ISM-0694 policy ASD Information Security Manual (ISM)

Restrict Access of Private Devices to Secret Systems

Private devices must not access data or systems classified as SECRET or TOP SECRET.


Plain language

This control means that personal devices, such as your own mobile phone or home computer, must not be used to access information or systems classified SECRET or TOP SECRET at your workplace. It matters because a personal device sits outside the organisation's patching, configuration and monitoring baseline; if such a device is used to reach classified data, that data could be stolen or misused, causing serious harm to your organisation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

Aug 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Privately-owned mobile devices and desktop computers do not access SECRET and TOP SECRET systems or data.

Why it matters

Allowing privately-owned devices to access SECRET or TOP SECRET systems increases the risk of malware introduction and data exfiltration, because the organisation cannot verify the device's build, patch level or installed software. The likely consequence is compromise of classified data and major operational harm.


Operational notes

Block BYOD at both the network and identity layers: require device certificates that are only issued to corporate-managed endpoints (for example 802.1X/EAP-TLS on the network, mutual TLS or conditional access at the identity provider), enforce NAC/MDM compliance checks before access is granted, and regularly review authentication and gateway logs to detect any private device connection attempts or any access that was allowed without a managed-device certificate.
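The enforcement and log-review steps in the note above, as an added example that is not part of the ISM or of this page: a default-deny gate that admits only certificate-bearing, inventoried, MDM-compliant devices to SECRET/TOP SECRET resources, and an audit pass that replays constructed NAC/VPN log lines against that gate. The audit reports both private-device attempts (expected denies that still merit review) and cases where the gateway allowed what the rule forbids, which is the enforcement gap an assessor reviewing network logs would want to find. The device inventory, the `key=value` log format, the issuer name `CN=Corp Device CA` and every user or host name are constructed assumptions for illustration.

```python
"""Managed-device gate and log audit for SECRET/TOP SECRET resources.

Added example, not ISM text or any vendor product. The inventory, the
log line format and all names below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

RESTRICTED = {"SECRET", "TOP SECRET"}
CORP_CA = "CN=Corp Device CA"  # assumed issuer of corporate device certificates

# Constructed inventory: certificate serial -> managed-device record.
MANAGED_DEVICES = {
    "4A1F": {"issuer": CORP_CA, "mdm_compliant": True},
    "7C22": {"issuer": CORP_CA, "mdm_compliant": False},  # enrolled, but out of compliance
}


@dataclass
class AccessRequest:
    user: str
    classification: str          # classification of the target resource
    cert_issuer: Optional[str]   # None when no device certificate was presented
    cert_serial: Optional[str]


def decide(req: AccessRequest, inventory=MANAGED_DEVICES):
    """Return (decision, reason). Default-deny: only a device whose certificate
    was issued by the corporate CA, is in inventory and passes the MDM
    compliance check may reach a SECRET/TOP SECRET resource."""
    if req.classification not in RESTRICTED:
        return "ALLOW", "resource not SECRET/TOP SECRET; ISM-0694 does not apply"
    if not req.cert_issuer or not req.cert_serial:
        return "DENY", "no device certificate presented (private/unmanaged device)"
    rec = inventory.get(req.cert_serial)
    if rec is None or rec["issuer"] != req.cert_issuer:
        return "DENY", "device certificate not issued to a managed device"
    if not rec["mdm_compliant"]:
        return "DENY", "managed device failed MDM compliance check"
    return "ALLOW", "managed, MDM-compliant device"


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one constructed key=value NAC/VPN log line into a dict.
    Quoted values may contain spaces and '=' (e.g. the issuer DN)."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def audit(lines):
    """Replay each logged access against decide() and report:
    - 'policy_gap': the gateway allowed what the rule would deny (enforcement broken)
    - 'private_device_attempt': an unmanaged device tried a restricted resource
      (correctly denied, but still evidence worth reviewing)."""
    findings = []
    for line in lines:
        f = parse_line(line)
        req = AccessRequest(
            user=f["user"],
            classification=f["class"],
            cert_issuer=None if f.get("issuer", "-") == "-" else f["issuer"],
            cert_serial=None if f.get("serial", "-") == "-" else f["serial"],
        )
        expected, reason = decide(req)
        if f["result"] == "ALLOW" and expected == "DENY":
            findings.append(("policy_gap", f["timestamp"], f["user"], reason))
        elif expected == "DENY" and req.cert_serial is None:
            findings.append(("private_device_attempt", f["timestamp"], f["user"], reason))
    return findings


# Constructed sample log: one compliant access, one blocked private device,
# one private device wrongly allowed to a TOP SECRET portal, one non-compliant
# managed device wrongly allowed, and one unrestricted resource (out of scope).
SAMPLE_LOG = [
    '2026-03-19T08:01:02Z user=asmith issuer="CN=Corp Device CA" serial=4A1F resource=secret-fs class=SECRET result=ALLOW',
    '2026-03-19T08:03:17Z user=bjones issuer=- serial=- resource=secret-fs class=SECRET result=DENY',
    '2026-03-19T08:05:44Z user=cwong issuer=- serial=- resource=ts-portal class="TOP SECRET" result=ALLOW',
    '2026-03-19T08:07:09Z user=dlee issuer="CN=Corp Device CA" serial=7C22 resource=secret-fs class=SECRET result=ALLOW',
    '2026-03-19T08:09:30Z user=efox issuer=- serial=- resource=intranet class=OFFICIAL result=ALLOW',
]

if __name__ == "__main__":
    for kind, ts, user, reason in audit(SAMPLE_LOG):
        print(f"{ts} {kind:<24} {user:<8} {reason}")
```

Two design points: the gate keys on the certificate serial plus issuer, not on a MAC address or hostname, because those are trivially set on a private device; and the audit treats "ALLOW where the rule says DENY" as a separate, higher-severity finding from "private device tried and was denied", since the first means the control is not actually enforced.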


Implementation tips

  • IT manager should create a list of systems and data classified as SECRET and TOP SECRET. This means identifying which systems hold highly sensitive information. Communicate with departments to ensure all such systems are included and marked accordingly.
  • HR should update company policies to clearly state that personal devices are not allowed to access these classified systems. Draft a simple policy document and ensure all staff members read and acknowledge it. Regularly remind employees through email or during meetings.
  • The IT team should set up network tools to prevent unauthorised devices from connecting to SECRET and TOP SECRET systems. This involves configuring the organisation's network settings to block access from non-company devices. Test by connecting a personal device and ensuring access is denied.
  • System owners should conduct regular training sessions for employees about the importance of this control. Design and conduct short workshops or online modules to highlight risks associated with using private devices for accessing sensitive data and outline alternative secure access methods.
  • Managers should routinely check compliance with the no-private-device policy during team meetings. Use a checklist to verify team members are using company-approved devices for accessing sensitive systems. Make compliance a part of regular performance reviews to ensure adherence.

Audit / evidence tips

  • Ask for: the list of systems classified as SECRET and TOP SECRET. Request a document detailing these systems. Good evidence: a well-documented list reviewed and approved by senior leadership.
  • Ask for: the updated policy document on device usage. Request the policy stating that personal devices are not allowed on sensitive systems. Good evidence: an accessible, periodically reviewed document acknowledged by all staff members.
  • Ask for: network configuration and logs. Request logs or other proof showing that the network setup prevents private device access to sensitive systems. Good evidence: logs showing consistent blocking of unauthorised devices and recent updates to network security settings.
  • Ask for: training completion records. Request a training completion report for all staff on this policy. Good evidence: consistent participation across departments and positive feedback from staff indicating understanding of the policy.
  • Ask for: compliance review notes. Request records of meetings where compliance with the policy was discussed. Good evidence: comprehensive notes showing consistent checks and follow-up actions where necessary.

Cross-framework mappings

How ISM-0694 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 5.15: ISM-0694 mandates that privately-owned devices are not permitted to access SECRET and TOP SECRET systems or data
  • Annex A 8.3: ISM-0694 requires an explicit prohibition on privately-owned devices accessing SECRET and TOP SECRET systems or data

Supports (2)
  • Annex A 8.20: ISM-0694 requires preventing privately-owned devices from accessing SECRET and TOP SECRET systems or data
  • Annex A 8.22: ISM-0694 requires that privately-owned mobile devices and desktop computers do not access SECRET and TOP SECRET systems or data

Depends on (1)
  • Annex A 5.12: ISM-0694 enforces an access restriction specifically tied to SECRET and TOP SECRET classifications and to privately-owned devices

Related (1)
  • Annex A 6.7: Annex A 6.7 addresses protecting information when personnel work remotely, including controlling which devices can access organisational ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
