Prevent Posting Work Info to Unauthorised Services
Employees should avoid sharing work details on websites not approved by the organisation.
Plain language
This control is about making sure that employees do not share work-related information on websites or services that the company hasn't approved. It matters because if sensitive work details end up on the wrong sites, it could lead to data breaches, reputational damage, and financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Dec 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted.
Why it matters
Posting work information to unauthorised online services can cause data leakage, reputational damage, and regulatory or financial impacts.
Operational notes
Maintain a clear list of authorised online services, brief staff not to post work info elsewhere, and require immediate reporting and removal requests for any unauthorised posts.
Implementation tips
- Managers should communicate to employees which online services are approved for sharing work information. This can be done by sending out a clear list of authorised platforms via email or in a staff meeting and explaining why these services are safe to use.
- The IT team must monitor network activity to identify any unauthorised postings of work information. They can do this by setting up alerts for uploads to websites not on the approved list, and reviewing these alerts regularly.
- HR should train new employees as part of their onboarding process about which platforms are authorised for work-related communications. Include this information in the employee handbook and conduct a short quiz to ensure understanding.
- Team leaders should remind their teams regularly in meetings not to use personal email accounts or social media to share work information. Encourage questions and clarify what counts as work information.
- The legal team should ensure there is a clear policy in place about online posting of work information. This policy should be reviewed bi-annually to adapt to new threats or changes in digital communication tools.
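One way the upload alerting described in the IT team tip above could be implemented, as an added example that is not part of the control text. The proxy log format, the domain names and the size threshold are all assumptions constructed for illustration.

```python
"""Flag uploads to services that are not on the approved list (constructed data)."""
from collections import namedtuple

# Assumed allowlist of authorised services; subdomains of an entry are also allowed.
APPROVED = {"sharepoint.example", "approved-chat.example"}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
MIN_BYTES = 1024  # assumed threshold: ignore small form posts such as logins

Alert = namedtuple("Alert", "time user host bytes_out")

# Constructed proxy log, one request per line: time user method host bytes_sent
SAMPLE_LOG = """\
2026-03-19T09:14:02Z alice POST docs.sharepoint.example 482110
2026-03-19T09:15:40Z bob GET pastebin.example 0
2026-03-19T09:16:11Z bob POST pastebin.example 20480
2026-03-19T09:17:03Z carol PUT mysharepoint.example 900000
2026-03-19T09:18:29Z dave POST webmail.example 312
malformed line
2026-03-19T09:20:00Z erin POST Approved-Chat.example. 5000
"""

def is_approved(host):
    """True if host equals an approved domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so "mysharepoint.example" does not pass
    # as "sharepoint.example".
    return any(host == d or host.endswith("." + d) for d in APPROVED)

def find_unapproved_uploads(log_text):
    """Return an Alert for each sizeable upload to a host not on the list."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not match the assumed format
        time, user, method, host, sent = parts
        if method.upper() not in UPLOAD_METHODS or int(sent) < MIN_BYTES:
            continue
        if not is_approved(host):
            alerts.append(Alert(time, user, host.lower().rstrip("."), int(sent)))
    return alerts

if __name__ == "__main__":
    for a in find_unapproved_uploads(SAMPLE_LOG):
        print(f"ALERT {a.time} {a.user} uploaded {a.bytes_out} bytes to {a.host}")
```

Alerts produced this way feed the regular review and the reporting step the control requires; they do not replace either.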
Audit / evidence tips
- Ask: the list of approved online services for sharing work information
  Good: is a recently updated list reflecting current safe platforms for work data
- Good: includes documented incidents and responses that align with the policy
- Good: has completed assessments with scores showing understanding across new staff
- Ask: to see minutes or notes from team meetings that include reminders about information posting rules. Review how often these reminders are given and any feedback received
  Good: includes regular updates and positive feedback from staff
- Good: features clear guidelines and a designated review schedule
Cross-framework mappings
How ISM-0820 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.4 | ISM-0820 sets a specific personnel behaviour expectation: do not post work information to unauthorised online services and report if it h... | |
| Supports (2) | | |
| Annex A 6.4 | Annex A 6.4 requires organisations to formalise and communicate disciplinary actions for information security policy violations | |
| Annex A 6.6 | ISM-0820 focuses on preventing unauthorised disclosure by advising personnel not to post work information to unauthorised online services... | |
| Related (1) | | |
| Annex A 6.8 | Annex A 6.8 requires defined mechanisms for reporting information security events and suspected weaknesses promptly | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.