ISM-0824, ASD Information Security Manual (ISM)

Avoid Using Unauthorised Online File Services

To avoid security risks, staff should not use online file services unless those services have been approved.

Plain language

This control means that everyone in your organisation should avoid using any online file services that haven't been approved. This is important because using unapproved services can expose your organisation's data to cyber threats, such as hacking, data theft, or accidental exposure, which could damage your reputation or lead to financial loss.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2018

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Personnel are advised not to send or receive files via unauthorised online services.

Why it matters

Using unauthorised online file services can expose sensitive data to cyber threats, risking data breaches and reputational damage.

Operational notes

Publish approved file transfer services, block unauthorised file-sharing sites, and train staff not to upload or download files via unapproved platforms.

Implementation tips

  • Managers should identify and communicate which online file services are approved for use within the organisation. To do this, compile a list of approved services and share this list with all staff through an easily accessible document or an internal website.
  • The IT team should regularly review and update the list of approved online services. They can do this by conducting quarterly assessments of available services to ensure they meet the organisation's security standards and updating the list accordingly.
  • HR should include training on the approved services as part of the onboarding process for new staff. This can be done by integrating a short module on file-sharing risks and approved services into the employee induction program.
  • System owners should ensure that any file sharing features on their systems are configured to use only authorised services. They can do this by setting system permissions and conducting regular checks to ensure these permissions are enforced.
  • All staff should be encouraged to report any use of unauthorised services they encounter. This can be achieved by setting up a clear reporting process, such as a designated email address, and reminding staff through regular communications about the importance of using approved services.

Audit / evidence tips

  • Ask: The list of approved online file services. Request a copy of the document or internal webpage listing the services. Good: Is a list reviewed in the past six months with clear approval indicators.
  • Ask: A recent IT service audit report. Request documents showing the audits conducted for compliance with this control. Good: Would show a complete match with no discrepancies.
  • Ask: Records of staff training on approved services. Request attendance logs or training completion records. Good: Is evidence of mandatory training for all staff within the last year.
  • Ask: About the process for updating approved services. Request documented procedures or policies. Good: Would include a well-defined review cycle and approval process.
  • Ask: Records of any incidents involving unauthorised services. Request logs or reports of any such security issues. Good: Would show proactive measures taken and improvements in the process.

Cross-framework mappings

How ISM-0824 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control | Notes

Partially meets (1)
Annex A 5.10 | ISM-0824 advises personnel not to send or receive files via unauthorised online file services to reduce security risk

Partially overlaps (1)
Annex A 5.19 | ISM-0824 advises personnel not to send or receive files via unauthorised online services

Supports (2)
Annex A 5.4 | ISM-0824 sets an expected behaviour: personnel should avoid unauthorised online file services for sending or receiving files
Annex A 6.3 | ISM-0824 advises personnel not to send or receive files via unauthorised online file services

Related (1)
Annex A 6.7 | Annex A 6.7 requires organisations to protect information when personnel work remotely, which often includes controlling what external se...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
