ISM-0869, ASD Information Security Manual (ISM)

Encrypting Storage on Mobile Devices

Ensure all mobile device storage and removable media are encrypted for security.

Plain language

This control is about ensuring that all the data on your mobile devices and any additional storage devices, like USB sticks, is safely locked up so no one can get to it without your permission. This is important because if your phone or a USB drive gets lost or stolen and the data isn't encrypted, anyone could see your personal information or sensitive business data, which could lead to fraud or a breach of privacy.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Mobile devices encrypt their internal storage and any removable media.

Why it matters

If a mobile device is lost or stolen without storage encryption, data on internal or removable media can be accessed, leading to privacy breaches and corporate espionage.

Operational notes

Verify full-disk encryption is enabled for internal storage and any SD cards, and re-check encryption status after OS updates, MDM policy changes or re-enrolment.

Implementation tips

  • The IT team should enable encryption on all mobile devices: They should access the settings on every mobile device and turn on the encryption function. This typically involves setting a secure password and enabling a feature that scrambles the data on the device so it can't be read by others.
  • Office managers should send a reminder to staff: Staff should receive a regular reminder to ensure their own devices used for work purposes have encryption enabled. This could be in the form of an email explaining how to check device settings for encryption and why it matters.
  • Procurement staff should ensure any new devices are pre-configured with encryption: When purchasing mobile devices, procurement can specify that devices come with encryption enabled. This can often be arranged with suppliers and ensures every device is secure right from the start.
  • System administrators need to provide training on encrypted storage: Organise a brief training session for all employees to explain how encryption works, why it's important, and how to check if their devices are encrypted. This training could be done during a lunch meeting or a dedicated IT training day.
  • Managers should regularly review compliance: Managers should periodically check in with their teams to verify that encryption is enabled on all mobile and storage devices. This could involve a checklist or a quick monthly meeting to confirm compliance.

Audit / evidence tips

  • Ask: The encryption configuration report: Request a report that lists all mobile devices and their encryption status. Good: Outcome is a comprehensive list where every device is shown as securely encrypted
  • Ask: To see device configuration settings: Request to see the encryption settings on a sample of devices. Good: Devices show encryption enabled and passcodes actively in use
  • Good: Outcome shows most or all staff have been trained on this topic
  • Ask: Procurement procedures documents: Request documentation that outlines procurement steps for buying encrypted devices. Good: Document clearly mandates encryption in new purchases
  • Good: Record shows consistent reviews with documented outcomes

Cross-framework mappings

How ISM-0869 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Supports (1)

  • Annex A 8.24: ISM-0869 involves encrypting storage on mobile devices, a specific application of cryptography

Related (1)

  • Annex A 8.1: Annex A 8.1 requires protection of information stored on and accessible via user endpoint devices

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.