Secure Storage and Handling of Mobile Devices
Ensure mobile devices are secure when not in use to prevent unauthorized access.
Plain language
Keeping mobile devices like smartphones and tablets secure when they are not in use is crucial to prevent strangers from accessing sensitive information. If not managed, someone could easily pick up an unattended device and steal important data, leading to potential financial loss or privacy breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Mar 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Mobile device usage
Official control statement
Mobile devices are carried or stored in a secured state when not being actively used.
Why it matters
Unsecured mobile devices can be lost or stolen, enabling unauthorised access to corporate apps/data and causing privacy breaches and financial loss.
Operational notes
Confirm devices auto-lock quickly, require PIN/biometric, and are stored in locked cabinets or secured with cable locks when not in active use.
Implementation tips
- Managers should establish a policy for the secure storage of mobile devices. They can instruct employees to always use password locks and keep devices in locked drawers or cabinets when not in use. Providing guidelines on locking screens automatically after a short period of inactivity is also helpful.
- Business owners should ensure that all employees are aware of the risks of leaving devices unattended. Conduct a short training session to demonstrate practical examples of secure device storage and have employees sign a form acknowledging their understanding.
- IT teams should implement a remote management tool that can lock or wipe data from lost or stolen devices. They can choose a reliable software solution that supports remote control features and educate users on how these features protect data.
- Office managers should perform regular checks to ensure devices are being stored securely outside of office hours. Create a checklist for closing procedures that includes securing all mobile devices and verify each task is completed nightly.
- Procurement teams should standardise the type of mobile devices issued to employees. They should purchase devices with built-in security features, such as biometric locks (fingerprint or facial recognition), to make securing them more intuitive and reliable.
Audit / evidence tips
- Ask for the mobile device security policy document: Verify that a clear policy exists outlining secure storage requirements for devices when not in use. Good evidence is a policy with clear instructions and examples of secure practices.
- Ask to see the employee training attendance records.
- Ask for documentation on remote management tools: Request reports or screen captures showing remote lock or data wipe capabilities. Look at whether these features are actively used. Good evidence is a report proving regular testing and readiness to use these features.
- Ask to observe the office closing procedure: Watch how staff secure mobile devices at the end of the day. Look at whether they follow the checklist and secure devices as described in policies. Good evidence is staff routinely storing devices securely with no exceptions.
- Ask for procurement records on issued devices: Check that devices with recommended security features are provided to employees.
Cross-framework mappings
How ISM-0870 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 7.7 | Partially overlaps | ISM-0870 requires mobile devices to be carried or stored in a secured state when not being actively used to reduce the risk of unauthoris... |
| Annex A 7.8 | Partially overlaps | ISM-0870 requires mobile devices to be carried or stored in a secured state when not being actively used to prevent unauthorised access |
| Annex A 5.10 | Supports | ISM-0870 requires that mobile devices are carried or stored in a secured state when not being actively used, setting an operational secur... |
| Annex A 8.3 | Supports | ISM-0870 requires mobile devices to be carried or stored in a secured state when not being actively used to prevent unauthorised access |
| Annex A 8.1 | Related | Annex A 8.1 requires organisations to protect information stored on or accessible via endpoint devices |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.