Supervise Mobile Devices During Active Use
Ensure mobile devices are watched carefully whenever they are in use to avoid loss or theft.
Plain language
Whenever you're using your phone or tablet, you need to keep an eye on it. If you don't, someone might take it or you might misplace it. This matters because if someone else gets your device, they could access sensitive information or use it inappropriately.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Mar 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Mobile device usage
Official control statement
Mobile devices are kept under continual direct supervision when being actively used.
Why it matters
Unsupervised mobile devices can be stolen or accessed by others during use, exposing sensitive data and causing breaches and reputational harm.
Operational notes
Train users to keep mobile devices in hand or in sight during active use, and never leave them unattended in public areas or shared spaces.
Implementation tips
- Managers should remind employees to always keep their mobile devices in sight when using them. This can be done during team meetings or through an email to staff, explaining why it's important for both personal safety and data security.
- The IT team should implement software that alerts users if their screen isn't being watched, like requiring regular user confirmations. They can configure devices to lock automatically if they're not actively used for a predefined period.
- Office administrators should arrange for secure storage options, such as lockers, for employees to use when they're stepping away from their workstations. They can coordinate with facilities management to ensure there's enough space and that employees know how to access it.
- HR should include mobile device supervision guidelines in onboarding training. This could involve a session or a tutorial where new employees learn about the potential risks of leaving devices unattended.
- Security teams should conduct regular spot checks to see how well employees are following device supervision guidelines. They can walk through areas where mobile devices are used and provide feedback or corrective action if necessary.
Audit / evidence tips
- Ask for the employee handbook or training materials: Request sections that cover mobile device supervision.
  Good: a detailed description with clear instructions and examples of acceptable and unacceptable behaviour.
- Ask to see system logs or reports from device management software: Request records showing device usage and locking.
  Good: a log with regular timestamps of device locks matching policy.
- Ask to observe a security spot check plan: Request the schedule or report from spot checks. Look to see how often checks are done and how compliance is evaluated.
  Good: a regular plan with feedback processes documented.
- Ask for communication records regarding device supervision: Request emails or meeting notes sent to staff.
  Good: periodic reminders, ideally with examples like screen captures of the messages.
- Ask for a list of security incidents involving mobile devices: Request incident logs related to unattended devices.
  Good: each incident logged with details, actions, and resolutions.
Cross-framework mappings
How ISM-0871 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.1 | Partially meets | ISM-0871 requires mobile devices to be kept under continual direct supervision when they are being actively used to reduce loss or theft |
| Annex A 7.8 | Partially overlaps | ISM-0871 requires mobile devices to be kept under continual direct supervision when they are being actively used to prevent loss or theft |
| Annex A 6.7 | Supports | ISM-0871 requires mobile devices to be kept under continual direct supervision when they are being actively used to reduce loss or theft |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.