ISM-1082 | ASD Information Security Manual (ISM)

Develop and Maintain Mobile Device Usage Policy

Ensure a policy is in place to guide how mobile devices are used in the organisation.

Plain language

This control is about having a clear policy for how mobile devices are used in your organisation. Imagine if your staff could just use their phones to access company data without any rules - it could lead to security risks if a device is lost or stolen. A proper policy helps protect sensitive information and ensures everyone knows what's allowed and what's not.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

A mobile device usage policy is developed, implemented and maintained.

Why it matters

Without a mobile device usage policy, unmanaged BYOD and app use can expose sensitive data via loss/theft, insecure apps, or unauthorised access.

Operational notes

Review the mobile device usage policy at least annually; cover BYOD eligibility, MDM enrolment, app allow/deny lists, encryption, lock screens and reporting lost devices.

Implementation tips

  • The management team should draft the mobile device usage policy to set the rules for using phones and tablets at work. Start by deciding what types of data employees can access from their devices and how they should protect it. Involve your IT team to cover technical requirements like passwords and software updates.
  • IT staff should ensure all mobile devices accessing company data have security measures like encryption and regular updates. This can be done by setting up a central management tool to enforce these protections automatically. Regular checks should be scheduled to verify compliance.
  • HR should include the new mobile device policy in onboarding sessions. New hires need clear guidance, so explain the policy during their first week and ensure they sign off to confirm understanding. This approach establishes expectations early.
  • Managers should periodically remind their teams about the mobile device policy, especially when changes are made. Set up brief reminders in team meetings or via email whenever there's an update to ensure everyone remains informed.
  • The IT department should conduct quarterly reviews of the mobile device usage policy to ensure it remains relevant. This involves checking for new security threats or changes in technology that might require updates. Collaborate with management to approve any necessary revisions.

Audit / evidence tips

  • Ask: The mobile device usage policy document. Request a copy of the official policy that governs mobile device use in the organisation. Look to see if it covers areas like permitted apps, data protection measures, and device management procedures. Good: A comprehensive document with clear, concise guidelines that address security and usage expectations.
  • Ask: Records of policy communication. Request evidence such as emails or meeting minutes showing how the policy has been communicated to staff. Good: Evidence includes both initial distribution and any updates communicated to all relevant staff.
  • Ask: Records of onboarding sessions. Request documentation or presentations used in onboarding that include the mobile device policy section. Good: The records indicate consistent delivery of the policy to new team members.
  • Ask: To see the mobile device management dashboard. Request a demonstration of the system that enforces security measures on mobile devices. Good: The system shows active management and compliance with the policy.
  • Ask: The last policy review report. Request the most recent evaluation of the mobile device usage policy. Good: A consistently reviewed policy with updates made based on current threats and organisational needs.

Cross-framework mappings

How ISM-1082 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.1: ISM-1082 requires the organisation to develop, implement and maintain a mobile device usage policy that governs how mobile devices are used.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
