Advise Personnel on Mobile Communication Sensitivity
Personnel are informed about what levels of classified communication are allowed on mobile devices.
Plain language
When using mobile devices, it's important to know what sensitive information is okay to discuss or send. If you don't set boundaries, there's a higher risk of leaking important data, which could result in legal troubles, loss of trust, or even financial damage.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices.
Why it matters
Without clear guidance on mobile communication sensitivity, confidential data may be shared over mobile channels, causing exposure and breaches.
Operational notes
Regularly brief personnel on permitted voice/data classifications on mobiles, refresh guidance after policy changes, and confirm understanding to prevent leaks.
Implementation tips
- Managers should define which types of sensitive information can be communicated over mobile devices. To do this, they should work with their IT team to outline information categories based on sensitivity and decide if it's okay to discuss them over the phone or send via messaging apps.
- The IT team should implement a training session for all personnel. This session should clearly explain what levels of communication are appropriate for mobile use, providing examples and ensuring everyone understands how to apply these rules in real life.
- HR should include guidelines on mobile communication in the employee induction programme. New employees should be made aware of what information is considered sensitive and the appropriate channels for sharing it.
- System owners should regularly review and update the mobile communication policies. This involves checking current technology capabilities and threats to ensure the guidelines are still relevant and effective.
- The security officer should monitor and assess compliance with these guidelines. They can do this by conducting random checks or surveys asking personnel about their knowledge and application of the rules.
Audit / evidence tips
- Ask: the mobile communications policy document
  Good: Clear classifications and explicit instructions on use for phone calls, emails, and apps
- Good: Comprehensive records showing all current staff have attended within the past year
- Ask: to see the induction checklist for new employees: Examine the sections detailing mobile communication guidelines
  Good: Inclusion of up-to-date rules clearly explained in the checklist
- Good: Regular, at least annual, reviews and adjustments reflecting any new risks or technologies
- Ask: the results of compliance checks or surveys: Evaluate the feedback collected on personnel's understanding and adherence
  Good: Positive results indicating strong awareness and compliance, with action plans for any gaps
Cross-framework mappings
How ISM-1083 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.10 | Annex A 5.10 requires organisations to document and implement acceptable use rules and handling procedures for information and assets | |
| Related (2) | | |
| Annex A 5.12 | Annex A 5.12 requires information to be classified so handling and communication align with its security needs and stakeholder requirements | |
| Annex A 6.3 | Annex A 6.3 requires role-appropriate awareness and regular updates to information security policy and topic-specific procedures | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.