Transporting Mobile Devices Securely
If you can't secure a mobile device, it must be carried in a security bag or similar for safe transport.
Plain language
This control is all about making sure our mobile devices, like phones and tablets, are kept safe when we move them around, especially if they're not already secured by a passcode or other means. If they're not properly guarded, they have to be carried in a special security bag. This matters because if a device is lost or stolen, sensitive information could fall into the wrong hands, leading to privacy breaches or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobilitySection
Mobile device usageOfficial control statement
If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag.
Why it matters
If mobile devices are transported without an approved security bag, they may be lost or stolen, enabling access to sensitive data and system accounts.
Operational notes
When devices cannot be carried or stored securely, transport them only in an approved security briefcase, satchel, pouch or transit bag and keep them attended.
Implementation tips
- Employees responsible for handling sensitive information should ensure that all mobile devices are locked with a passcode or equivalent security measure before transport. This could involve setting up a device password or implementing biometric security, like fingerprint recognition.
-
Look atapproved security bags designed to limit access and visibly show signs of tampering
- IT teams should conduct training sessions for all staff on secure transportation practices for mobile devices. This includes demonstrating how to use security pouches and reminding employees about the importance of these measures.
- Procurement departments should include security storage options in their purchasing requirements for mobile devices. This means only buying devices with security-compatible accessories or having pre-approved security bags that are readily available for staff use.
- Supervisors should regularly remind staff to use designated security pouches when transporting devices by incorporating this into team meetings or regular communications. Quarterly check-ins can help reinforce the policy and identify any challenges in compliance.
Audit / evidence tips
-
Asktraining materials on secure mobile device transport
Goodis a comprehensive guide that includes steps for securing and carrying devices
-
Aska list of approved security bags available to staff
Goodwill show that bags are tamper-evident and securely lockable
-
Aska record of security bag distribution to employees. Look to see if each device case assignment is documented with names and dates
Goodis a log showing regular, consistent provision and use of security bags
-
Askto see any incident reports involving lost or stolen mobile devices
Goodwill show that incidents are low and involve proper use of security bags
-
Askfeedback collection from employees about the use of security bags
Goodincludes actionable insights that lead to better usage practices
Cross-framework mappings
How ISM-1084 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 7.10 | ISM-1084 requires that when mobile devices cannot be carried or stored in a secured state, they must be physically transported using a se... | |
| Annex A 8.1 | ISM-1084 addresses physical protection during transport by mandating approved security bags when a mobile device cannot otherwise be secured | |
| handshake Supports (1) expand_less | ||
| Annex A 6.7 | ISM-1084 requires secure physical transport of mobile devices using approved security bags when the devices cannot be otherwise secured | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.