ISM-1085, ASD Information Security Manual (ISM)

Ensure Mobile Devices Encrypt Data Communications

Mobile devices must use encryption when sending sensitive data over public networks.

Plain language

With this control, we ensure that all sensitive data sent from mobile devices is encrypted when using public networks, like a café's Wi-Fi. This is important because if data isn't protected, hackers might intercept and steal confidential information, leading to serious problems such as identity theft or financial loss.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Mobile devices encrypt all sensitive or classified data communicated over public network infrastructure.

Why it matters

If mobile traffic isn’t encrypted on public networks, attackers can intercept sensitive or classified data, causing breaches and reputational damage.

Operational notes

Verify all mobiles use encrypted tunnels (e.g., VPN/TLS) on public networks; routinely test and update crypto settings, especially on public Wi‑Fi.

Implementation tips

  • The IT team should ensure all mobile devices in the organisation are configured to use encryption when connecting to public networks. This can be done by installing trusted virtual private network (VPN) software on all devices, which encrypts data sent and received.
  • System owners must require employees to use secure applications that automatically encrypt sensitive data. This means promoting apps with built-in encryption features approved by the Australian Cyber Security Centre (ACSC).
  • Managers should educate staff about the risks of using public networks without encryption. Arrange periodic training sessions to show employees how to check encryption settings on their mobile devices before accessing public Wi-Fi.
  • Procurement teams should acquire mobile devices that have robust security features, including the ability to encrypt data communications. When buying devices, ensure they meet government security guidelines such as those from ASD (Australian Signals Directorate).
  • HR should implement a policy requiring staff to confirm their mobile devices use encryption when working remotely. This policy should be included in the onboarding process and regularly reviewed to ensure compliance.

Audit / evidence tips

  • Ask: The list of approved VPN solutions. Request documentation showing which VPN tools are authorised for use. Look to ensure each listed VPN applies strong encryption standards. Good: Includes several options with detailed encryption specifications and user guidelines.
  • Ask: To see the user training records. Obtain records of training sessions on mobile device security. Good: Has comprehensive records showing regular training with positive participant feedback.
  • Good: Includes devices sourced from reputable vendors with encryption features highlighted.
  • Ask: The employee policy document. Request to see the policy that mandates encryption use on mobile devices. Good: Includes clear instructions and an enforcement procedure.
  • Ask: A demonstration of encryption settings. Request someone from IT to show a live demonstration of an encrypted data transmission using a mobile device. Good: Shows encryption activated easily and demonstrably on actual devices.

Cross-framework mappings

How ISM-1085 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.24: ISM-1085 requires mobile devices to encrypt sensitive or classified data when communicating over public network infrastructure

Supports (2)

  • Annex A 8.12: ISM-1085 requires mobile devices to encrypt sensitive or classified data when communicated over public network infrastructure to reduce e...
  • Annex A 8.20: ISM-1085 requires mobile devices to encrypt sensitive or classified data when it is communicated over public network infrastructure

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
