ISM-1146 - ASD Information Security Manual (ISM)

Separation of Work and Personal Online Accounts

Keep separate accounts for work and personal use online to enhance security.

Plain language

This control is about keeping your work accounts and personal accounts separate online. Imagine if you accidentally posted work information on your personal social media - this could lead to sensitive data being exposed to the wrong people. By using different accounts for work and personal use, you're less likely to mix them up, which helps keep your work information safe.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2024

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

Personnel are advised to maintain separate work and personal user accounts for online services.

Why it matters

Mixing work and personal online accounts increases the risk of data leaks or unauthorised access to sensitive information, jeopardising organisational security.

Operational notes

Document approved work accounts and require separate personal logins; periodically review usage and provide guidance to staff.

Implementation tips

  • Managers should instruct employees to create separate accounts for work and personal purposes. This can be done by sending out a clear email explaining why separate accounts are important and how to set them up. Encourage them to avoid overlapping usernames and passwords between the two types of accounts.
  • IT teams should ensure that organisational software and platforms only allow access through work-specific accounts. They can achieve this by setting up account controls that prevent login using personal email addresses or other non-work-related credentials.
  • HR should incorporate training on this policy into the onboarding process. New employees should be instructed on how to set up and use separate accounts for accessing work-related systems, with real examples of the risks involved with sharing accounts.
  • Supervisors should regularly remind their team about the importance of keeping accounts separate. They can do this by holding brief check-in meetings or sending periodic reminders through internal newsletters, highlighting any potential security incidents stemming from account mixing.
  • Cyber security teams should conduct awareness sessions on the benefits of maintaining separate accounts. These sessions could include guest speakers or case studies of breaches caused by account mishaps and provide easy-to-follow steps for managing digital identities.

Audit / evidence tips

  • Ask: Records of employee training sessions on maintaining separate accounts
  • Good: Shows specific work accounts being used and proper restrictions on personal accounts concerning organisational systems
  • Ask: Documentation on onboarding procedures related to account management. Good: Document includes specific training modules or topics that focus on this control
  • Good: Includes frequent and clear communication stressing the importance and methods of maintaining separate accounts

Cross-framework mappings

How ISM-1146 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 5.10: ISM-1146 advises personnel to keep separate work and personal online accounts to reduce cross-contamination and account compromise risks

Supports (1)

  • Annex A 6.3: ISM-1146 advises personnel to maintain separate work and personal online accounts for online services

Related (1)

  • Annex A 6.7: Annex A 6.7 requires security measures for personnel working remotely to protect organisational information accessed or processed offsite

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
