Enforce Policy with Evaluated Mobile Device Management
Use certified management solutions to ensure mobile devices follow security policies.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Aug 2023
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Mobile device management
Mobile Device Management solutions that have completed a Common Criteria evaluation against the Protection Profile for Mobile Device Management, version 4.0 or later, are used to enforce mobile device management policy.
Source: ASD Information Security Manual (ISM)
Plain language
This control ensures that mobile devices, like phones and tablets used for work, are managed by trustworthy software that follows strict Australian standards for security. If this isn't done, sensitive business information could be at risk if, for example, a device is lost or hacked.
Why it matters
Without an MDM solution that has been Common Criteria evaluated against the MDM Protection Profile (v4.0 or later), policy enforcement may fail silently, increasing the risk of data loss or compromise from stolen, lost or unmanaged mobile devices.
Operational notes
Confirm the MDM product remains Common Criteria evaluated against the MDM PP v4.0+ and enforce enrolment, compliance checks and remote wipe for all managed mobile devices.
Implementation tips
- The IT manager should select a Mobile Device Management (MDM) solution that meets the Australian Common Criteria for security. This involves researching and selecting from certified solutions that comply with the latest version of the Protection Profile for MDM systems.
- IT staff must enrol all company mobile devices into the chosen MDM system. They can do this by following the setup guide provided by the MDM vendor, which typically includes installing an app on each device and configuring settings through a central console.
- The IT team should regularly update the MDM system to ensure it includes the latest security patches and policy updates. This can be done by setting up automatic updates in the MDM software or scheduling regular manual checks.
- Management should conduct training sessions for all employees on the importance of MDM policies. This can be achieved by organising workshops where the IT team explains how devices are managed and why it's crucial for security.
- HR should coordinate with IT to ensure that new employees have their mobile devices set up with the MDM solution as part of their onboarding process. This involves creating a checklist that includes MDM enrolment as a mandatory step.
Audit / evidence tips
- Ask for the MDM certification documentation: request the certification papers that prove the MDM solution meets the Australian Common Criteria.
  Good: current documents that clearly state compliance with the relevant standards.
- Ask to see the list of all enrolled devices: request a report that lists all mobile devices currently managed by the MDM.
  Good: all business devices are listed, with enrolment dates and last check-in times.
- Ask for security policy compliance reports from the MDM: request the regular reports generated by the MDM showing policy compliance status.
  Good: reports that show consistent policy adherence across devices, with non-compliance alerts being promptly addressed.
- Ask for records of MDM updates: request logs or change records showing when the MDM system was last updated.
  Good: regular update patterns aligned with vendor release cycles, indicating active maintenance.
- Ask to observe a device being set up: request a demonstration of the MDM enrolment process for a new device.
  Good: a clear step-by-step process that includes device recognition by the MDM and confirmation that policy has been applied.
Cross-framework mappings
How ISM-1195 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Supports (2) | Annex A 5.19 | ISM-1195 requires the use of a specifically evaluated MDM product to enforce mobile device management policy, which is a product assuranc... |
| Supports (2) | Annex A 5.21 | ISM-1195 requires organisations to enforce mobile device policy using an MDM solution that has passed a Common Criteria evaluation agains... |
| Depends on (1) | Annex A 5.1 | ISM-1195 requires a defined mobile device management policy and mandates that it is enforced using an evaluated MDM solution |
| Related (1) | Annex A 8.1 | Annex A 8.1 requires protection of information on user endpoint devices, which commonly relies on consistent configuration and policy enf... |