ISM-1196, ASD Information Security Manual (ISM)

Keep Mobile Devices Undiscoverable via Bluetooth

Bluetooth on mobile devices is only discoverable during pairing to protect sensitive information.

Plain language

This control means making sure your mobile device is hidden from other people's Bluetooth connections unless you're actively trying to pair it with something, like headphones or a car. It's important because, if left visible, someone nearby might connect to your device without you knowing, potentially accessing or stealing your personal data.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P

ISM last updated

Nov 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Non-classified, OFFICIAL: Sensitive and PROTECTED mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing.
Source: ASD Information Security Manual (ISM), ISM-1196

Why it matters

Exposing Bluetooth on devices can lead to unauthorised connections, risking sensitive data leakage or device control by malicious actors.

Operational notes

Regularly confirm Bluetooth remains undiscoverable except during pairing, particularly after OS updates, profile changes or device resets.

Implementation tips

  • The IT team should ensure Bluetooth settings for all employees' mobile devices are properly configured. This can be done by providing standard directions on how to adjust Bluetooth settings so devices are not discoverable unless pairing. Implement these instructions as a checklist during device setup or updates.
  • Staff members need to be informed about the importance of keeping their Bluetooth settings set to 'hidden' unless actively pairing a device. Hold a quick, engaging presentation to explain why, using simple examples, and demonstrate how to check their device settings.
  • Procurement officers should consider Bluetooth invisibility when selecting mobile devices for the organisation. Ensure they verify with suppliers that devices can be set to remain undiscoverable by default. They should request a demonstration or documentation from the supplier that confirms this feature.
  • The IT support team should schedule regular audits of device settings. Use a remote management tool that can verify Bluetooth discoverability settings across the organisation. Conduct these audits quarterly and document findings.
  • Managers should encourage a culture of security by including Bluetooth privacy tips in the monthly newsletter. Provide a simple 'how-to' guide for making devices undiscoverable and include success stories to highlight compliance improvements within the team.

Audit / evidence tips

  • Ask: A report on device configuration. Request a list that shows the Bluetooth settings status of all mobile devices in the organisation. Good: A majority compliance rate, with remediation plans for non-compliant devices.
  • Ask: The training materials. Review the presentation or guide used to educate staff about Bluetooth settings. Good: Comprehensive, easy-to-understand materials with evidence of distribution, like attendance records or email logs.
  • Ask: A procurement criteria list. Request the document that outlines what features are necessary when buying new mobile devices. Check if Bluetooth configuration capabilities are listed as a requirement. Good: Shows specific mention of Bluetooth discoverability settings, ensuring it can be configured as needed for security.
  • Ask: A recent audit report. See the documentation from recent checks of Bluetooth settings across devices. Confirm the discovery of any issues and note the fixes which were implemented. Good: Outcome includes a high compliance rate and detailed plans for addressing any problems found.
  • Ask: A survey or feedback summary. Request a summary of staff feedback or surveys about Bluetooth practices. Look into the feedback to ensure they understand and apply the proper settings. Good: Positive feedback or plans to address misunderstandings, demonstrating continuous improvement.

Cross-framework mappings

How ISM-1196 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.9: ISM-1196 mandates a specific security configuration state for mobile devices: Bluetooth must be undiscoverable except during pairing

Related (1)

  • Annex A 8.1: Annex A 8.1 requires protection of information accessible via user endpoint devices, including mobiles and tablets

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
