Secure Bluetooth Pairing for Mobile Devices
Ensure Bluetooth connections for devices are only made with intended, authorised equipment.
Plain language
When you pair your mobile devices with Bluetooth, it's like making a new friend online. You want to be sure the person is who they say they are. If you're not careful, someone else could trick you into sharing things with them, putting your business and sensitive information at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Mobile device usage
Official control statement
Bluetooth pairing for non-classified, OFFICIAL: Sensitive and PROTECTED mobile devices is performed in a manner such that connections are only made between intended Bluetooth devices.
Why it matters
If Bluetooth pairing isn’t secured, unintended devices may connect to mobile devices, enabling eavesdropping or data access and causing disruption.
Operational notes
Regularly review paired devices, remove unknown pairings, and keep Bluetooth off when not required to prevent connections to unintended devices.
Implementation tips
- The IT team should ensure Bluetooth is only turned on when needed: before connecting any device, double-check that the other device's identity matches what you expect by checking its name and asking the user to confirm that their device is the one trying to connect.
- Managers should provide staff training on recognising authorised devices: Explain to employees which devices are trusted and how to verify them, such as checking device names and pairing requests carefully.
- Procurement should maintain an inventory of authorised Bluetooth devices: Keep an up-to-date list of devices that are authorised to connect via Bluetooth, ensuring all devices in use are listed and checked regularly.
- System owners should password-protect Bluetooth settings: Set up Bluetooth devices with security codes or PINs and instruct users to keep these codes private, ensuring only authorised devices can complete the pairing.
- HR should update device usage policies: Include guidelines on Bluetooth usage in company policy, explaining the importance of accepting connections only from known devices and reporting any suspicious attempts.
Audit / evidence tips
- Ask for a list of paired devices: Request a report of all devices that have been paired with company-owned devices through Bluetooth.
  Good: the list will have only known and approved devices, without unexplained or unknown entries.
- Ask for staff training records on device security: Request documentation showing when and how staff were trained on recognising and pairing with authorised Bluetooth devices.
  Good: the record includes recent training for all relevant staff with clear, practical instructions.
- Ask to see the device inventory: Request the latest inventory list of authorised Bluetooth devices.
- Ask for policy documents on Bluetooth security: Request the company's policy on Bluetooth usage and security.
- Ask for system logs of Bluetooth activity: Request system logs or reports showing Bluetooth connection attempts.
  Good: the record indicates recent reviews and actions taken when unauthorised connection attempts are detected.
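The operational note above asks for paired devices to be reviewed regularly and unknown pairings removed, and the first audit tip defines a good result as a paired-device list containing only approved entries. The script below is an added example of that reconciliation; it is not part of the control page or of any product. It assumes a constructed export format of one line per pairing, `<advertised name>,<Bluetooth address>,<owning asset tag>`, and an inventory keyed by Bluetooth address. Matching is deliberately done on the address rather than the advertised name, because the name is set by the peripheral and is trivially copied; a pairing whose name matches an approved device but whose address does not is reported separately as a look-alike.

```python
"""Reconcile a Bluetooth paired-device export against the approved inventory.

Added example, not from the control page. The export format and the sample
data below are constructed for illustration; adapt parse_export() to whatever
report your MDM or fleet tooling actually produces.
"""
import re
from dataclasses import dataclass


def normalise_addr(raw: str) -> str:
    """Return the address as AA:BB:CC:DD:EE:FF, accepting ':', '-', '.' or no separator."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a Bluetooth address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Pairing:
    asset: str  # company-owned mobile device the pairing was read from
    name: str   # name the peripheral advertises (untrusted, user-settable)
    addr: str   # normalised Bluetooth address (what we actually match on)


def parse_export(text: str) -> list[Pairing]:
    """Parse the constructed 'name,address,asset' export; '#' lines are comments."""
    pairings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        name, addr, asset = parts
        pairings.append(Pairing(asset, name, normalise_addr(addr)))
    return pairings


def review_pairings(pairings, inventory):
    """Split pairings into (approved, unknown, lookalike).

    inventory maps approved Bluetooth address -> approved device name.
    'lookalike' holds pairings whose address is unknown but whose advertised
    name equals an approved device's name; these deserve the closest look.
    """
    approved, unknown, lookalike = [], [], []
    approved_names = {n.casefold() for n in inventory.values()}
    for p in pairings:
        if p.addr in inventory:
            approved.append(p)
        elif p.name.casefold() in approved_names:
            lookalike.append(p)
        else:
            unknown.append(p)
    return approved, unknown, lookalike


def removal_list(unknown, lookalike):
    """Group pairings to be removed by the asset they were found on."""
    by_asset = {}
    for p in lookalike + unknown:
        by_asset.setdefault(p.asset, []).append(f"{p.name} ({p.addr})")
    return by_asset


# Constructed sample data; the addresses and asset tags are not real devices.
INVENTORY = {
    "AA:BB:CC:00:00:01": "Meeting Room 1 Speaker",
    "AA:BB:CC:00:00:02": "Fleet Headset 07",
}
EXPORT = """\
# name,address,asset
Meeting Room 1 Speaker,aa-bb-cc-00-00-01,MOB-0012
Fleet Headset 07,AABBCC000002,MOB-0012
Fleet Headset 07,AA:BB:CC:99:99:99,MOB-0034
Car Kit,11:22:33:44:55:66,MOB-0034
"""

if __name__ == "__main__":
    approved, unknown, lookalike = review_pairings(parse_export(EXPORT), INVENTORY)
    print(f"approved: {len(approved)}, unknown: {len(unknown)}, look-alike: {len(lookalike)}")
    for asset, entries in removal_list(unknown, lookalike).items():
        print(f"{asset}: remove " + "; ".join(entries))
```

Run against the constructed export, the two inventory devices are approved regardless of how their addresses were written, the "Car Kit" pairing is unknown, and the second "Fleet Headset 07" is flagged as a look-alike because only its name matches. The per-asset removal list is the action the operational note calls for, and an export that yields empty unknown and look-alike lists is exactly the "good" audit outcome described above.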
Cross-framework mappings
How ISM-1198 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Mapping | Notes |
|---|---|---|
| Annex A 8.1 | Partially meets | ISM-1198 requires Bluetooth pairing on non-classified, OFFICIAL: Sensitive and PROTECTED mobile devices to be performed so connections ar... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.