Advise Personnel on Overseas Mobile Device Security
Inform staff about privacy and security risks when taking mobile devices abroad.
Plain language
Taking your mobile device overseas can expose it to privacy and security risks, such as data theft or hacking. This control is about ensuring staff understand these risks and know how to protect their devices and the information on them when they travel. If not managed properly, sensitive data could be stolen, leading to financial loss or damage to the organisation's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Sept 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobilitySection
Mobile device usageOfficial control statement
Personnel are advised of privacy and security risks when travelling overseas with mobile devices.
Why it matters
If staff are not advised, overseas travel with mobiles can cause compromise, data loss, fraud costs and reputational harm.
Operational notes
Brief travellers on overseas mobile risks: border searches, hostile Wi‑Fi/charging, local laws, and how to reduce data on devices.
Implementation tips
- HR should provide a training session for all staff members who travel overseas. This training should cover potential security threats, ways devices can be hacked, and methods to protect them, like using strong passwords and avoiding public Wi-Fi networks.
- IT teams need to prepare a 'travel kit' for mobile devices. This could include installing security apps, configuring devices with remote wipe capability, and ensuring that encryption is enabled. They should also inform staff about using virtual private networks (VPNs) to secure connections.
- Managers should remind their travelling staff to conduct pre-trip security checks on their mobile devices. This involves updating the device software, backing up important data, and reviewing what sensitive information is stored on the device.
- The organisation's security officer must develop clear policies for mobile usage abroad that align with guidance from the Australian Cyber Security Centre (ACSC). This includes advising against connecting to unknown networks and guidelines for reporting lost or stolen devices.
- Procurement teams should ensure that all company-issued mobile devices are purchased with robust built-in security features. This serves as the first line of defence against potential breaches while these devices are abroad.
Audit / evidence tips
-
Askevidence of staff training sessions on mobile security
Goodshows comprehensive training that was attended by all relevant staff before overseas travel
-
Goodwill align guidelines with current ACSC recommendations
-
Askrecords of pre-travel device checks
Goodshows a systematic approach with documented procedures followed before each trip
-
Goodprovides a detailed inventory, ensuring all devices have security features enabled
-
Askincident reports for any lost or stolen devices while overseas
Goodincludes prompt reporting and follow-up actions to secure data
Cross-framework mappings
How ISM-1298 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 6.3 | ISM-1298 requires that personnel are advised of privacy and security risks when travelling overseas with mobile devices | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.