Personnel Awareness for Secure Mobile Device Usage
This guideline advises on secure mobile device use to prevent data theft or compromise.
Plain language
These guidelines are about using your phone and other mobile devices safely to protect important data. If you don't follow them, you could accidentally let someone steal sensitive information or even allow harmful software onto your device, which can lead to major problems like identity theft or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Personnel are advised to take the following precautions when using mobile devices:
- never leave mobile devices or removable media unattended, including by placing them in checked-in luggage or leaving them in hotel safes
- never store credentials with mobile devices that they grant access to, such as in laptop computer bags
- never lend mobile devices or removable media to untrusted people, even if briefly
- never allow untrusted people to connect their mobile devices or removable media to your mobile devices, including for charging
- never connect mobile devices to designated charging stations or wall outlet charging ports
- never use gifted or unauthorised peripherals, chargers or removable media with mobile devices
- never use removable media for data transfers or backups that have not been checked for malicious code beforehand
- avoid reuse of removable media once used with other parties' systems or mobile devices
- avoid connecting mobile devices to open or untrusted Wi-Fi networks
- consider disabling any communications capabilities of mobile devices when not in use, such as Wi-Fi, Bluetooth, Near Field Communication and ultra-wideband
- consider periodically rebooting mobile devices
- consider using a VPN connection to encrypt all cellular and wireless communications
- consider using encrypted email or messaging apps for all communications.
Why it matters
If personnel ignore safe mobile practices (untrusted charging, Wi‑Fi, peripherals or media), devices can be compromised, causing data theft and incidents.
Operational notes
Reinforce do’s/don’ts: don’t leave devices unattended, avoid open Wi‑Fi, block unknown charging/media, and remind staff to disable radios and use VPN/encrypted apps.
Implementation tips
- Managers should ensure that all staff are aware of the importance of not leaving mobile devices unattended. They can do this by organising a meeting or sending an email that highlights the risks of theft or unauthorised access if devices are left in places like hotel safes or checked-in luggage.
- IT teams should set up a policy that prevents staff from storing passwords or login details together with their mobile devices. This can be implemented through training sessions that demonstrate safe storage practices, such as using password managers.
- Human Resources departments should provide training sessions to teach employees about the dangers of lending their mobile devices or media to untrusted people, even if only for a short time. These sessions can include examples of real-world consequences and ways to politely refuse if asked.
- Security teams should advise employees never to connect their mobile devices to unknown charging stations or use cables given by people they don't trust. During staff briefings, show how to recognise legitimate vs. suspicious charging set-ups and recommend carrying a personal charger.
- Staff in charge of purchasing should ensure that only authorised peripherals and removable media are used with company devices. They can do this by maintaining an approved list of equipment and conducting regular checks to ensure compliance.
Audit / evidence tips
- Ask: a record of security training sessions provided to staff about mobile device usage
- Good: the document will have clear guidelines and examples
- Ask: documented procedures on how staff should store credentials separately from devices. Review the process steps and security arrangements recommended. A well-written document will explain safe practices and offer solutions like password managers
- Ask: to see the checklist used when authorising new peripherals or cables for use with company devices
- Good: the checklist will document tested and approved items, avoiding any unauthorised use
Cross-framework mappings
How ISM-1299 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (4) | | |
| Annex A 7.7 | ISM-1299 advises personnel on practical precautions for secure mobile device use, including never leaving devices or removable media unat... | |
| Annex A 7.10 | ISM-1299 instructs personnel to handle mobile devices and removable media securely (e.g | |
| Annex A 8.7 | ISM-1299 provides user precautions that reduce malware introduction on mobile devices, such as not using gifted/unauthorised peripherals,... | |
| Annex A 8.12 | ISM-1299 aims to prevent theft, unauthorised access, and interception of information on mobile devices by discouraging risky behaviours (e.g | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.