Continuous System Security Monitoring and Threat Management
System owners must always check their systems for security threats and handle risks effectively.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Proactive
🔐 Classifications
OS, P
🗓️ ISM last updated
Mar 2026
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
N/A
Personnel using privately-owned mobile devices or desktop computers to access OFFICIAL: Sensitive or PROTECTED systems or data have enforced separation of classified data and personal data.
Source: ASD Information Security Manual (ISM)
Plain language
System owners need to regularly check and manage the security of their systems. This is important because ignoring potential threats can lead to data breaches, financial loss, or damage to your reputation.
Why it matters
If not monitored, systems can become vulnerable to breaches, potentially resulting in financial loss and loss of client trust.
Operational notes
Regularly updating security protocols and keeping communication open across teams ensures ongoing system protection and threat readiness.
Implementation tips
- Company IT staff should install software that separates work and personal data on employee-owned devices. They can do this by using tools that create a separate, isolated workspace for work tasks, which maintains a clear boundary between the two types of data.
- Managers should work with the IT team to ensure all employees using personal devices for work have signed a data separation agreement. This involves clarifying the expectations and responsibilities for maintaining data separation and informing them clearly about the risks of mixing data.
- The IT department should regularly update the security settings on the work data spaces within personal devices. This can be done by scheduling automatic updates and security patches to ensure the separate work environment is always protected against new security threats.
- HR should include training sessions on the importance of data separation for all staff using personal devices for work. This can be achieved by holding workshops or distributing easy-to-understand guides on how to maintain secure work and personal data environments.
- System owners should ensure that all work-related applications are accessed through dedicated apps or secure browsers provided by the company. This involves instructing users to avoid using personal browsers or apps for work to reduce the chances of data breaches.
Audit / evidence tips
- Ask: the list of all employees using personal devices for work. Request a documented list showing which employees are provided access to work systems on personal devices.
  Good: A regularly updated list with dates of access approvals and revocation records.
- Good: A detailed policy with specific instructions and measures to verify compliance.
- Ask: a sample of training records. Request to see records of any training sessions or materials provided to staff about data separation.
  Good: Documented proof of regular training sessions with high participation and relevant materials distributed.
- Ask: the IT team to show how personal and work data are kept separate on a sample device.
  Good: A clear demonstration where accessed data stays within its designated boundary.
- Ask: audit logs from the device management system. Request logs that show how often the data separation is checked or challenged.
  Good: Regular logs with no recent breaches and interval checks documented.
Cross-framework mappings
How ISM-1400 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 7.9 | ISM-1400 requires enforced separation of OFFICIAL: Sensitive or PROTECTED work data from personal data on privately-owned devices used to... | |
| Annex A 8.1 | ISM-1400 requires organisations to enforce separation of classified work data from personal data on privately-owned endpoint devices used... | |
| Partially overlaps (1) | | |
| Annex A 6.7 | ISM-1400 requires enforced separation of classified data and personal data when personnel use privately-owned devices to access sensitive... | |
| Supports (2) | | |
| Annex A 5.10 | ISM-1400 requires enforced separation of OFFICIAL: Sensitive or PROTECTED work data from personal data on privately-owned devices | |
| Annex A 8.12 | ISM-1400 requires organisations to keep classified work data separate from personal data on privately-owned devices accessing sensitive s... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (4) | | |
| E8-RA-ML1.5 | ISM-1400 requires enforced separation of classified data and personal data on privately-owned devices used to access sensitive systems or... | |
| E8-RA-ML1.6 | ISM-1400 requires enforced separation of classified data and personal data when privately-owned devices are used to access OFFICIAL: Sens... | |
| E8-RA-ML1.7 | ISM-1400 requires enforced separation of classified data and personal data when using privately-owned devices to access sensitive systems... | |
| E8-RA-ML2.3 | ISM-1400 requires enforced separation of classified data and personal data on privately-owned devices accessing OFFICIAL: Sensitive or PR... | |