Enforce Data Separation on Personal Devices
Ensure work data and personal data are kept separate on employees' personal devices.
Plain language
Keeping work data separate from personal data on your employees' devices is crucial to prevent accidental sharing or loss of sensitive information. If work and personal data get mixed up, there could be major breaches of privacy or security leaks.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
OS, P
ISM last updated
June 2026
Control Stack last updated
18 June 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Enterprise Mobility
Official control statement
Personnel using privately owned mobile devices or desktop computers to access OFFICIAL: Sensitive or PROTECTED systems or data have enforced separation of classified data and personal data.
Why it matters
Mixing of work and personal data can lead to security breaches or loss of sensitive business information, impacting integrity and reputation.
Operational notes
Ensure regular updates and audits of the MDM system to maintain effective separation of work and personal data on all employee devices.
Implementation tips
- The IT team should implement a mobile device management (MDM) solution. This allows you to create separate environments for work and personal data on employees' devices, ensuring they don't mix.
- Managers should clearly communicate policies regarding data separation to staff. Use regular meetings or company emails to remind employees about the importance of not storing work data in personal storage apps.
- HR should integrate data separation guidelines into onboarding materials. Include simple instructions on how employees can set up their devices to keep work and personal data separate.
- Employees should be trained on recognising the difference between work and personal data. Conduct short workshops that demonstrate practical scenarios of data separation to avoid accidental data mixing.
- The IT team should regularly monitor and update the separation settings on employees' devices. Conduct monthly reviews to ensure the MDM system is effectively maintaining the separation of data.
Audit / evidence tips
- Ask: the MDM configuration reports. Look at: the setup of work and personal data partitions on devices. Good: shows clear separation configurations for work and personal profiles.
- Good: is a signed record with session dates and details.
- Ask: a copy of the data separation policy. Look at: policy sections specifying what data belongs in personal or work domains. Good: clearly defines and provides examples of data types.
- Look at: notes on any instances of data overlap being detected and remediated. Good: shows regular audits with remedial actions for any failures.
- Ask: HR onboarding documentation related to device setups. Check for clear guidance on implementing data separation on personal devices. Good: includes step-by-step instructions for setup.
Cross-framework mappings
How ISM-1400 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 7.9 | ISM-1400 requires enforced separation of OFFICIAL: Sensitive or PROTECTED work data from personal data on privately-owned devices used to... | |
| Annex A 8.1 | ISM-1400 requires organisations to enforce separation of classified work data from personal data on privately-owned endpoint devices used... | |
| Partially overlaps (1) | | |
| Annex A 6.7 | ISM-1400 requires enforced separation of classified data and personal data when personnel use privately-owned devices to access sensitive... | |
| Supports (2) | | |
| Annex A 5.10 | ISM-1400 requires enforced separation of OFFICIAL: Sensitive or PROTECTED work data from personal data on privately-owned devices | |
| Annex A 8.12 | ISM-1400 requires organisations to keep classified work data separate from personal data on privately-owned devices accessing sensitive s... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (4) | | |
| E8-RA-ML1.5 | ISM-1400 requires enforced separation of classified data and personal data for personnel using privately-owned devices to access sensitiv... | |
| E8-RA-ML1.6 | ISM-1400 requires enforced separation of classified/business data from personal data when privately-owned devices access OFFICIAL: Sensit... | |
| E8-RA-ML1.7 | ISM-1400 requires enforced separation of classified data and personal data when privately-owned endpoints are used to access OFFICIAL: Se... | |
| E8-RA-ML2.3 | ISM-1400 requires enforced separation of classified data and personal data on privately-owned devices accessing OFFICIAL: Sensitive or PR... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.