Ensure Separation of Classified and Personal Data on Devices
Organisation devices must keep classified and personal data separate to protect classified information.
Plain language
Keeping classified and personal data separate on work devices ensures that sensitive information stays protected. Without this separation, there's a risk that confidential data could be accidentally shared or lost, leading to security breaches or legal issues.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
OS, P, S, TS
ISM last updated
Mar 2026
Control Stack last updated
24 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systems
Section
Enterprise mobility
Official control statement
Personnel using organisation-owned mobile devices or desktop computers to access classified systems or data have enforced separation of classified data and personal data.
Why it matters
Without proper separation, classified data may end up in personal apps, risking leaks, breaches, and potential legal issues.
Operational notes
Regularly review and update account settings to ensure that data remains strictly separated as technologies and policies evolve.
Implementation tips
- The IT team should set up separate user profiles on organisation-owned devices. They can create one profile for work tasks and another for personal use by employees. This helps ensure that work data remains separate from personal data.
- Managers should inform all employees about the importance of separating work and personal data. They can do this by organising a short training session where they explain the potential risks of not following this policy.
- System administrators should configure devices to restrict access to work-related applications and data from personal user profiles. They can use software settings to ensure that only work profiles can open work apps and files.
- HR should include information about data separation practices in the employee onboarding process. New employees could receive a guide that outlines how to properly manage work and personal data on their company devices.
- Procurement staff should choose devices that support multiple user profiles. When purchasing new equipment, they should check that devices allow easy management of separate accounts for different uses.
Audit / evidence tips
- Ask: the device policy document. Request a copy of the policy that explains data separation requirements for organisation-owned devices.
  Good: a clear section detailing the requirement for separate profiles or accounts.
- Ask: device configuration reports. Request a sample report from the IT team showing how devices are set up.
  Good: includes settings that enforce these separations.
- Ask: employees about their understanding. Interview a few employees to see if they understand how to keep their work and personal data separate.
  Good: employees confidently describing how they use separate profiles.
- Ask: training materials. Request any documents or presentations used for teaching employees about data separation.
  Good: includes comprehensive materials with examples.
- Ask: records of device checks. Request logs or records showing routine checks of devices for data separation compliance.
  Good: shows regular checks with documented outcomes proving compliance.
Cross-framework mappings
How ISM-1482 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.1 | ISM-1482 requires enforced separation of classified data from personal data on organisation-owned mobile devices and desktop computers |
| Supports | Annex A 8.12 | ISM-1482 requires enforced separation of classified data from personal data on organisation-owned devices |
| Depends on | Annex A 5.12 | ISM-1482 requires enforced separation of classified data from personal data on organisation-owned devices, which presumes the organisatio... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.