ISM-1533, ASD Information Security Manual (ISM)

Establish Mobile Device Management Policies

Create and maintain policies to manage and control mobile devices within the organisation.

Plain language

Creating and maintaining a policy to manage mobile devices is like setting ground rules for how these devices are used in your organisation. This matters because without clear rules, mobile devices could become easy targets for cyber attacks or data leaks, leading to loss of sensitive information and potentially harming your business reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

A mobile device management policy is developed, implemented and maintained.

Why it matters

Without an enforced MDM policy, lost or unmanaged mobiles may expose sensitive data and allow unauthorised access to corporate systems.

Operational notes

Review the MDM policy regularly to cover enrolment, PIN/biometrics, encryption, patching, app controls and remote wipe for lost or stolen devices.

Implementation tips

  • Business owner should task an IT consultant to draft a mobile device management policy. This document should outline what types of mobile devices can be used, how they can access company data, and the security measures that must be in place. Once drafted, review the policy with key staff to ensure it is clear and practical.
  • IT manager should work with the HR team to ensure the mobile device policy is included in employee induction training. This involves explaining the rules clearly and providing examples of acceptable and unacceptable use. Ensure all employees sign that they understand and will comply with the policy.
  • Security officer should regularly review and update the mobile device management policy. This can be done by scheduling bi-annual reviews to incorporate new risks and technology changes, ensuring that the policy remains effective and relevant.
  • Office manager should implement a system to track all mobile devices accessing organisational data. This can be accomplished by maintaining a simple inventory list using a spreadsheet, recording device type, user details, and date of last security review.
  • IT team should set up technical measures to enforce the policy. This includes configuring devices to enforce password protection, remote wipe abilities, and regular updates. Utilise mobile device management software to automate these settings where possible.

Audit / evidence tips

  • Ask: A copy of the current mobile device management policy document. Good: Will be a comprehensive, up-to-date document with clear sections and sign-off from leadership.
  • Good: Is evidence of regular training sessions where all new and existing employees have attended and understood the policy.
  • Good: Is a current and detailed inventory, with checks showing recent reviews of device status and compliance.
  • Ask: Reports showing how technical control measures are enforced. Good: Includes dated logs or screenshots showing settings applied across devices.
  • Good: Provides a documented review process with clear reasons for updates reflecting changing risks or organisational needs.

Cross-framework mappings

How ISM-1533 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.1: ISM-1533 requires the organisation to develop, implement and maintain a mobile device management (MDM) policy

Supports (2)

  • Annex A 5.4: ISM-1533 requires the organisation to develop, implement and maintain an MDM policy for mobile devices
  • Annex A 5.36: ISM-1533 requires the organisation to develop, implement and maintain an MDM policy

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
