Guidelines for Using Mobile Devices Abroad
Use specific work devices and avoid personal phones when going to high-risk countries.
Plain language
When travelling to countries with high security risks, it's essential to use work-specific devices and accounts. This is because personal devices can be vulnerable to hacking or surveillance in these areas, which might expose sensitive work data.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobilitySection
Mobile device usageOfficial control statement
If travelling overseas with mobile devices to high or extreme risk countries, personnel are: - issued with newly provisioned user accounts, mobile devices and removable media from a pool of dedicated travel devices which are used solely for work-related activities - advised on how to apply and inspect tamper seals to key areas of mobile devices - advised to avoid taking any personal mobile devices, especially if rooted or jailbroken.
Why it matters
Without dedicated travel devices and accounts, overseas travel to high-risk countries can expose sensitive data to surveillance or theft.
Operational notes
Issue dedicated travel devices/accounts for high-risk trips, apply tamper seals, inspect on return, then wipe and decommission devices/media.
Implementation tips
- IT team should provision dedicated travel devices: They should prepare smartphones or tablets specifically for work trips, ensuring they only contain necessary applications and data. This can be done by maintaining a pool of clean devices that are reset and reconfigured before each trip.
- Security manager should educate travellers on device usage: Organise a briefing session where employees learn about using tamper seals on their travel devices. Explain how to apply these seals over sensitive areas like USB ports and camera lenses to detect unauthorized access.
- HR should coordinate the distribution of these devices: Ensure that employees going on international trips are given these specific devices rather than using personal ones. Create a checklist for signing devices in and out to maintain control and responsibility.
- IT team should disable unnecessary features on travel devices: Before provisioning, IT should remove or disable non-essential applications or features that might present security vulnerabilities. This might include disabling automatic connections to Wi-Fi or Bluetooth to avoid unintentional data sharing.
- Employees are advised not to take personal mobile devices: Communicate the risks of using personal devices, particularly those that are rooted or have altered security settings, as these are more susceptible to attacks. Provide simple instructions on how to check if a device is rooted or jailbroken.
Audit / evidence tips
-
Aska list of travel devices: Request documentation showing the inventory of devices dedicated for travel use
Goodis a current list showing assigned employees, device statuses, and setup dates
-
Askthe tamper seal education material: Request copies of presentation slides or handouts used to educate employees on using tamper seals
Goodsign is clear, concise steps explaining tamper seal application and check procedures
-
Asktravel device distribution logs: Check the records of who has been issued specific devices for travel
Goodshows devices are tracked in a log file with check-out and check-in dates, and employees' signatures
-
Aska protocol on feature disabling: Request documentation on the procedures for disabling unnecessary features on travel devices
Goodis a detailed guide listing precise features disabled for safety during travel
-
Askemployee advisories: Request email communications or memos advising employees against bringing personal devices, especially rooted ones
Goodincludes warnings about risks and facts on rooting vulnerabilities
Cross-framework mappings
How ISM-1554 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (3) expand_less | ||
| Annex A 6.7 | ISM-1554 requires specific precautions for personnel travelling overseas with mobile devices to high or extreme risk countries, including... | |
| Annex A 7.9 | ISM-1554 addresses protecting mobile devices used off-site during overseas travel to high or extreme risk countries by mandating dedicate... | |
| Annex A 8.1 | ISM-1554 requires heightened protection for user endpoint devices during overseas travel to high or extreme risk countries by using newly... | |
| handshake Supports (1) expand_less | ||
| Annex A 6.3 | ISM-1554 requires personnel travelling to high or extreme risk countries to follow specific behaviours (use dedicated work devices/accoun... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.