Guidelines for Using Mobile Devices Abroad
Use specific work devices and avoid personal phones when going to high-risk countries.
- Framework: ASD Information Security Manual (ISM)
- Control effect: Preventative
- Classifications: NC, OS, P, S, TS
- ISM last updated: Nov 2024
- Control Stack last updated: 22 Feb 2026
- E8 maturity levels: N/A
Guideline: Guidelines for enterprise mobility
Section: Mobile device usage
If travelling overseas with mobile devices to high or extreme risk countries, personnel are:
- issued with newly provisioned user accounts, mobile devices and removable media from a pool of dedicated travel devices which are used solely for work-related activities
- advised on how to apply and inspect tamper seals to key areas of mobile devices
- advised to avoid taking any personal mobile devices, especially if rooted or jailbroken.
Source: ASD Information Security Manual (ISM)
Plain language
When travelling to countries with high security risks, it's essential to use work-specific devices and accounts. This is because personal devices can be vulnerable to hacking or surveillance in these areas, which might expose sensitive work data.
Why it matters
Without dedicated travel devices and accounts, overseas travel to high-risk countries can expose sensitive data to surveillance or theft.
Operational notes
Issue dedicated travel devices/accounts for high-risk trips, apply tamper seals, inspect on return, then wipe and decommission devices/media.
Implementation tips
- IT team should provision dedicated travel devices: They should prepare smartphones or tablets specifically for work trips, ensuring they only contain necessary applications and data. This can be done by maintaining a pool of clean devices that are reset and reconfigured before each trip.
- Security manager should educate travellers on device usage: Organise a briefing session where employees learn about using tamper seals on their travel devices. Explain how to apply these seals over sensitive areas like USB ports and camera lenses to detect unauthorized access.
- HR should coordinate the distribution of these devices: Ensure that employees going on international trips are given these specific devices rather than using personal ones. Create a checklist for signing devices in and out to maintain control and responsibility.
- IT team should disable unnecessary features on travel devices: Before provisioning, IT should remove or disable non-essential applications or features that might present security vulnerabilities. This might include disabling automatic connections to Wi-Fi or Bluetooth to avoid unintentional data sharing.
- Employees are advised not to take personal mobile devices: Communicate the risks of using personal devices, particularly those that are rooted or have altered security settings, as these are more susceptible to attacks. Provide simple instructions on how to check if a device is rooted or jailbroken.
Audit / evidence tips
- Ask for a list of travel devices: Request documentation showing the inventory of devices dedicated for travel use.
  Good: a current list showing assigned employees, device statuses, and setup dates.
- Ask for the tamper seal education material: Request copies of presentation slides or handouts used to educate employees on using tamper seals.
  Good: clear, concise steps explaining tamper seal application and check procedures.
- Ask for travel device distribution logs: Check the records of who has been issued specific devices for travel.
  Good: devices are tracked in a log file with check-out and check-in dates, and employees' signatures.
- Ask for a protocol on feature disabling: Request documentation on the procedures for disabling unnecessary features on travel devices.
  Good: a detailed guide listing the precise features disabled for safety during travel.
- Ask for employee advisories: Request email communications or memos advising employees against bringing personal devices, especially rooted ones.
  Good: includes warnings about risks and facts on rooting vulnerabilities.
Cross-framework mappings
How ISM-1554 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| Annex A 6.7 | ISM-1554 requires specific precautions for personnel travelling overseas with mobile devices to high or extreme risk countries, including... | |
| Annex A 7.9 | ISM-1554 addresses protecting mobile devices used off-site during overseas travel to high or extreme risk countries by mandating dedicate... | |
| Annex A 8.1 | ISM-1554 requires heightened protection for user endpoint devices during overseas travel to high or extreme risk countries by using newly... | |
| Supports (1) | | |
| Annex A 6.3 | ISM-1554 requires personnel travelling to high or extreme risk countries to follow specific behaviours (use dedicated work devices/accoun... | |