Secure Communication Practices in Public Areas
Avoid discussing sensitive topics on mobile phones in public to prevent eavesdropping.
Plain language
This control is about making sure you don't discuss private or sensitive matters on your mobile phone when you're in public. Imagine you're at a café, talking about a business deal or a confidential client issue. If someone overhears, you could risk exposing important information, which could lead to financial loss or damage to your organisation's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Mobile device usage
Official control statement
Sensitive or classified phone calls and conversations are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard.
Why it matters
Sensitive phone calls in public can be overheard, causing unauthorised disclosure of information and potential financial and reputational harm.
Operational notes
Avoid sensitive calls in public. If unavoidable, move to a private area, speak quietly, and use approved encrypted calling/messaging where available.
Implementation tips
- Managers should educate employees about the risks of discussing sensitive topics in public. Conduct regular training sessions where you explain why it's important to avoid sensitive conversations in places like coffee shops or on public transport.
- Team leaders should establish guidelines for what not to discuss in public places. Provide a checklist or quick-reference guide of topics that should always be covered in private, ensuring team members know what constitutes sensitive information.
- IT personnel could implement technical solutions to help mitigate risks. For instance, suggest using secure messaging apps with strong encryption for sensitive communications, especially when employees are away from the office.
- HR departments should incorporate this control into the organisation’s official policies. Include clear language in the employee handbook about maintaining confidentiality and the proper channels for handling sensitive discussions.
- Business owners should lead by example to foster a culture of awareness around secure communication. Share personal anecdotes or examples of potential risks during team meetings to make the policy relatable and memorable.
Audit / evidence tips
- Ask: the training records. Request documentation of any training sessions conducted regarding secure communication practices.
  Good: includes a regular schedule of sessions with comprehensive coverage of risks and guidelines.
- Ask: the communication policy document. Request to see the section in the employee handbook that covers secure communication in public areas.
  Good: cites specific examples and aligns with organisational risks.
- Ask: examples of communication technology in use. Request a list of secure apps or tools recommended by the IT team. Look to see if they are widely used and recognised for their security features.
  Good: describes tools with strong encryption and user-friendly interfaces available to employees.
- Ask: incident reports. Request documentation of any incidents where sensitive information was overheard or accidentally exposed.
  Good: shows few to no incidents, with robust action plans for any occurrences.
- Ask: evidence of leadership commitment. Request records of management's efforts to communicate the importance of this control with examples.
  Good: depicts senior leaders actively engaged in promoting secure communication.
Cross-framework mappings
How ISM-1644 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.10 | ISM-1644 requires that sensitive or classified phone calls and conversations are not conducted in public locations unless precautions are... | |
| Annex A 6.3 | ISM-1644 addresses operational behaviour to prevent inadvertent disclosure during conversations in public areas | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.