ISM-1644 ASD Information Security Manual (ISM)

Secure Communication Practices in Public Areas

Avoid discussing sensitive topics on mobile phones in public to prevent eavesdropping.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Sensitive or classified phone calls and conversations are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure you don't discuss private or sensitive matters on your mobile phone when you're in public. Imagine you're at a café, talking about a business deal or a confidential client issue. If someone overhears, you could risk exposing important information, which could lead to financial loss or damage to your organisation's reputation.

Why it matters

Sensitive phone calls in public can be overheard, causing unauthorised disclosure of information and potential financial and reputational harm.

Operational notes

Avoid sensitive calls in public. If unavoidable, move to a private area, speak quietly, and use approved encrypted calling/messaging where available.

Implementation tips

  • Managers should educate employees about the risks of discussing sensitive topics in public. Conduct regular training sessions where you explain why it's important to avoid sensitive conversations in places like coffee shops or on public transport.
  • Team leaders should establish guidelines for what not to discuss in public places. Provide a checklist or quick-reference guide of topics that should always be covered in private, ensuring team members know what constitutes sensitive information.
  • IT personnel could implement technical solutions to help mitigate risks. For instance, suggest using secure messaging apps with strong encryption for sensitive communications, especially when employees are away from the office.
  • HR departments should incorporate this control into the organisation’s official policies. Include clear language in the employee handbook about maintaining confidentiality and the proper channels for handling sensitive discussions.
  • Business owners should lead by example to foster a culture of awareness around secure communication. Share personal anecdotes or examples of potential risks during team meetings to make the policy relatable and memorable.

Audit / evidence tips

  • Ask for the training records: request documentation of any training sessions conducted regarding secure communication practices.

    Good: includes a regular schedule of sessions with comprehensive coverage of risks and guidelines

  • Ask for the communication policy document: request to see the section in the employee handbook that covers secure communication in public areas.

    Good: cites specific examples and aligns with organisational risks

  • Ask for examples of communication technology in use: request a list of secure apps or tools recommended by the IT team, and check whether they are widely used and recognised for their security features.

    Good: describes tools with strong encryption and user-friendly interfaces available to employees

  • Ask for incident reports: request documentation of any incidents where sensitive information was overheard or accidentally exposed.

    Good: shows few to no incidents, with robust action plans for any occurrences

  • Ask for evidence of leadership commitment: request records of management's efforts to communicate the importance of this control, with examples.

    Good: depicts senior leaders actively engaged in promoting secure communication

Cross-framework mappings

How ISM-1644 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 5.10: ISM-1644 requires that sensitive or classified phone calls and conversations are not conducted in public locations unless precautions are...
  • Annex A 6.3: ISM-1644 addresses operational behaviour to prevent inadvertent disclosure during conversations in public areas
