Ensure Secure Password Lock Screens on Mobile Devices
Make sure mobile devices have secure password lock screens to protect data.
Plain language
This control is about making sure that your mobile phone has a secure password before anyone can use it. It matters because if someone steals your phone, they could easily access your emails, photos, or even bank apps if it's not secured properly.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
20 Mar 2026
E8 maturity levels
N/A
Section
Server Application Hardening
Official control statement
User accounts are not configured with password never expires or password not required.
Why it matters
Without secure lock screens, sensitive data on mobile devices can be easily compromised if devices are lost or stolen.
Operational notes
Regularly remind staff to update passwords and check that they meet the required complexity guidelines to ensure data security.
Implementation tips
- The IT team should ensure all user accounts require passwords to access them. This can be done by checking the system settings to make sure no accounts have 'password never expires' or 'password not required' options selected.
- The system administrator should set up a policy for passwords to expire after a certain period, like every 60 or 90 days. This involves configuring the settings in the user account management section of your server or Active Directory platform.
- Managers should educate staff on the importance of updating their passwords regularly. This can be done by organising short, clear training sessions or reminders about why expired passwords help maintain security.
- The IT team should regularly review account settings to ensure compliance with the password policy. They can do this by running reports from the user management system to identify any non-compliant accounts.
- System owners should collaborate with IT to enforce a minimum standard for password complexity. This will involve setting rules about password length and the inclusion of numbers and symbols to make them harder to guess.
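The account review in the tips above, as an added PowerShell example (not code from the Control Stack page or from ASD): it reports every enabled domain user flagged 'password never expires' or 'password not required', flags passwords older than the domain's maximum age, and can clear the two flags. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module and an account permitted to read (and, with -Remediate, modify) user objects; the output path is an assumption.

```powershell
# Added example: find and optionally fix user accounts that violate ISM-1837.
# Assumes RSAT ActiveDirectory module and rights to read/modify user objects.
Import-Module ActiveDirectory

function Get-NonCompliantPasswordAccount {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # narrow to an OU if wanted
        [switch]$Remediate
    )

    # Maximum password age from the default domain policy (00:00:00 means no maximum).
    $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

    $accounts = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties PasswordNeverExpires, PasswordNotRequired, PasswordLastSet

    foreach ($u in $accounts) {
        $findings = @()
        if ($u.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
        if ($u.PasswordNotRequired)  { $findings += 'PasswordNotRequired' }
        if ($null -eq $u.PasswordLastSet) {
            $findings += 'PasswordNeverSet'
        } elseif ($maxAge.TotalDays -gt 0 -and (New-TimeSpan -Start $u.PasswordLastSet) -gt $maxAge) {
            $findings += 'PasswordOlderThanPolicy'
        }
        if ($findings.Count -eq 0) { continue }   # compliant, nothing to report

        if ($Remediate -and ($u.PasswordNeverExpires -or $u.PasswordNotRequired)) {
            # Clear both flags; the password then falls under the domain expiry policy.
            Set-ADUser -Identity $u -PasswordNeverExpires $false -PasswordNotRequired $false
        }

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Findings        = ($findings -join ';')
            PasswordLastSet = $u.PasswordLastSet
            Remediated      = [bool]$Remediate
        }
    }
}

# Report-only run produces the audit evidence; run again with -Remediate to clear the flags.
Get-NonCompliantPasswordAccount | Export-Csv -Path .\ism-1837-report.csv -NoTypeInformation
```

The report run is the evidence a reviewer can request under the audit tips; keep the -Remediate run separate so the before and after states are both recorded.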
Audit / evidence tips
- Ask for: the password policy document. Request the policy that outlines password expiration requirements. Good evidence: includes clear timelines such as 'every 60 days'.
- Ask for: a report of user account settings. Request a detailed report showing current user accounts and their password settings. Good evidence: shows no accounts with these settings.
- Ask for: logs of recent password changes. Request a log that records when passwords were last changed for all accounts. Good evidence: shows all users have set new passwords within policy times.
- Ask for: training materials on password policies. Request any communication or training materials shared with staff about password updating procedures. Good evidence: includes regular reminders and clear explanations.
- Ask for: evidence of compliance checks. Request records of any checks or audits done to ensure compliance with the password policy. Good evidence: includes a documented review process and corrective actions.
Cross-framework mappings
How ISM-1837 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.17 | Partially meets | ISM-1837 requires user accounts to be configured so that passwords are required and do not use the 'password never expires' setting |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.