ISM-1866 ASD Information Security Manual (ISM)

Prevent Storage of Classified Data on Private Devices

Prevent employees from storing classified data on their personal devices when accessing sensitive systems.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

OS, P

🗓️ ISM last updated

Mar 2026

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
Personnel using privately-owned mobile devices or desktop computers to access OFFICIAL: Sensitive or PROTECTED systems or data are prevented from storing classified data on their privately-owned mobile devices and desktop computers.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure employees don't save classified information on their personal devices. If they do, there's a risk that sensitive data could be exposed or lost if their device is lost, stolen, or hacked.

Why it matters

Classified data stored on personal devices risks exposure through theft, loss, or a cyberattack, potentially leading to significant data breaches.

Operational notes

Regularly update and enforce policies so that employees do not store sensitive data on their personal devices, even unintentionally. Stay vigilant in monitoring.

Implementation tips

  • System owners should classify which information is considered sensitive or protected. Identify and catalogue all data that should not be stored on personal devices, working with your IT team to define these categories clearly.
  • The IT team should configure systems to ensure data cannot be downloaded onto personal devices. This can be done by setting up network restrictions and permissions that block file downloads or copies onto unauthorised devices.
  • Managers should communicate this policy to all staff. They can do this by holding regular training sessions to explain why this rule exists and making sure employees understand the consequences of breaching this control.
  • Procurement officers should ensure that company devices meet security standards. They should collaborate with IT to buy devices that have secure storage options and adhere to Australian Cyber Security Centre (ACSC) guidelines.
  • The HR team should update employee contracts and policies. Write clear sections within employee handbooks and agreements explaining the restrictions on data storage, and ensure each employee signs these updated agreements.

Audit / evidence tips

  • Ask for the list of classified information types: request documentation from the IT team that defines what data is considered sensitive or protected.

  • Ask for policy distribution records: request evidence that the policy prohibiting storage on personal devices has been shared with staff.

  • Ask to see device configuration settings: request a demonstration from the IT team of how devices are set up to prevent data downloads.

    Good: the demonstration shows active blocks on downloading or copying sensitive files.

  • Ask for procurement checklists: request the documents used by procurement to ensure new company devices meet security standards.

  • Ask for updated employee contracts: request to view the contracts or employee handbook sections where this rule is explained.

    Good: the contract clearly states these expectations and the potential consequences for breaches.

Cross-framework mappings

How ISM-1866 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 8.1: ISM-1866 requires personnel on privately-owned mobile devices or desktop computers to be prevented from storing classified data locally

Partially overlaps (1)

  • Annex A 6.7: ISM-1866 requires organisations to prevent personnel using privately-owned devices from storing classified data from OFFICIAL: Sensitive ...

Related (1)

  • Annex A 8.12: Annex A 8.12 requires data leakage prevention measures to be applied to devices and systems handling sensitive information
