Prevent Storing Classified Data on Privately Owned Devices
Staff using their own phones, tablets or computers for work must be stopped from saving OFFICIAL: Sensitive or PROTECTED data onto those personal devices.
Plain language
When staff use their own personal phones, tablets or computers (often called BYO, or "bring your own" devices) to access work systems that hold sensitive or classified information, this control makes sure that classified data is never actually saved onto those personal devices. The information can be viewed or worked on, but it must not be stored locally on equipment the organisation does not own and control. This matters because personal devices are easily lost, sold, shared with family, or stolen, and once classified data is sitting on them you have no way to wipe it, track it, or guarantee it is protected.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
OS, P
ISM last updated
June 2026
Control Stack last updated
18 June 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Enterprise Mobility
Official control statement
Personnel using privately owned mobile devices or desktop computers to access OFFICIAL: Sensitive or PROTECTED systems or data are prevented from storing classified data on their privately owned mobile devices and desktop computers.
Why it matters
If staff save classified data onto their own phones or computers, a lost or stolen personal device can hand sensitive or PROTECTED information straight to an outsider with no way to wipe it.
Operational notes
Re-check device controls whenever staff change personal phones or operating systems update, and remove access promptly when someone leaves or reports a lost device.
Implementation tips
- The IT team should configure access to OFFICIAL: Sensitive and PROTECTED systems so that data is only viewed through a controlled session (for example a remote desktop, virtual desktop, or secure web app) where files cannot be downloaded or saved onto the personal device.
- The system owner should decide which personal devices, if any, are permitted to connect at all, and write this into a clear bring-your-own-device policy that staff must read and sign before they are given access.
- The IT team should deploy a mobile device management or containerisation tool that keeps work data inside a protected, encrypted work area on the personal device and blocks copying, downloading or saving that data to the device's own storage, camera roll or personal apps.
- The office manager or HR should make sure every staff member using their own device signs an acknowledgement that they understand they must not save classified files, screenshots, attachments or copies onto their personal phone, tablet or computer.
- The IT team should disable risky features for these connections, such as local file download, clipboard copy-out, screenshots and saving email attachments, so the rule is enforced by the system rather than relying on people remembering it.
Audit / evidence tips
- Ask: to see the bring-your-own-device (BYO) policy and a list of staff who use personal devices for work. Look at: whether it explicitly bans storing OFFICIAL: Sensitive or PROTECTED data on personal equipment. Good: shows a current, signed policy that names the specific classifications covered.
- Ask: how a staff member on a personal phone actually opens a sensitive document. Look at: a live demonstration of the access method. Good: shows the file opening inside a controlled or virtual session with no option to download or save it to the device.
- Ask: for the technical configuration that blocks saving data locally (mobile device management settings, container rules, or remote-session policies). Look at: the actual settings, not just a description. Good: shows download, copy, and screenshot functions disabled for these connections.
- Ask: whether any classified data has ever been found stored on a personal device, and how they would detect it. Look at: monitoring or compliance reports. Good: shows regular checks and a clear process for responding when a breach is found.
- Ask: what happens when an employee with a personal device leaves or loses the device. Look at: the offboarding and lost-device procedure. Good: shows the organisation can revoke access and confirm no classified data was left sitting on the personal device.
Cross-framework mappings
How ISM-1866 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| **Partially meets (3)** | |
| Annex A 6.7 | ISM-1866 requires preventing classified data from being stored on privately-owned mobile devices and desktop computers when accessing sen... |
| Annex A 7.10 | ISM-1866 requires that personnel using privately-owned devices to access OFFICIAL: Sensitive or PROTECTED systems/data are prevented from... |
| Annex A 8.1 | ISM-1866 requires personnel on privately-owned mobile devices or desktop computers to be prevented from storing classified data locally |
| **Partially overlaps (2)** | |
| Annex A 5.14 | ISM-1866 requires controls that prevent classified data being stored on privately-owned devices when users access sensitive systems/data |
| Annex A 8.3 | ISM-1866 mandates preventing the storage of OFFICIAL: Sensitive or PROTECTED data on privately owned mobile devices and desktop computers |
| **Supports (2)** | |
| Annex A 5.15 | ISM-1866 requires that personnel using privately owned devices to access OFFICIAL: Sensitive or PROTECTED systems/data are prevented from... |
| Annex A 5.33 | ISM-1866 requires organisations to prevent personnel from saving OFFICIAL: Sensitive or PROTECTED data onto privately owned devices |
| **Related (1)** | |
| Annex A 8.12 | Annex A 8.12 requires data leakage prevention measures to be applied to devices and systems handling sensitive information |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.