ISM-1866 ASD Information Security Manual (ISM)

Prevent Storage of Classified Data on Private Devices

Prevent employees from storing classified data on their personal devices when accessing sensitive systems.


Plain language

This control is about making sure employees don't save classified information on their personal devices. If they do, there's a risk that sensitive data could be exposed or lost if their device is lost, stolen, or hacked.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

OS, P

ISM last updated

Mar 2026

Control Stack last updated

24 Mar 2026

E8 maturity levels

N/A

Official control statement

Personnel using privately-owned mobile devices or desktop computers to access OFFICIAL: Sensitive or PROTECTED systems or data are prevented from storing classified data on their privately-owned mobile devices and desktop computers.

Why it matters

Classified data stored on personal devices is at risk of exposure through theft, loss, or a cyberattack, potentially leading to significant data breaches.


Operational notes

Regularly update and enforce policies so that employees do not store sensitive data on their personal devices, even unintentionally. Stay vigilant in monitoring.


Implementation tips

  • System owners should classify which information is considered sensitive or protected. Identify and catalogue all data that should not be stored on personal devices, working with your IT team to define these categories clearly.
  • The IT team should configure systems to ensure data cannot be downloaded onto personal devices. This can be done by setting up network restrictions and permissions that block file downloads or copies onto unauthorised devices.
  • Managers should communicate this policy to all staff. They can do this by holding regular training sessions to explain why this rule exists and making sure employees understand the consequences of breaching this control.
  • Procurement officers should ensure that company devices meet security standards. They should collaborate with IT to buy devices that have secure storage options and adhere to Australian Cyber Security Centre (ACSC) guidelines.
  • The HR team should update employee contracts and policies. Write clear sections within employee handbooks and agreements explaining the restrictions on data storage, and ensure each employee signs these updated agreements.

Audit / evidence tips

  • Ask: The list of classified information types. Request documentation from the IT team that defines what data is considered sensitive or protected.
  • Ask: Policy distribution records. Request evidence that the policy prohibiting storage on personal devices has been shared with staff.
  • Ask: To see device configuration settings. Request a demonstration from the IT team on how devices are set up to prevent data downloads. Good: Demonstration will show active blocks on downloading or copying sensitive files.
  • Ask: Procurement checklists. Request documents used by procurement to ensure new company devices meet security standards.
  • Ask: Updated employee contracts. Request to view the contracts or employee handbook sections where this rule is explained. Good: Contract clearly states these expectations and potential consequences for breaches.

Cross-framework mappings

How ISM-1866 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.1: ISM-1866 requires personnel on privately-owned mobile devices or desktop computers to be prevented from storing classified data locally

Partially overlaps (1)

  • Annex A 6.7: ISM-1866 requires organisations to prevent personnel using privately-owned devices from storing classified data from OFFICIAL: Sensitive ...

Related (1)

  • Annex A 8.12: Annex A 8.12 requires data leakage prevention measures to be applied to devices and systems handling sensitive information

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
