ISM-1867 | ASD Information Security Manual (ISM)

Use Approved Mobile Platforms for Sensitive Access

Mobile devices must use evaluated platforms for secure access to sensitive systems or data.

Plain language

This control ensures that mobile devices accessing sensitive or protected systems use platforms that meet specific security standards and are configured securely. This is crucial because if these devices aren't secure, confidential information could be exposed, leading to financial loss, reputation damage, or compromised operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

OS, P

ISM last updated

Feb 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Mobile devices that access OFFICIAL: Sensitive or PROTECTED systems or data use mobile platforms that have completed a Common Criteria evaluation against the Protection Profile for Mobile Device Fundamentals, version 3.3 or later, and are operated in accordance with the latest version of their associated ASD security configuration guide.

Why it matters

Using mobile platforms that are not Common Criteria-evaluated, or that are not configured in accordance with ASD guidance, increases the risk of OFFICIAL: Sensitive or PROTECTED data being compromised and of unauthorised access.

Operational notes

Regularly verify devices remain Common Criteria-evaluated (PP MDF v3.3+) and are still aligned to the latest ASD security configuration guide after OS/app updates.

Implementation tips

  • IT team should verify the mobile platforms: Ensure that the mobile devices used in the organisation have been evaluated for security by checking against the Common Criteria certification. They can find this information on the Australian Cyber Security Centre's (ACSC) website.
  • Procurement team should choose compliant devices: When purchasing new mobile devices, check that they meet the required security standards by looking at the manufacturer's documentation and ensuring it mentions a valid Common Criteria certification.
  • IT team should apply security guides: Manage the configuration of mobile devices to align with the latest ASD (Australian Signals Directorate) security configuration guide. This involves adjusting settings to recommended levels to prevent unauthorised access.
  • Managers should establish usage policies: Create clear policies about which mobile devices can be used to access sensitive data, ensuring employees only use approved devices. Communicate this through regular staff meetings and enforce with monitoring.
  • Security team should routinely update device configurations: Periodically review and update the mobile devices' configurations and ensure they adhere to the latest security guides. This might involve checking settings, installing updates, or tweaking configurations as recommended.

Audit / evidence tips

  • Ask: A list of all mobile devices used in the organisation: Request an inventory document that includes details about each device's model and certification status. Good: Shows up-to-date information on every device's certification.
  • Ask: To see the procurement policy: Request the document that outlines how new mobile devices are selected and purchased. Good: Is a policy document that clearly states the security requirements for purchasing mobile devices.
  • Ask: Configuration guides: Request the ASD security configuration guides applied to organisation devices. Good: Includes the most recent guides with dates showing they have been applied recently.
  • Ask: User policy documentation: Request the documented policies that detail how employees can use mobile devices for sensitive access. Good: Is a comprehensive policy handbook available to all employees.
  • Ask: A recent configuration report: Request a report that shows the current security settings of mobile devices in use within the organisation. Good: Includes reports that show full compliance with these standards.

Cross-framework mappings

How ISM-1867 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Related (1)

  • Annex A 8.1: Annex A 8.1 requires organisations to protect information stored on, processed by, or accessible via endpoint devices

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
