Implement Remote Locate and Wipe for Mobile Security
Mobile devices should be set up to be located and wiped remotely to ensure security.
Plain language
This control ensures that mobile devices are set up so they can be located or wiped clean remotely if they are lost or stolen. This is crucial because if a device with sensitive information falls into the wrong hands, it could lead to data breaches, loss of privacy, or financial harm. By enabling remote wipe and location tracking, you can protect against these risks by locking down devices immediately.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobilitySection
Mobile device managementOfficial control statement
Mobile devices are configured with remote locate and wipe functionality.
Why it matters
If remote locate/wipe is not enabled, a lost or stolen mobile can leak sensitive data and increase breach and compliance risk.
Operational notes
Periodically validate remote locate and wipe works (including offline/MDM-triggered wipe) and confirm location services are enabled per device policy.
Implementation tips
- IT team should configure devices: Ensure every mobile device used for work is registered with the company’s mobile device management system. This involves enrolling the device in software that allows you to track it and erase its data if necessary.
- Office manager to maintain an inventory: Keep an updated list of all mobile devices in use, including who uses them and their current status. Regularly review and verify that each device is properly registered for remote tracking and wiping.
- Procurement staff should choose compatible devices: Ensure any new mobile phones or tablets purchased can support remote locate and wipe features. This means checking with suppliers or the manufacturer for these capabilities before buying.
- System owner to review settings: Periodically check that remote locate and wipe functions are correctly set up on each device. This involves testing the functionalities to confirm they work as expected and making updates if needed.
- HR to educate employees: Conduct training sessions for staff on the importance of mobile security and what to do if their device is lost or stolen. Provide them with simple guides on initiating a remote wipe via the company's software.
Audit / evidence tips
-
Askthe mobile device inventory list: Verify that there is a document listing all mobile devices in use and check that each is linked to the management system
Goodis a comprehensive, updated list showing successful registration of devices
-
Gooddemonstration shows the device being wiped and then restored to a clean state
-
Askrecords of recent device wipe incidents: Review reports showing when devices were remotely wiped and why
Goodreport includes incident details, times, and confirmation emails of wipe actions
-
Goodpolicy outlines steps taken in case of loss or theft
-
Askthe employee training records: Verify that staff have been trained on mobile security, focusing on device loss protocols
Goodrecord shows regular sessions with comprehensive content on remote wipe procedures
Cross-framework mappings
How ISM-1887 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 6.7 | ISM-1887 requires mobile devices to be configured with remote locate and remote wipe functionality to reduce risk from loss or theft | |
| Annex A 8.9 | ISM-1887 requires a particular security configuration on mobile devices: remote locate and wipe must be enabled and usable | |
| link Related (1) expand_less | ||
| Annex A 8.1 | Annex A 8.1 requires protecting information stored on and accessible via endpoint devices, particularly against loss or theft | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.