ISM-1888 ASD Information Security Manual (ISM)

Ensure Mobile Devices Have Secure Lock Screens

Mobile devices must have secure password-protected screens to prevent unauthorized access.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Mar 2026

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
Mobile devices are configured with secure password-based lock screens.

Source: ASD Information Security Manual (ISM)

Plain language

Having a secure password on your phone's lock screen makes sure that if you lose it or it's stolen, strangers can't easily access your personal or work information. Without this, someone could quickly get into your emails, banking apps, and sensitive company data, leading to identity theft or financial loss.

Why it matters

Without secure lock screens, company data is at risk if devices are lost or stolen, potentially leading to data breaches or financial damages.

Operational notes

Regularly remind employees to update their devices' software to fix security issues, and periodically review compliance with password policies.

Implementation tips

  • The IT team should configure mobile devices so that a secure lock screen is mandatory. They can do this by setting device policies through mobile device management software to ensure all organisational devices require a password, PIN, or biometric lock before access.
  • Managers should educate staff about the importance of setting up a strong lock screen. Hold short training sessions showing employees how to set their lock screens using settings on their devices and encourage the use of unique passwords or reliable biometrics like finger scans.
  • Procurement should ensure that any new mobile devices bought for the organisation can accommodate robust lock screen features. When acquiring new phones, check that they support multiple lock options like face recognition or fingerprint scanning.
  • System owners should periodically review that device policies requiring lock screens are still in place and effective. Schedule a monthly check-in to verify policies are applied correctly and update them as necessary.
  • HR should incorporate mobile security practices including lock screen usage into employee onboarding and exit processes. Ensure that every new staff member is briefed on lock screen settings, and confirm deactivation of lock screen policies when devices are returned by departing employees.

Audit / evidence tips

  • Ask for the organisation's mobile device security policy: request a copy from the IT department

    Good: Policy clearly states that all devices must have a password, PIN, or biometric lock screen configured

  • Ask for a device configuration report: request a report showing current configuration settings from the mobile device management software

    Good: Report shows all devices in compliance with secure lock screen configuration

  • Ask for training attendance records: request documentation showing staff participation in mobile device security training

    Good: Recent records show high attendance by staff, indicating awareness of lock screen importance

  • Ask for procurement checklists for new devices: request documentation of purchasing criteria, specifically for mobile devices

    Good: Checklist includes secure lock screen capabilities as a required feature for purchasing decisions

  • Ask for onboarding documentation: request the onboarding checklist or process from HR

    Good: Checklist includes steps for configuring a secure lock screen as part of onboarding

Cross-framework mappings

How ISM-1888 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 8.1: ISM-1888 focuses on one specific endpoint protection measure: enforcing secure lock screens on mobile devices
  • Annex A 8.3: ISM-1888 requires mobile devices to be configured with secure password-based lock screens to prevent unauthorised access if a device is u...

Supports (2)

  • Annex A 7.7: Annex A 7.7 mandates clear screen policies to ensure unattended information processing facilities do not display sensitive information
  • Annex A 8.9: ISM-1888 requires a specific security configuration on mobile devices: secure lock screens
