Ensure Mobile Devices Have Secure Lock Screens
Mobile devices must have secure password-protected screens to prevent unauthorized access.
Plain language
Having a secure password on your phone's lock screen makes sure that if you lose it or it's stolen, strangers can't easily access your personal or work information. Without this, someone could quickly get into your emails, banking apps, and sensitive company data, leading to identity theft or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Mar 2026
Control Stack last updated
24 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systems
Section
Mobile device management
Official control statement
Mobile devices are configured with secure password-based lock screens.
Why it matters
Without secure lock screens, company data is at risk if devices are lost or stolen, potentially leading to data breaches or financial damages.
Operational notes
Regularly remind employees to update their device's software to fix security issues and review compliance with password policies periodically.
Implementation tips
- The IT team should configure mobile devices so that a secure lock screen is mandatory. They can do this by setting device policies through mobile device management software to ensure all organisational devices require a password, PIN, or biometric lock before access.
- Managers should educate staff about the importance of setting up a strong lock screen. Hold short training sessions showing employees how to set their lock screens using the settings on their devices, and encourage the use of unique passwords or reliable biometrics like fingerprint scans.
- Procurement should ensure that any new mobile devices bought for the organisation can accommodate robust lock screen features. When acquiring new phones, check that they support multiple lock options like face recognition or fingerprint scanning.
- System owners should periodically review that device policies requiring lock screens are still in place and effective. Schedule a monthly check-in to verify policies are applied correctly and update them as necessary.
- HR should incorporate mobile security practices including lock screen usage into employee onboarding and exit processes. Ensure that every new staff member is briefed on lock screen settings, and confirm deactivation of lock screen policies when devices are returned by departing employees.
Audit / evidence tips
- Ask for the organisation's mobile device security policy: request a copy from the IT department.
  Good evidence: the policy clearly states that all devices must have a password, PIN, or biometric lock screen configured.
- Ask for a device configuration report: request a report showing current configuration settings from the mobile device management software.
  Good evidence: the report shows all devices in compliance with the secure lock screen configuration.
- Ask for training attendance records: request documentation showing staff participation in mobile device security training.
  Good evidence: recent records show high attendance by staff, indicating awareness of lock screen importance.
- Ask for procurement checklists for new devices: request documentation of purchasing criteria, specifically for mobile devices.
  Good evidence: the checklist includes secure lock screen capabilities as a required feature for purchasing decisions.
- Ask for onboarding documentation: request the onboarding checklist or process from HR.
  Good evidence: the checklist includes steps for configuring a secure lock screen as part of onboarding.
Cross-framework mappings
How ISM-1888 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.1 | Partially meets | ISM-1888 focuses on one specific endpoint protection measure: enforcing secure lock screens on mobile devices |
| Annex A 8.3 | Partially meets | ISM-1888 requires mobile devices to be configured with secure password-based lock screens to prevent unauthorised access if a device is u... |
| Annex A 7.7 | Supports | Annex A 7.7 mandates clear screen policies to ensure unattended information processing facilities do not display sensitive information |
| Annex A 8.9 | Supports | ISM-1888 requires a specific security configuration on mobile devices: secure lock screens |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.