ISM-1990, ASD Information Security Manual (ISM)

Enforcing Separation of Mobile Apps and Data

Ensure that work and personal apps and data are kept separate on mobile devices.


Plain language

This control ensures that work and personal apps and data stay separate on mobile devices to protect sensitive company information. Without this separation, there is a risk of accidentally sharing business data with personal apps, which could lead to data leaks or breaches.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Mar 2026

Control Stack last updated

24 Mar 2026

E8 maturity levels

N/A

Official control statement

When using ML-DSA and ML-KEM, as per FIPS 204 and FIPS 203 respectively, adherence to pre-requisite FIPS 140-3 validation is preferred.
ASD Information Security Manual (ISM), ISM-1990

Why it matters

If apps and data are not kept separate, corporate data could leak from employees' mobile devices, leading to breaches that affect business confidentiality.


Operational notes

Regularly review and update mobile device policies to adapt to new threats and technologies, ensuring continuous data protection.


Implementation tips

  • The IT team should stay informed about the latest FIPS publications. They can subscribe to updates from the National Institute of Standards and Technology (NIST) to ensure they apply the most current cryptographic methods.
  • System owners should inventory all systems using cryptographic methods. They should work with the IT team to classify each system and identify which ones need to adopt ML-DSA or ML-KEM based on FIPS 204 and FIPS 203.
  • Managers should schedule periodic training for relevant staff. Invite experts to explain how post-quantum cryptography works and why it's important. This helps ensure compliance and understanding across the organisation.
  • Procurement officers should check that any new systems or software support the recommended FIPS cryptographic methods. They can ask vendors for documentation demonstrating compliance with FIPS 203 and FIPS 204.
  • The security team should test cryptographic implementations regularly. They should run simulations to ensure the cryptographic update works as expected and does not disrupt other systems.

Audit / evidence tips

  • Ask for reports on cryptographic methods used: Request a document showing which cryptographic methods are currently deployed and how they align with FIPS 203 and FIPS 204.

    Good: Documentation showing updated cryptographic methods compliant with recommendations.

  • Ask to see the cryptographic system inventory: Check that the list includes systems with details on which cryptographic standards they use.

    Good: An inventory showing all systems and confirmation that ML-DSA or ML-KEM is applied where required.

  • Good: Records showing that relevant staff have attended training sessions on post-quantum cryptography and its importance.

  • Ask for details on vendor compliance checks: Review procurement records to see if current and future vendors support the necessary FIPS standards.

    Good: Procurement documentation showing that vendors comply with and support the implementation of FIPS cryptographic methods.

  • Good: Testing logs that show successful implementation of cryptographic updates without impacting system operations.


Cross-framework mappings

How ISM-1990 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

Control | Notes
Annex A 8.24 | ISM-1990 requires that when implementing ML-DSA and ML-KEM, organisations should also follow the pre-requisite FIPS publications referenc...

E8

Supports (3)

Control | Notes
E8-RA-ML1.5 | ISM-1990 requires organisations to keep work and personal apps and data separated on mobile devices to reduce data leakage and cross-cont...
E8-RA-ML1.6 | ISM-1990 addresses segregation of work and personal apps/data on mobile devices to prevent inappropriate access or data mixing
E8-RA-ML1.7 | ISM-1990 requires separation between work and personal apps and data on mobile devices to limit data leakage pathways

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
