ISM-1990 ASD Information Security Manual (ISM)

Enforcing Separation of Mobile Apps and Data

Ensure that work and personal apps and data are kept separate on mobile devices.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Proactive

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Mar 2026

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
When using ML-DSA and ML-KEM, as per FIPS 204 and FIPS 203 respectively, adherence to pre-requisite FIPS 140-3 validation is preferred.

Source: ASD Information Security Manual (ISM)

Plain language

This control ensures that work and personal apps and data stay separate on mobile devices to protect sensitive company information. Without this separation, there is a risk of accidentally sharing business data with personal apps, which could lead to data leaks or breaches.

Why it matters

If apps and data are not kept separate, corporate data can leak from employees' mobile devices, leading to breaches that affect business confidentiality.

Operational notes

Regularly review and update mobile device policies to adapt to new threats and technologies, ensuring continuous data protection.

Implementation tips

  • The IT team should stay informed about the latest FIPS publications. They can subscribe to updates from the National Institute of Standards and Technology (NIST) to ensure they apply the most current cryptographic methods.
  • System owners should inventory all systems using cryptographic methods. They should work with the IT team to classify each system and identify which ones need to adopt ML-DSA or ML-KEM based on FIPS 204 and FIPS 203.
  • Managers should schedule periodic training for relevant staff. Invite experts to explain how post-quantum cryptography works and why it's important. This helps ensure compliance and understanding across the organisation.
  • Procurement officers should check that any new systems or software support the recommended FIPS cryptographic methods. They can ask vendors for documentation demonstrating compliance with FIPS 203 and FIPS 204.
  • The security team should test cryptographic implementations regularly. They should run simulations to ensure the cryptographic update works as expected and does not disrupt other systems.

Audit / evidence tips

  • Ask: for reports on the cryptographic methods used. Request a document showing which cryptographic methods are currently deployed and how they align with FIPS 203 and FIPS 204.

    Good: documentation showing updated cryptographic methods compliant with recommendations

  • Ask: to see the cryptographic system inventory. Check that the list includes systems with details on which cryptographic standards they use.

    Good: An inventory showing all systems and confirmation that ML-DSA or ML-KEM is applied where required

  • Good: Records showing that relevant staff have attended training sessions on post-quantum cryptography and its importance

  • Ask: for details on vendor compliance checks. Review procurement records to see if current and future vendors support the necessary FIPS standards.

    Good: Procurement documentation showing that vendors comply with and support the implementation of FIPS cryptographic methods

  • Good: Testing logs that show successful implementation of cryptographic updates without impacting system operations

Cross-framework mappings

How ISM-1990 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.24 ISM-1990 requires that when implementing ML-DSA and ML-KEM, organisations should also follow the pre-requisite FIPS publications referenc...

E8

Control Notes Details
Supports (3)
E8-RA-ML1.5 ISM-1990 requires organisations to keep work and personal apps and data separated on mobile devices to reduce data leakage and cross-cont...
E8-RA-ML1.6 ISM-1990 addresses segregation of work and personal apps/data on mobile devices to prevent inappropriate access or data mixing
E8-RA-ML1.7 ISM-1990 requires separation between work and personal apps and data on mobile devices to limit data leakage pathways
