ISM-2096 ASD Information Security Manual (ISM)

Separate Organisational and Personal Mobile Data

Ensure mobile devices keep work and personal apps and data separate.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Mar 2026

✏️ Control Stack last updated

23 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
Mobile devices are configured to enforce separation between organisational and personal mobile applications and data.

Source: ASD Information Security Manual (ISM)

Plain language

This control ensures that work and personal apps and data on mobile devices are kept separate. If you don't do this, sensitive company data can accidentally leak or be accessed by unauthorised users through personal apps.

Why it matters

Mixing work and personal data on mobile devices can lead to data breaches, regulatory violations, and damage to company reputation.

Operational notes

Regularly remind staff to check they are using work apps only within work profiles to maintain security. Frequent verification of MDM settings helps ensure compliance.

Implementation tips

  • Managers should require staff to install a work profile on their mobiles. This is independent from their personal profile, ensuring company apps and data stay separate and secure.
  • IT teams should configure mobile device management (MDM) systems to enforce data separation. This involves setting rules that keep work emails, files, and apps apart from personal ones.
  • System administrators should provide guidelines and support to staff. They can explain how to install and use company-approved apps in the work profile to prevent data sharing with personal apps.
  • HR should inform employees during onboarding about the importance of separating work and personal data on mobiles. They can provide easy-to-follow steps and visual guides.
  • Compliance officers should regularly review device settings to ensure separation rules are applied. They might check settings during routine tech check-ins with staff.

Audit / evidence tips

  • Ask for: the mobile management policy documentation. Look to see whether it specifies how work and personal data should be kept separate.

    Good: shows clear processes for ensuring data is not shared between profiles

  • Look at: how many devices have work profiles set up compared to total devices

    Good: a high percentage, indicating effective deployment

  • Ask for: a demonstration of how data separation is enforced on a sample mobile device. Look to see that work and personal apps cannot access each other's data.

    Good: shows total app and data isolation

  • Look at: attendee lists and training materials

    Good: includes regular training sessions with signed attendance

  • Ask for: compliance or audit records checking the effectiveness of data separation

    Look at: any findings and remediation actions taken

    Good: identifies few findings and prompt corrective actions

Cross-framework mappings

How ISM-2096 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially overlaps (1)
Annex A 6.7 ISM-2096 requires mobile devices to enforce separation between organisational and personal applications and data (e.g
