ISM-2096 ASD Information Security Manual (ISM)

Separate Organisational and Personal Mobile Data

Ensure mobile devices keep work and personal apps and data separate.


Plain language

This control ensures that work and personal apps and data on mobile devices are kept separate. If you don't do this, sensitive company data can accidentally leak or be accessed by unauthorised users through personal apps.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Mar 2026

Control Stack last updated

24 Mar 2026

E8 maturity levels

N/A

Official control statement

Mobile devices are configured to enforce separation between organisational and personal mobile applications and data.

Why it matters

Mixing work and personal data on mobile devices can lead to data breaches, regulatory violations, and damage to company reputation.


Operational notes

Regularly remind staff to check they are using work apps only within work profiles to maintain security. Frequent verification of MDM settings helps ensure compliance.


Implementation tips

  • Managers should require staff to install a work profile on their mobiles. This is independent from their personal profile, ensuring company apps and data stay separate and secure.
  • IT teams should configure mobile device management (MDM) systems to enforce data separation. This involves setting rules that keep work emails, files, and apps apart from personal ones.
  • System administrators should provide guidelines and support to staff. They can explain how to install and use company-approved apps in the work profile to prevent data sharing with personal apps.
  • HR should inform employees during onboarding about the importance of separating work and personal data on mobiles. They can provide easy-to-follow steps and visual guides.
  • Compliance officers should regularly review device settings to ensure separation rules are applied. They might check settings during routine tech check-ins with staff.

Audit / evidence tips

  • Ask for the mobile management policy documentation. Look to see if it specifies how work and personal data should be kept separate.

    Good: shows clear processes for ensuring data is not shared between profiles.

  • Look at how many devices have work profiles set up compared to total devices.

    Good: a high percentage, indicating effective deployment.

  • Ask for a demonstration of how data separation is enforced on a sample mobile device. Look to see that work and personal apps cannot access each other's data.

    Good: shows total app and data isolation.

  • Look at attendee lists and training materials.

    Good: includes regular training sessions with signed attendance.

  • Ask for compliance or audit records checking the effectiveness of data separation.

    Look at: any findings and remediation actions taken.

    Good: identifies few findings and prompt corrective actions.


Cross-framework mappings

How ISM-2096 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially overlaps (1)
Annex A 6.7 ISM-2096 requires mobile devices to enforce separation between organisational and personal applications and data (e.g

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
