ISM-2097 policy ASD Information Security Manual (ISM)

Configure Mobile Devices with Always On VPN

Ensure mobile devices have a VPN that is always active to protect data.


Plain language

Always On VPN means that your mobile devices are always connected to a secure network, even if you're on public Wi-Fi. This prevents hackers from stealing your information, protecting your business data wherever you and your team are.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Mar 2026

Control Stack last updated

24 Mar 2026

E8 maturity levels

N/A

Official control statement

Mobile devices are configured with always on VPN functionality.

Why it matters

Without an always-on VPN, sensitive company data can be intercepted on public networks, leading to data breaches or financial loss.


Operational notes

Regularly review VPN logs and ensure the app updates automatically on all devices to maintain security. Stay informed on emerging VPN vulnerabilities.


Implementation tips

  • IT teams should deploy always-on VPN profiles via MDM (Mobile Device Management) to all organisational mobile devices. Configure the VPN to activate automatically at device boot and prevent users from disabling it.
  • Network administrators should configure split tunnelling policies carefully — for sensitive environments, route all traffic through the VPN. Test connectivity to ensure business apps function correctly through the tunnel.
  • IT teams should set up automated monitoring and alerting for VPN connection drops. Use MDM compliance policies to flag devices where the VPN is not running and quarantine non-compliant devices from accessing organisational resources.
  • System owners should establish a process for VPN certificate/credential rotation and ensure devices receive updated profiles automatically. Plan for VPN gateway redundancy so a single point of failure doesn't disconnect the fleet.
  • Security teams should regularly test the always-on VPN enforcement by attempting to access the internet or organisational resources with the VPN disabled. Document test results and remediate any bypass methods found.

Audit / evidence tips

  • Ask: the MDM configuration profile. Request the VPN profile deployed to mobile devices. Look at: 'always-on' or 'connect on demand' rules that activate at boot and cannot be user-disabled. Good: shows the VPN is enforced at the profile level, not optional.
  • Ask: VPN connection logs. Request logs from the VPN gateway showing device connections. Look at: consistent, uninterrupted sessions during device usage periods. Good: shows devices maintaining VPN connections whenever active, with no extended gaps.
  • Ask: MDM compliance reports. Request device compliance status showing VPN enforcement. Look at: the percentage of devices with the VPN profile active and any non-compliant devices flagged. Good: shows near-100% compliance with remediation actions for exceptions.
  • Ask: a live device demonstration. Request a walkthrough on a sample device showing the VPN activates automatically and cannot be turned off by the user. Good: shows the VPN connected on boot with the toggle greyed out or hidden.
  • Ask: the VPN failover and redundancy plan. Request documentation showing how VPN availability is maintained. Look at: multiple VPN gateways, automatic failover, and monitoring alerts. Good: shows redundancy measures that prevent devices from falling off VPN due to gateway issues.
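The monitoring tip above (alerting on VPN connection drops and flagging devices where the VPN is not running) and the 'VPN connection logs' evidence tip both come down to the same check: are there extended gaps in a device's VPN session history, and are there enrolled devices that never connect at all? The script below is an added example, not code from the Control Stack page or from the ISM; the CSV session format, the device names, the enrolment list and the 5-minute gap threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of VPN gateway session records (not real log data).
# Fields: device_id, session_start, session_end (ISO 8601, assumed format).
SAMPLE_LOG = """\
device-001,2026-03-24T08:00:00,2026-03-24T12:00:00
device-001,2026-03-24T12:00:30,2026-03-24T17:30:00
device-002,2026-03-24T08:05:00,2026-03-24T09:00:00
device-002,2026-03-24T11:45:00,2026-03-24T17:00:00
device-003,2026-03-24T08:00:00,2026-03-24T17:00:00
"""

# Devices the MDM reports as enrolled (constructed); device-004 never connected.
ENROLLED_DEVICES = {"device-001", "device-002", "device-003", "device-004"}

def parse_sessions(text):
    """Group (start, end) session tuples by device, sorted by start time."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        dev, start, end = line.split(",")
        sessions.setdefault(dev, []).append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end)))
    for spans in sessions.values():
        spans.sort()
    return sessions

def find_gaps(sessions, max_gap=timedelta(minutes=5)):
    """Return {device: [(gap_start, gap_end), ...]} for gaps longer than max_gap."""
    gaps = {}
    for dev, spans in sessions.items():
        covered_until = None  # latest session end seen so far; merges overlaps
        for start, end in spans:
            if covered_until is not None and start - covered_until > max_gap:
                gaps.setdefault(dev, []).append((covered_until, start))
            covered_until = end if covered_until is None else max(covered_until, end)
    return gaps

def non_compliant(enrolled, sessions, max_gap=timedelta(minutes=5)):
    """Enrolled devices with no VPN sessions at all, plus devices with a long gap."""
    never_seen = set(enrolled) - set(sessions)
    return sorted(never_seen | set(find_gaps(sessions, max_gap)))

if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for dev, spans in find_gaps(found).items():
        print(dev, [f"{a:%H:%M}-{b:%H:%M}" for a, b in spans])
    print("Non-compliant:", non_compliant(ENROLLED_DEVICES, found))
```

A short reconnect (device-001's 30-second break) stays under the threshold, while device-002's 2h45m gap and the never-connected device-004 are the ones an MDM compliance policy would quarantine.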

Cross-framework mappings

How ISM-2097 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 8.1: ISM-2097 requires mobile devices to use always on VPN to reduce exposure of data and sessions when devices use untrusted networks
  • Annex A 8.20: ISM-2097 requires mobile devices to be configured with always on VPN so their network traffic is protected in transit regardless of the n...

Supports (1)
  • Annex A 5.15: ISM-2097 requires always on VPN on mobile devices to enforce a protected and controlled network path back to organisational services

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
