Skip to content
Control Stack logo Control Stack
ISM-2098 ASD Information Security Manual (ISM)

Prevent Data Transfer Over USB on Mobile Devices

Mobile devices must be set to stop data from being transferred via USB connections.

Preventative Non-classified OFFICIAL: Sensitive PROTECTED SECRET TOP SECRET ASD Information Security ManualGuidelines for enterprise mobilityonsite behaviourMarch 2026 ISM Update

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Mar 2026

✏️ Control Stack last updated

23 Mar 2026

🎯 E8 maturity levels

N/A

Guideline

Guidelines for enterprise mobility

Section

Mobile Device Security

Topic

Maintaining Mobile Device Security
Official control statement
Mobile devices are configured to prevent data transfers over Universal Serial Bus connections.

Source: ASD Information Security Manual (ISM)

Plain language

This control means setting up mobile devices so that no data can be transferred through USB connections. It's important because if a device is lost or stolen, sensitive data could be easily accessed through USB ports, risking privacy breaches and data theft.

Why it matters

If USB data transfers are not restricted, stolen or lost mobile devices could result in sensitive data breaches and privacy violations.

Operational notes

Regularly review and update device settings to ensure ongoing compliance with USB data transfer restrictions, reflecting any policy changes.

Implementation tips

  • IT teams should enforce USB data transfer restrictions via MDM (Mobile Device Management) profiles pushed to all organisational mobile devices. Configure the USB policy to 'charge only' mode so users cannot override the setting locally.
  • Network administrators should block USB debugging and file transfer protocols at the MDM policy level for both Android (MTP/PTP disabled) and iOS (supervised mode with USB restricted mode enabled). Test on sample devices to confirm data transfer is blocked.
  • IT teams should set up MDM compliance checks that flag any device where USB data transfer is not in 'charge only' mode. Non-compliant devices should be automatically quarantined from accessing organisational resources until remediated.
  • Security teams should periodically test the USB restriction by attempting to transfer files from a sample device via USB cable to a computer. Document test results and remediate any bypass methods discovered.
  • System owners should ensure the USB restriction policy covers all device types in the fleet (iOS, Android, and any ruggedised devices). Review the policy when new device models are introduced to confirm MDM profiles enforce the restriction correctly.

Audit / evidence tips

  • Ask: the mobile device security policy: Request documentation that outlines the USB data transfer restrictions

    Look at: specific guidelines that mandate USB restriction settings on all mobile devices

    Good: is a clear, detailed policy document with USB restrictions included

  • Ask: to see the configuration records: Request a log or report showing USB settings on mobile devices. Check the records to confirm that USB data transfer is disabled on all listed devices

    Good: will show all devices with USB data transfer settings configured as 'off'

  • Ask: a demonstration: Request to be shown how USB settings are disabled on a sample device. Check the actual device settings to verify USB data transfer is set to charge only

    Good: is a real-time demonstration clearly showing these settings on the device

  • Ask: training materials: Request the materials used to train staff on this control

    Look at: content highlighting the risks of USB data transfer and correct settings guidance

    Good: includes clear, relevant training content with a focus on USB risks

  • Ask: employee acknowledgements: Request records showing employee acknowledgment of USB data transfer policies. Check for signatures or checkboxes indicating understanding of and compliance with the policy

    Good: includes acknowledgments from all relevant employees, stored securely

Cross-framework mappings

How ISM-2098 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially meets (2)
Annex A 5.14 ISM-2098 requires mobile devices to be configured so data cannot be transferred over USB connections
Annex A 5.15 ISM-2098 requires mobile devices to be configured so data cannot be transferred over USB connections
Supports (1)
Annex A 6.7 ISM-2098 requires mobile devices to be configured so data cannot be transferred over USB connections

Mapping detail

Mapping

Direction

Controls