Prevent Data Transfer Over USB on Mobile Devices
Mobile devices must be set to stop data from being transferred via USB connections.
Plain language
This control means setting up mobile devices so that no data can be transferred through USB connections. It's important because if a device is lost or stolen, sensitive data could be easily accessed through USB ports, risking privacy breaches and data theft.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Mar 2026
Control Stack last updated
24 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Mobile device management
Official control statement
Mobile devices are configured to prevent data transfers over Universal Serial Bus connections.
Why it matters
If USB data transfers are not restricted, stolen or lost mobile devices could result in sensitive data breaches and privacy violations.
Operational notes
Regularly review and update device settings to ensure ongoing compliance with USB data transfer restrictions, reflecting any policy changes.
Implementation tips
- IT teams should enforce USB data transfer restrictions via MDM (Mobile Device Management) profiles pushed to all organisational mobile devices. Configure the USB policy to 'charge only' mode so users cannot override the setting locally.
- Network administrators should block USB debugging and file transfer protocols at the MDM policy level for both Android (MTP/PTP disabled) and iOS (supervised mode with USB restricted mode enabled). Test on sample devices to confirm data transfer is blocked.
- IT teams should set up MDM compliance checks that flag any device where USB data transfer is not in 'charge only' mode. Non-compliant devices should be automatically quarantined from accessing organisational resources until remediated.
- Security teams should periodically test the USB restriction by attempting to transfer files from a sample device via USB cable to a computer. Document test results and remediate any bypass methods discovered.
- System owners should ensure the USB restriction policy covers all device types in the fleet (iOS, Android, and any ruggedised devices). Review the policy when new device models are introduced to confirm MDM profiles enforce the restriction correctly.
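The compliance check described in the tips above, sketched as an added example (not part of the original page or of any MDM product). The inventory records and every field name (`usb_mode`, `usb_debugging`, `supervised`, `usb_restricted_mode`) are hypothetical normalised fields, not a vendor export schema; missing values and platforms without a rule are treated as non-compliant so the check fails closed.

```python
# Added example: fail-closed USB compliance check over a constructed inventory.
# Field names are hypothetical normalised fields, not any MDM vendor's schema.

CHARGE_ONLY = "charge_only"

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"id": "dev-001", "platform": "android", "usb_mode": "charge_only", "usb_debugging": False},
    {"id": "dev-002", "platform": "android", "usb_mode": "mtp", "usb_debugging": False},
    {"id": "dev-003", "platform": "android", "usb_mode": "charge_only", "usb_debugging": True},
    {"id": "dev-004", "platform": "ios", "supervised": True, "usb_restricted_mode": True},
    {"id": "dev-005", "platform": "ios", "supervised": False, "usb_restricted_mode": True},
    {"id": "dev-006", "platform": "android", "usb_debugging": False},  # usb_mode not reported
    {"id": "dev-007", "platform": "rugged-os", "usb_mode": "charge_only"},  # no rule for platform
]

def check_android(d):
    reasons = []
    if d.get("usb_mode") != CHARGE_ONLY:
        reasons.append(f"usb_mode is {d.get('usb_mode', 'unreported')}, expected {CHARGE_ONLY}")
    if d.get("usb_debugging") is not False:  # True or missing both fail
        reasons.append("USB debugging enabled or unreported")
    return reasons

def check_ios(d):
    reasons = []
    if d.get("supervised") is not True:
        reasons.append("device not supervised")
    if d.get("usb_restricted_mode") is not True:
        reasons.append("USB restricted mode disabled or unreported")
    return reasons

CHECKS = {"android": check_android, "ios": check_ios}

def evaluate(inventory):
    """Return {device_id: [reasons]} for every device that should be quarantined."""
    findings = {}
    for d in inventory:
        check = CHECKS.get(d.get("platform"))
        # A platform with no rule is flagged rather than silently passed.
        reasons = check(d) if check else [f"no USB rule for platform {d.get('platform')!r}"]
        if reasons:
            findings[d["id"]] = reasons
    return findings

if __name__ == "__main__":
    for dev, reasons in evaluate(INVENTORY).items():
        print(f"QUARANTINE {dev}: " + "; ".join(reasons))
```

The unknown-platform branch is what surfaces a newly introduced device model that no profile covers yet.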
Audit / evidence tips
- Ask for the mobile device security policy: Request documentation that outlines the USB data transfer restrictions. Look at specific guidelines that mandate USB restriction settings on all mobile devices. Good evidence is a clear, detailed policy document with USB restrictions included.
- Ask to see the configuration records: Request a log or report showing USB settings on mobile devices. Check the records to confirm that USB data transfer is disabled on all listed devices. Good evidence will show all devices with USB data transfer settings configured as 'off'.
- Ask for a demonstration: Request to be shown how USB settings are disabled on a sample device. Check the actual device settings to verify USB data transfer is set to charge only. Good evidence is a real-time demonstration clearly showing these settings on the device.
- Ask for training materials: Request the materials used to train staff on this control. Look at content highlighting the risks of USB data transfer and correct settings guidance. Good evidence includes clear, relevant training content with a focus on USB risks.
- Ask for employee acknowledgements: Request records showing employee acknowledgment of USB data transfer policies. Check for signatures or checkboxes indicating understanding of and compliance with the policy. Good evidence includes acknowledgments from all relevant employees, stored securely.
Cross-framework mappings
How ISM-2098 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.14 | ISM-2098 requires mobile devices to be configured so data cannot be transferred over USB connections | |
| Annex A 5.15 | ISM-2098 requires mobile devices to be configured so data cannot be transferred over USB connections | |
| Supports (1) | | |
| Annex A 6.7 | ISM-2098 requires mobile devices to be configured so data cannot be transferred over USB connections | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.