Prevent Connection of Mobile Devices to Infotainment
Do not link mobile phones to car infotainment systems.
Plain language
This control stops mobile phones from connecting to car infotainment systems. If phones are connected, sensitive data could be accessed by hackers if a car's system is not secure. It’s important because it helps protect personal and business data from being compromised while driving.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Mar 2026
Control Stack last updated
24 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Mobile device usage
Official control statement
Mobile devices are not connected to the infotainment systems of connected vehicles.
Why it matters
Failing to prevent mobile connections to car infotainment systems increases the risk of unauthorised access to sensitive information.
Operational notes
Regularly communicate and reinforce policy to prevent employees from connecting devices to vehicles, ensuring ongoing compliance and security.
Implementation tips
- IT teams should configure MDM policies to prevent organisational mobile devices from pairing with vehicle infotainment systems. On iOS this can be enforced via supervised mode restricting CarPlay; on Android, MDM profiles can block specific Bluetooth device classes (audio/video).
- Fleet managers should ensure company vehicles have their infotainment pairing history cleared and, where possible, disable the ability to pair new devices. Document which vehicles have been configured and maintain a review schedule.
- Managers should create a clear policy stating organisational mobile devices must not be connected to vehicle infotainment systems via Bluetooth, USB, or wireless projection (CarPlay/Android Auto). Communicate this through team meetings and written guidance.
- HR should include connected vehicle risks in security awareness training, explaining how infotainment systems can sync contacts, messages, and call history from paired devices — creating a data leakage path that persists after the device is disconnected.
- Security teams should periodically audit vehicle infotainment systems for evidence of organisational device pairings. Check paired device lists in company fleet vehicles and document findings, escalating any policy violations for remediation.
Audit / evidence tips
- Ask for the policy document outlining mobile device restrictions in vehicles. Review it to confirm it specifically mentions disabling infotainment connections. Good evidence includes a dated policy with management approval.
- Look at session dates, attendance, and topics covered, such as risks of mobile connections to cars. Good records should be up-to-date and comprehensive.
- Ask the fleet manager for the vehicle checklist that includes infotainment security settings. Ensure that items like Bluetooth and USB connection restrictions are included. Good documentation should be detailed and regularly updated.
- Look at a log of inspections or a checklist verifying that infotainment settings are secure. A well-maintained log shows regular, consistent checks.
- Ask for meeting minutes from team discussions on the policy. Check for notes that mention mobile device policies and specific actions taken for enforcement. Good meeting records should indicate active involvement and adherence to the policy.
Cross-framework mappings
How ISM-2099 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
No cross-framework mappings recorded yet.