Do Not Post Security Clearance and Briefing Details Online
Staff are told not to post their security clearance or briefing details on unapproved online services and to report it when such information appears.
Plain language
This control is about keeping details of your security clearance and any security briefings off websites, apps and social media that your organisation has not approved. If someone reveals what level of clearance they hold or what they were briefed on, it can tell outsiders who to target and what secrets your organisation holds. Staff also need to speak up and report it whenever they notice this kind of information has been posted, whether by themselves or someone else.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
June 2026
Control Stack last updated
18 June 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
Personnel are advised not to post information about their security clearance and briefings on unauthorised online services, and to report cases where such information is posted.
Why it matters
If staff post their security clearance or briefing details on unapproved sites, attackers learn who holds sensitive access and what secrets exist, making those staff prime targets for social engineering or espionage.
Operational notes
Reinforce the rule whenever briefings are held and review reported cases periodically to confirm postings are removed and lessons are fed back into awareness training.
Implementation tips
- The security manager should write a short, plain-English rule that states personnel must not post their security clearance level or details of any security briefings on unauthorised online services, and should include this rule in the staff handbook and induction pack.
- The awareness training team should add a specific module showing real examples of what counts as a security clearance or briefing detail (for example posting 'just got my Secret clearance' on a public profile) so staff recognise what they must not share.
- The IT or security team should set up a simple, well-publicised reporting channel (such as a dedicated email address or an item on the helpdesk form) so anyone who spots clearance or briefing information posted online can report it quickly.
- Line managers should remind their teams before and after any security briefing that the content of that briefing must not be discussed or posted on unapproved websites, apps or social media.
- The HR team should have new starters who hold a clearance sign an acknowledgement that they understand they must not post clearance or briefing details online and that they will report any cases they see.
Audit / evidence tips
- Ask: the written policy or staff guidance that tells personnel not to post security clearance and briefing details on unauthorised online services. Look at: whether it names clearance level and briefing content specifically and whether it is easy for staff to find. Good: is a current, approved document that clearly states the rule and where it lives.
- Ask: how staff are made aware of this rule. Look at: induction materials, awareness training slides and any signed acknowledgements. Good: shows the rule is taught with concrete examples and that staff have confirmed they understand it.
- Ask: how someone reports a case where clearance or briefing information has been posted online. Look at: the reporting channel (email address, form or hotline) and whether staff actually know it exists. Good: is a named, monitored channel that staff can describe without hesitation.
- Ask: to see records of any reports that have been made and what happened next. Look at: the log of reported postings and the actions taken to get them removed or escalated. Good: shows reports are captured, acted on promptly and closed out.
- Ask: how the organisation defines an 'unauthorised' online service versus an approved one. Look at: any list of approved platforms or guidance distinguishing the two. Good: makes the boundary clear enough that staff know what is and is not allowed.
Cross-framework mappings
How ISM-2104 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 6.3 | ISM-2104 provides a specific piece of security guidance: do not post security clearance and briefing details online and report if it occurs | |
| Partially overlaps (1) | | |
| Annex A 5.10 | ISM-2104 requires personnel not to post security clearance and briefing details on unauthorised online services and to report when this o... | |
| Supports (1) | | |
| Annex A 5.26 | ISM-2104 directs personnel behaviour to prevent disclosure of security clearance/briefing details and requires reporting when such disclo... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.