ISM-2105 (policy control, ASD Information Security Manual (ISM))

Advise Staff to Limit Posting Work Information on Unauthorised Online Services

Staff are told to limit posting information about their work duties on unauthorised online services and to report any cases where such information is posted.


Plain language

This control is about getting your people to be careful what they say about their job on websites, apps and social media that your organisation has not approved (called unauthorised online services). Details about your work, projects or systems can be pieced together by criminals or competitors to target your organisation. So staff should keep work information off these services, and tell someone if they spot work information that has been posted.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

June 2026

Control Stack last updated

18 June 2026

E8 maturity levels

N/A

Official control statement

Personnel are advised to limit posting information about their work-related duties on unauthorised online services, and to report cases where such information is posted.

Why it matters

If staff freely post work details on unapproved sites, attackers can harvest those details to impersonate people, craft convincing scams, or target the organisation's systems.


Operational notes

Keep the advice and reporting route fresh by repeating it at least yearly and before high-exposure events, and review reported cases to spot recurring oversharing habits.


Implementation tips

  • The owner or manager writes a short, plain-English rule stating that staff must not post information about their work duties on online services the organisation has not approved, and lists common examples such as social media, forums and personal blogs.
  • The person running staff induction explains the rule to every new starter and to existing staff at least once a year, using real examples of what is and is not safe to post about their job.
  • Whoever handles staff communications sets up a simple, well-known way to report posted work information (for example one email address or a contact person) and tells everyone how to use it.
  • A nominated person keeps a brief record of any reports received, what work information was posted and where, and what was done to have it removed or contained.
  • The manager periodically reminds staff of the rule, especially before and during high-risk periods such as a major project, a tender, or a public announcement, so the message stays front of mind.

Audit / evidence tips

  • Ask: to see the written guidance or policy that advises staff to limit posting work-related information on unauthorised online services. Look at: whether it clearly names the behaviour expected and gives examples. Good: a current, signed-off document that staff can easily find and understand.
  • Ask: how and when staff are made aware of this advice. Look at: induction materials, training slides or intranet notices and their dates. Good: the advice is delivered at onboarding and refreshed regularly, with records of who received it.
  • Ask: what the reporting process is when work information is found posted online. Look at: the named contact, email address or form used to report it. Good: a single, simple route that every staff member can describe without hesitation.
  • Ask: for the log or record of reported cases over the last 12 months. Look at: whether reports were captured, assessed and acted on. Good: entries with dates, what was posted, and the follow-up action taken (even if the answer is 'no reports', staff can still explain how they would report).
  • Ask: staff directly what they would do if they saw a colleague post details about a current project online. Look at: whether their answer matches the policy. Good: they know not to post such information themselves and know exactly who to tell.

Cross-framework mappings

How ISM-2105 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (4)

  • Annex A 5.1: ISM-2105 requires a specific piece of personnel guidance about not posting work-duty information on unauthorised services and reporting o...
  • Annex A 5.4: ISM-2105 requires that personnel are advised about specific secure behaviour regarding posting work information to unauthorised online se...
  • Annex A 5.10: ISM-2105 requires personnel to limit posting information about their work-related duties on unauthorised online services and to report wh...
  • Annex A 6.3: ISM-2105 requires personnel to be advised to limit posting work-related duties on unauthorised online services and to report cases where ...

Partially overlaps (1)

  • Annex A 6.8: ISM-2105 requires personnel to report cases where work-related duty information is posted on unauthorised online services.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
