Advise Staff to Limit Posting Work Skills Online
Advise staff to limit posting their work-related skills and experience on unauthorised online services, and to report cases where such information is posted.
Plain language
This control is about telling your staff not to share too much about their work-related skills and experience on online services your organisation has not approved, such as personal social media or job-listing sites. The concern is that attackers study these posts to work out who does what in your organisation and then target them with scams or social engineering. Staff should also let someone know if they spot this kind of information already posted online.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
June 2026
Control Stack last updated
18 June 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
Personnel are advised to limit posting information about their work-related skills and experience on unauthorised online services, and to report cases where such information is posted.
Why it matters
Over-shared work details on public online services let attackers identify key staff and craft targeted scams or social engineering, increasing the chance of a successful breach.
Operational notes
Repeat this advice regularly through onboarding and refreshers, and keep the reporting channel simple and visible so staff actually use it when they spot exposed information.
Implementation tips
- The person responsible for security awareness should add a clear rule to the staff handbook or acceptable use policy stating that personnel must limit how much work-related skill and experience detail they post on online services the organisation has not authorised.
- Managers should explain to their teams, in plain terms, why this matters: attackers read public profiles and posts to identify who holds sensitive roles and then craft targeted scams, so over-sharing job details creates a real risk.
- Whoever runs staff onboarding should cover this advice when new starters join, giving practical examples such as keeping detailed descriptions of internal systems, projects, or security tools out of public profiles and posts.
- The security or IT contact should set up a simple, well-publicised way for staff to report when they find work-related information posted on unauthorised online services, for example an email address or a line in the incident reporting form.
- The security awareness lead should reinforce the message periodically through reminders, posters, or short refresher sessions, rather than relying on a single one-off briefing that staff soon forget.
Audit / evidence tips
- Ask: to see the policy or guidance that advises personnel to limit posting work-related skills and experience on unauthorised online services. Look at: whether it is written down and accessible to staff. Good: a current policy or handbook section that states this advice clearly and explains why.
- Ask: how staff are made aware of this advice. Look at: onboarding materials, awareness training content, or reminder communications. Good: shows the advice is delivered to everyone and repeated over time, not buried in a document no one reads.
- Ask: what process exists for staff to report cases where such information has been posted online. Look at: the reporting channel, such as an email address, form, or helpdesk option. Good: a simple, known route that staff can actually use and point to.
- Ask: for examples of reports that have been received and what happened next. Look at: records showing the report was logged and acted on. Good: demonstrates the reporting channel is genuinely used and followed up, not just theoretical.
- Ask: how the organisation checks that staff understand the advice. Look at: training completion records, quiz results, or acknowledgement sign-offs. Good: shows measurable evidence that personnel have received and accepted the guidance.
Cross-framework mappings
How ISM-2106 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.10 | ISM-2106 requires advising staff not to disclose work skills/experience on unauthorised online services and to report when it occurs | |
| Annex A 6.3 | ISM-2106 requires personnel to be advised to limit posting work-related skills and experience on unauthorised online services and to repo... | |
| Partially overlaps (1) | | |
| Annex A 5.26 | ISM-2106 requires staff to report cases where work-related skills and experience are posted on unauthorised online services | |
| Supports (1) | | |
| Annex A 5.1 | ISM-2106 requires personnel to be advised to limit posting work-related skills and experience on unauthorised online services and to repo... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.