ISM-2107 (policy control) - ASD Information Security Manual (ISM)

Restrict Personal Information Viewing Online

Encourage personnel to apply the privacy settings available on online services so they control who can view the personal information they post.


Plain language

This control asks your organisation to encourage staff to lock down the privacy settings on the online services they use personally, so that not just anyone can see the personal details they post. It is an awareness measure, not a hard technical rule: the organisation cannot configure someone's personal social media account, so the goal is to make people aware of the settings and motivate them to use them. The reason it matters is that personal details staff share publicly (job title, employer, location, travel, relationships) are exactly what an attacker harvests to craft a convincing spear-phishing message or impersonation aimed at your organisation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

June 2026

Control Stack last updated

19 June 2026

E8 maturity levels

N/A

Official control statement

Personnel are encouraged to use any available privacy settings to restrict who can view personal information they post on online services.

Why it matters

If personnel are not encouraged to restrict who sees their posts, they over-share personal details (role, employer, projects, location, schedule, contacts) on public profiles, handing attackers the raw material to research staff and craft targeted social engineering and spear-phishing against the organisation, as well as convincing impersonation of colleagues.


Operational notes

Because this is an encouragement control, keep the guidance current and easy to act on rather than treating it as a one-off rule: online services change their privacy controls and default visibility frequently, so refresh the advice when major platforms (for example LinkedIn, Facebook, Instagram, X) alter their settings. Fold the message into existing cyber security awareness activity and reinforce it for higher-risk staff such as executives and those whose roles are publicly identifiable. Frame it around the specific over-sharing that aids attackers (employer, role, work location, travel, who they report to) rather than vague "be careful online" wording. Respect that these are personal accounts, so the organisation guides and reminds but does not mandate or audit individual settings.


Implementation tips

  • Add a section to your cyber security awareness training that encourages personnel to restrict who can view the personal information they post, and tie it directly to how over-sharing fuels spear-phishing of the organisation.
  • Produce a short, plain-English quick-reference that walks staff through finding and tightening the audience/visibility settings on the platforms they most use (for example LinkedIn, Facebook, Instagram, X), with the exact menu paths.
  • Give staff a concrete list of details worth keeping private or limited (employer, exact role, work location, travel plans, project names, reporting line, work email and phone) so the encouragement is specific rather than vague.
  • Send periodic reminders through your normal awareness channels (intranet, newsletter, all-staff email) prompting personnel to review and update who can see their posts.
  • Refresh the guidance whenever a major platform changes its privacy controls or default visibility, and republish the quick-reference so the steps stay accurate.
  • Provide tailored, opt-in encouragement for higher-exposure personnel such as executives and public-facing staff, since their personal details are the most valuable to attackers.

Audit / evidence tips

  • Confirm the cyber security awareness material explicitly encourages personnel to use available privacy settings to restrict who can view the personal information they post, and that this maps to the wording of the control.
  • Inspect the platform-specific guidance and confirm it actually shows how to reach and apply the visibility/privacy controls on the services staff commonly use, rather than just saying 'use privacy settings'.
  • Confirm the guidance is kept current by checking the change log or revision dates against recent privacy-setting changes on major online services.
  • Confirm the encouragement reaches personnel by reviewing delivery records (training completion, distribution lists or intranet publication) covering the relevant population.
  • Confirm the messaging connects over-sharing to the organisational risk (social engineering and spear-phishing) so the encouragement targets the personal details attackers exploit.
  • Confirm the control is treated as encouragement of personal-account settings and has not been overstated into mandatory enforcement or monitoring of staff personal profiles.

Cross-framework mappings

How ISM-2107 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control         Relationship       Notes
Annex A 6.3     Partially meets    ISM-2107 encourages personnel to actively configure privacy settings on online services to restrict who can view personal information the...
Annex A 5.34    Supports           ISM-2107 encourages personnel to use privacy settings on online services to restrict who can view personal information they post

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
