
Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD)

Download ACSC Protect: Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD) (PDF), June 2013

Read ACSC Protect: Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD) (HTML), June 2013

Published June 2013


Enterprise mobility enables employees to perform work in specified business-case scenarios using devices such as smartphones, tablets and laptops, while leveraging technologies that facilitate remote access to data. A well-designed enterprise mobility strategy can create opportunities for organisations to securely improve customer service delivery, business efficiency and productivity. Some of these opportunities might permit employees to use their personally-owned devices, referred to as Bring Your Own Device (BYOD).

This document provides senior business representatives with a list of enterprise mobility considerations including business cases, regulatory obligations and legislation, available budget and personnel resources, as well as risk tolerance. Additionally, risk management controls are provided for cyber security practitioners.

This document aims to assist readers to understand and help mitigate the significant risks associated with using devices for work-related purposes that have the potential to expose sensitive data. Risks can be partially mitigated through a policy outlining the permitted use of devices, including the required behaviour expected from employees, which is complemented by technical risk management controls to enforce the policy and detect violations. Organisations must decide whether applying the chosen risk management controls would result in an acceptable level of residual risk.

Further information

This document complements advice in the Australian Government Information Security Manual, ACSC Protect publication BYOD Considerations for Executives and ACSC device-specific hardening guides.

Contact details

Organisations or individuals with questions regarding this advice can contact the ACSC by emailing or calling 1300 CYBER1 (1300 292 371).

In August 2018 ACSC launched a new website to reflect its new organisation.

Cyber security programs and advice are being migrated to the new website. Information and advice on this site remains current.
