When employees use the same device for both work and personal use, company data can easily leak to personal cloud accounts, get left on a device when the employee resigns, or get lost if the device is stolen. For example, a sales executive in Delhi using his personal WhatsApp account AND company WhatsApp Business account on the same phone could accidentally share a customer list to his personal contacts, damaging client trust and exposing you to contract breach lawsuits. If a regulatory audit (like NISM for fintech or GST audits) happens, you won't be able to prove what company data was where, creating compliance problems. Personal devices also introduce uncontrolled security risks—no antivirus, no encryption, no remote lock capability.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You see employees using their personal phones for work emails, personal laptops for accessing company files, and no one knows which device holds what data. There is no written policy about device use.
- Initial: You have written a simple rule saying employees should use company devices for work, but there is no enforcement—employees still use personal phones during meetings and for email, and you have no way to check what's happening.
- Developing: You have issued company devices (phones or laptops) to key staff and have a written Bring-Your-Own-Device (BYOD) policy that lists what is and isn't allowed on personal devices. However, you don't actively monitor compliance.
- Defined: All employees have assigned company devices; your IT person has documented the list and tracks which device goes to whom. You have a BYOD policy, and employees sign a device agreement before receiving equipment.
- Managed: You use Mobile Device Management (MDM) or endpoint management software to monitor and control what company data can be accessed on personal devices, with automatic remote wipe capability if a device is lost. Compliance is checked quarterly.
- Optimised: You have fully separated work and personal devices with zero exceptions; MDM is in place with automatic encryption, remote wipe, and app management; quarterly audits confirm zero non-compliant device usage; and you have insurance covering device loss or theft.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Write and publish a one-page Device Use Policy stating that work email and company files must be accessed only on company devices. Have all employees sign and date it. | HR Manager or Business Owner | 2-3 days |
| 1 → 2 | Create a Bring-Your-Own-Device (BYOD) policy (or personal device policy) that clearly lists what employees CAN and CANNOT do on personal devices (e.g., no company Gmail account, no access to confidential files via VPN from personal phone). Have the IT person review it. | HR Manager with IT person review | 1 week |
| 2 → 3 | Assign and distribute company devices (laptop and/or phone) to all staff who need them. Create a simple Device Register (spreadsheet with device serial number, employee name, date issued, signature). Have employees sign a Device Responsibility Agreement acknowledging that the device is company property issued for work use only. | IT person and HR Manager | 2-4 weeks (depends on company size and budget for purchasing devices) |
| 3 → 4 | Deploy Mobile Device Management (MDM) software (free or paid tier) to all company devices. Configure it to enforce encryption, require strong passwords, disable personal app stores, and enable remote lock/wipe. Test remote wipe on one device. | IT person with possible vendor support | 4-6 weeks (planning, deployment, user training) |
| 4 → 5 | Establish a quarterly compliance audit process: check MDM reports for non-compliant devices, review device logs for unauthorized personal use, update device inventory, test disaster recovery (remote wipe), and document all findings. Train staff on the latest threats and device security best practices annually. | IT person and Compliance Officer (if separate role) | Ongoing (4-8 hours per quarter) |
Documents and records that prove your maturity level.
- Written Device Use Policy or Acceptable Use Policy (AUP) signed by all employees with date
- Bring-Your-Own-Device (BYOD) Policy document clearly stating what personal devices can and cannot be used for
- Device Register or Inventory List showing serial number, model, employee name, date issued, and employee signature
- Device Responsibility or Hardware Agreement signed by each employee confirming they understand the device is for work only and company data must be protected
- MDM or endpoint management deployment documentation showing all devices enrolled, last compliance check date, and encryption status (if at maturity level 4 or 5)
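The quarterly audit in step 4 → 5 and the MDM evidence item above both come down to one reconciliation: every device in the Device Register must appear in the MDM report as enrolled, encrypted, passcode-compliant, free of personal app stores and recently checked in, and anything the MDM sees that is not in the register has no accountable owner. The script below is an added example (not part of this page and not any MDM vendor's tooling) that runs that reconciliation over two constructed CSV exports; the column names, serial numbers, employee names and the 30-day check-in threshold are all assumptions made for the example, and a real MDM export will need its columns mapped to these.

```python
"""Added example: quarterly device-compliance audit that reconciles the Device
Register against an MDM compliance export. Sample data, column names and the
30-day check-in threshold are constructed for illustration, not taken from any
real product or organisation."""
import csv
import io
from datetime import date

# Constructed Device Register (the step 2 -> 3 spreadsheet). Serials and names
# are invented.
DEVICE_REGISTER_CSV = """serial,model,employee,date_issued
SN-1001,Laptop,A. Sharma,2024-01-15
SN-1002,Phone,R. Iyer,2024-02-01
SN-1003,Laptop,P. Mehta,2024-03-10
SN-1004,Phone,S. Khan,2024-03-12
"""

# Constructed MDM export. Real MDM products use their own column names; this
# layout is an assumption for the example.
MDM_EXPORT_CSV = """serial,enrolled,encrypted,passcode_policy_met,last_checkin,personal_app_store_enabled
SN-1001,yes,yes,yes,2024-06-28,no
SN-1002,yes,no,yes,2024-06-29,no
SN-1003,yes,yes,no,2024-04-01,yes
SN-1999,yes,yes,yes,2024-06-30,no
"""

# Assumed policy threshold: a device silent longer than this needs follow-up
# (it may be lost, switched off, or have had the MDM agent removed).
MAX_CHECKIN_AGE_DAYS = 30


def parse_csv(text):
    """Parse a CSV string into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_devices(register_csv, mdm_csv, today_iso):
    """Return a list of (serial, issue) findings for the quarterly audit.

    Each registered device is checked against the MDM record; devices the MDM
    knows about but the register does not are flagged as well.
    """
    today = date.fromisoformat(today_iso)
    register = {row["serial"]: row for row in parse_csv(register_csv)}
    mdm = {row["serial"]: row for row in parse_csv(mdm_csv)}
    findings = []
    for serial in register:
        record = mdm.get(serial)
        if record is None or record["enrolled"] != "yes":
            findings.append((serial, "not enrolled in MDM"))
            continue  # the remaining checks need MDM data
        if record["encrypted"] != "yes":
            findings.append((serial, "storage not encrypted"))
        if record["passcode_policy_met"] != "yes":
            findings.append((serial, "passcode policy not met"))
        if record["personal_app_store_enabled"] == "yes":
            findings.append((serial, "personal app store enabled"))
        age_days = (today - date.fromisoformat(record["last_checkin"])).days
        if age_days > MAX_CHECKIN_AGE_DAYS:
            findings.append((serial, f"no MDM check-in for {age_days} days"))
    for serial in mdm:
        if serial not in register:
            findings.append((serial, "enrolled in MDM but missing from Device Register"))
    return findings


def audit_summary(register_csv, mdm_csv, today_iso):
    """Build the record to file as audit evidence: date, counts and findings."""
    findings = audit_devices(register_csv, mdm_csv, today_iso)
    register_serials = [row["serial"] for row in parse_csv(register_csv)]
    flagged = {serial for serial, _ in findings}
    return {
        "audit_date": today_iso,
        "devices_in_register": len(register_serials),
        "compliant_devices": [s for s in register_serials if s not in flagged],
        "non_compliant_count": len(flagged),
        "findings": findings,
    }


if __name__ == "__main__":
    summary = audit_summary(DEVICE_REGISTER_CSV, MDM_EXPORT_CSV, "2024-06-30")
    print(f"Audit {summary['audit_date']}: {summary['non_compliant_count']} device(s) flagged")
    for serial, issue in summary["findings"]:
        print(f"  {serial}: {issue}")
```

On the sample data the run flags SN-1002 (not encrypted), SN-1003 (passcode, app store and a 90-day silence), SN-1004 (issued but never enrolled) and SN-1999 (enrolled but not in the register, the pattern that later turns into "data in the wild" when someone resigns). The returned summary is the artefact to keep with the quarter's audit documentation, alongside the MDM report it was produced from.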
Prepare for these questions from customers or third-party reviewers.
- "Can you show me a list of all company-owned devices currently in use and which employee has each one?"
- "Do you have a written policy on device use? Can I see it and proof that employees have acknowledged it?"
- "What happens if an employee tries to use their personal phone to access company email or files? How do you prevent or detect it?"
- "If an employee leaves the company, how do you ensure company data is removed from their personal device (if they ever accessed it)?"
- "Are all company devices encrypted and password-protected? Can you demonstrate the security controls on a sample device?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Mobile Device Management (MDM) to enforce encryption, remote lock/wipe, and app control on company devices | Nextcloud Deck or Modoboa (self-hosted, requires IT setup); Android Enterprise (basic, Google account-based); Intune free tier (very limited, Microsoft) | Microsoft Intune (₹500-1500/device/year), Jamf Now (₹1200-2000/device/year), AirDroid Business (₹800-1200/device/year), VMware Workspace ONE (₹2000-3500/device/year) |
| Device inventory and asset tracking to maintain a record of which employee has which company device | Google Sheets or LibreOffice Calc with device list template | Snipe-IT (open-source, self-hosted; free), Insight (asset management, ₹10,000-50,000/year), Jira Service Management (₹7,000-15,000/year) |
| Policy creation and employee acknowledgment tracking to prove staff have read and agreed to device policies | Google Forms for policy acknowledgment + email; Jotform (basic tier) | DocuSign (₹20,000-50,000/year), Formstack (₹800-2000/month), BambooHR (includes policy management, ₹1,500-3,500/month) |
- Assuming a written policy is enough—employees ignore rules unless you monitor and enforce them actively, especially in Indian startups where informal culture is common and device separation feels like excessive control
- Providing company devices but allowing employees to install personal apps and accounts without restriction, turning the device into a hybrid that still poses data leak risks
- Losing track of who has which device, so when someone resigns, you don't know which devices to retrieve or wipe, leading to data in the wild
- Not planning for device replacement and repair cycles; old devices are passed to new employees without secure wipe of previous data, creating a liability chain
- Deploying expensive MDM software without user training or a clear support process, leading to employee frustration, workarounds, and eventual non-compliance
- Ignoring personal devices used for work entirely and only regulating company devices, missing the biggest risk (employee's unsecured phone with company Gmail still poses breach risk)
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Purpose Limitation and Data Minimization) - Personal data must be processed only for stated purposes; device separation ensures company data is not mixed with personal data, reducing unauthorized processing risk |
| CERT-In Guidelines 2022 | Guideline 2.3 (Device and Media Control) and Guideline 2.4 (Access Control) - Organizations must control access to company devices and ensure personal devices do not have unauthorized access to company data |
| ISO 27001:2022 | Annex A.6.4 (Endpoint Device Security) and Annex A.5.15 (Access Control) - Controls to ensure company assets are protected from unauthorized access and personal device use is managed |
| NIST CSF 2.0 | Govern (GV.RO-01 Governance and Risk Management) and Protect (PR.AC-01 Identity and Access Management) - Device separation is a foundational control for asset and access governance |