Prevent Unauthorised RF and IR Device Entry
Ensure no unauthorised RF or IR devices are brought into high-security areas.
Plain language
This control is all about making sure that devices that use radio waves or infrared, like certain remote controls or wireless cameras, aren’t accidentally brought into high-security areas by people who aren’t supposed to have them. This matters because these devices can secretly transmit information, which could lead to sensitive data getting into the wrong hands.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for physical security
Section
Facilities and systems
Official control statement
Unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas.
Why it matters
Unauthorised RF/IR devices entering SECRET/TOP SECRET areas can exfiltrate classified data via wireless links, causing major security compromise.
Operational notes
Screen entrants and bags at SECRET/TOP SECRET access points; prohibit unauthorised RF/IR devices; run periodic RF/IR sweeps and remove detections.
Implementation tips
- Security personnel should conduct regular checks: Security staff should routinely inspect people entering high-security areas to ensure they aren't carrying unauthorised RF and IR devices. Use a list of authorised devices for reference and conduct manual or electronic screenings.
- IT team should update security policies: The IT department should clearly outline in the organisation's security policy which RF and IR devices are allowed in specific security zones. Disseminate this policy to all staff and provide training on identifying and reporting unauthorised devices.
- Managers should educate staff: Managers should organise training sessions to educate employees about which devices are not permitted in sensitive areas and why. Use a presentation or demo to explain the risks these devices pose to security.
- Facilities team should implement signage: Facilities coordinators should put up clear signs at entry points to high-security zones reminding employees and visitors of the prohibition on unauthorised RF and IR devices. Use simple language and visually striking designs for effectiveness.
- Procurement team should manage device purchases: Ensure that all purchases of RF and IR devices are approved by the relevant security authority in the organisation to prevent unauthorised devices from being acquired and inadvertently brought into secure areas.
Audit / evidence tips
- Ask for security device screening logs: Request the logs that show the dates and times of security screenings and which devices were identified.
  Good: includes consistent records of routine checks and follow-up actions on any incidents.
- Ask for the security policy document: Request the written policy covering RF and IR device restrictions.
  Good: a comprehensive document, easily understood by staff.
- Ask them to describe the protocol for handling unauthorised devices.
  Good: includes accurate recall of the steps and examples of past actions.
- Good: shows thorough checks and correct use of screening technology, if applicable.
- Ask for records of training sessions on security procedures regarding RF and IR devices.
  Good: includes documented sessions with clear training outcomes and high attendance rates.
Cross-framework mappings
How ISM-0225 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | ||
| Annex A 7.2 | ISM-0225 requires that unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas to reduce eavesdropping/exfiltrati... | |
| Annex A 7.3 | ISM-0225 mandates preventing unauthorised RF/IR devices from entering SECRET and TOP SECRET areas | |
| Related (2) | ||
| Annex A 7.1 | Annex A 7.1 requires security perimeters to be defined and used to protect areas containing information and associated assets | |
| Annex A 7.6 | Annex A 7.6 requires organisations to design and implement security measures to control and protect how people work within secure areas | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.