Prevent Unauthorised RF and IR Device Entry
Ensure no unauthorised RF or IR devices are brought into high-security areas.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: S, TS
ISM last updated: Aug 2021
Control Stack last updated: 22 Feb 2026
E8 maturity levels: N/A
Unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas.
Source: ASD Information Security Manual (ISM)
Plain language
This control is all about making sure that devices that use radio waves or infrared, like certain remote controls or wireless cameras, aren’t accidentally brought into high-security areas by people who aren’t supposed to have them. This matters because these devices can secretly transmit information, which could lead to sensitive data getting into the wrong hands.
Why it matters
Unauthorised RF/IR devices entering SECRET/TOP SECRET areas can exfiltrate classified data via wireless links, causing major security compromise.
Operational notes
Screen entrants and bags at SECRET/TOP SECRET access points; prohibit unauthorised RF/IR devices; run periodic RF/IR sweeps and remove detections.
Implementation tips
- Security personnel should conduct regular checks: Security staff should routinely inspect people entering high-security areas to ensure they aren't carrying unauthorised RF and IR devices. Use a list of authorised devices for reference and conduct manual or electronic screenings.
- IT team should update security policies: The IT department should clearly outline in the organisation's security policy which RF and IR devices are allowed in specific security zones. Disseminate this policy to all staff and provide training on identifying and reporting unauthorised devices.
- Managers should educate staff: Managers should organise training sessions to educate employees about which devices are not permitted in sensitive areas and why. Use a presentation or demo to explain the risks these devices pose to security.
- Facilities team should implement signage: Facilities coordinators should put up clear signs at entry points to high-security zones reminding employees and visitors of the prohibition on unauthorised RF and IR devices. Use simple language and visually striking designs for effectiveness.
- Procurement team should manage device purchases: Ensure that all purchases of RF and IR devices are approved by the relevant security authority in the organisation to prevent unauthorised devices from being acquired and inadvertently brought into secure areas.
Audit / evidence tips
- Ask: security device screening logs: Request the logs that show the dates and times of security screenings and which devices were identified
  Good: includes consistent records of routine checks and follow-up actions on any incidents
- Ask: the security policy document: Request the written policy covering RF and IR device restrictions
  Good: is a comprehensive document, easily understood by staff
- Ask: them to describe the protocol for handling unauthorised devices
  Good: includes accurate recall of the steps and examples of past actions
- Good: shows thorough checks and correct use of screening technology, if applicable
- Ask: records of training sessions on security procedures regarding RF and IR devices
  Good: includes documented sessions with clear training outcomes and high attendance rates
Cross-framework mappings
How ISM-0225 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 7.2 | ISM-0225 requires that unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas to reduce eavesdropping/exfiltrati... | |
| Annex A 7.3 | ISM-0225 mandates preventing unauthorised RF/IR devices from entering SECRET and TOP SECRET areas | |
| Supports (1) | | |
| Annex A 7.1 | Annex A 7.1 requires organisations to define and use physical security perimeters to protect areas containing information and associated ... | |
| Related (1) | | |
| Annex A 7.6 | Annex A 7.6 requires security measures to be designed and implemented for working in secure areas to protect activities and information | |