Guidelines for Discussing Sensitive Information Over Phones
Staff are informed about what sensitive information can be talked about on phone calls.
Plain language
Before you discuss anything on the phone, you need to know what level of sensitive or classified information is allowed on that call, and whether the rules differ for internal and external phone systems. This matters because a call over an external or uncontrolled system can be intercepted or overheard, so saying the wrong thing can disclose confidential details to people who are not authorised to hear them and result in a security breach or loss of data.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Personnel are advised of the permitted sensitivity or classification of information that can be discussed over internal and external telephone systems.
Why it matters
Discussing sensitive or classified information over internal or external phones may lead to unauthorised disclosure and compromise of protective security requirements.
Operational notes
Provide staff briefings and quick-reference guidance on what classifications can be discussed over internal vs external phones, with periodic refreshers.
Implementation tips
- Managers should clearly identify which information in their workplace is considered sensitive or classified, and which sensitivity levels are permitted over internal phones versus external phones. A short guideline document or a staff meeting is enough, as long as staff come away knowing what is and is not allowed on each type of call.
- Supervisors should train employees in handling phone calls that involve sensitive information, including how to steer a caller away from a topic that is not permitted on that system. Role-playing sessions are a practical way to rehearse these calls so everyone can manage them effectively and securely.
- IT departments should evaluate the security properties of the internal and external phone systems in use. This includes checking whether existing systems provide encryption or other protections for conversations, and making clear to staff which systems do not, so the permitted classification for each system is based on what it actually protects.
- Human Resources should include the phone communication guidelines in the onboarding process. New employees should receive a clear list of dos and don'ts covering what they can and cannot discuss on internal and external phones.
- Business owners should conduct regular audits to confirm staff comply with the guidelines. This can be done by reviewing call procedures and issuing refreshers or updates to the guidance when needed.
Audit / evidence tips
- Ask for the phone communication guidelines: request the document or email that sets out what is considered sensitive information. Good evidence will include specifics about which topics require caution over phone discussions.
- Ask a few employees how they handle sensitive information on phone calls and whether they received training. Good evidence is that they correctly identify sensitive information and refer to the guidelines.
- Good evidence shows that staff understand and can apply the guidelines practically.
- Good evidence features a recent assessment with noted actions to improve security.
- Good evidence includes documented follow-up actions and improved processes.
Cross-framework mappings
How ISM-0229 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Mapping | Notes |
|---|---|---|
| Annex A 6.3 | Partially meets | ISM-0229 requires personnel to be advised what sensitivity or classification of information is permitted to be discussed over internal an... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.