ISM-0230 - ASD Information Security Manual (ISM)

Advising on Risks of Non-Secure Telephone Systems

Staff are informed about security dangers of using unsecured phones for sensitive talks.

Plain language

This control is about making sure your team knows the potential risks of discussing sensitive information over non-secure phone lines. It's like knowing not to yell out private information in a crowded room. If staff are unaware of these risks, someone could overhear these conversations and misuse the information, leading to data breaches or damage to your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2018

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur.

Why it matters

Using non-secure phones for sensitive or classified calls can enable eavesdropping, leading to unauthorised disclosure of protected information.

Operational notes

Regularly remind staff not to discuss sensitive or classified topics on non-secure phone lines; use approved secure telephony where available.

Implementation tips

  • Manager should develop a communication policy: Clearly outline situations where secure communications are needed and specify when not to use standard phone lines. Share this policy with all staff during training sessions.
  • HR should provide employee training: Conduct regular sessions to educate staff on the risks of using unsecured phones for sensitive talks. Use real-world examples to show how leaks can occur.
  • IT team should evaluate phone systems: Identify if the existing telephone system can be configured for better security or if secure lines need to be established. Look into options like encrypted phone lines or secure VoIP services.
  • Office manager should establish secure areas: Designate specific rooms or areas where sensitive calls can be taken using secure lines. Ensure these areas are marked clearly and access is controlled.
  • Compliance officer should perform regular checks: Keep track of how often secure communication procedures are followed and remind staff of the importance of these practices in periodic updates.

Audit / evidence tips

  • Ask: The communication policy document. Request the organisation’s policy outlining when to use secure lines for sensitive calls. Good: Policy is well-documented, easy to understand, and readily accessible to staff.
  • Ask: A sample of employees about the training they've received regarding secure phone use. Good: Staff are aware and can recall key points from training.
  • Good: List matches what you see on a walk-through
  • Good: Configuration includes encryption settings actively in use
  • Good: Log shows consistent monitoring and corrective actions

Cross-framework mappings

How ISM-0230 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 6.3 ISM-0230 requires personnel to be advised of the security risks of using non-secure telephone systems in areas where sensitive or classif...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
