ISM-0232 ASD Information Security Manual (ISM)

Encrypt External Traffic for Sensitive Calls

Sensitive phone calls should be encrypted to prevent eavesdropping when using outside systems.

Plain language

This control is about making sure that any phone conversations involving sensitive information, like confidential business discussions or private client details, are protected from eavesdropping. This is important because if someone manages to listen in, they could misuse the information for financial gain or cause damage by leaking private details.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2018

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems.

Why it matters

Without encrypting external calls, sensitive conversations can be intercepted, risking exposure of confidential data and potential business losses.

Operational notes

Regularly verify external call encryption (e.g., SIP over TLS and SRTP) on trunks and gateways, and confirm no fallback to unencrypted signalling or media.
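
The fallback check described above can be automated against captured signalling. The following is an added example, not part of the ISM or this page's own material: it audits one SIP message with an SDP body for TLS signalling and an SRTP media profile, and flags keying attributes offered on a plaintext profile (opportunistic SRTP that can fall back). The function name `audit_sip_message` and both sample messages are constructed for illustration.

```python
import re

SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_sip_message(raw):
    """Return findings for one SIP message carrying SDP; an empty list means pass."""
    findings = []
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    # Signalling: the topmost Via header shows the transport this hop used.
    via = next((l for l in head.split("\n") if re.match(r"(?i)^(via|v)\s*:", l)), "")
    m = re.search(r"SIP/2\.0/(\w+)", via)
    transport = m.group(1).upper() if m else "UNKNOWN"
    if transport != "TLS":
        findings.append(f"signalling: top Via transport is {transport}, not TLS")
    # Media: split the SDP into session-level lines and one section per m= line.
    sections, session = [], []
    for line in sdp.split("\n"):
        if line.startswith("m="):
            sections.append([line])
        elif sections:
            sections[-1].append(line)
        else:
            session.append(line)
    session_fp = any(l.startswith("a=fingerprint:") for l in session)
    for sec in sections:
        media, port, proto = sec[0][2:].split()[:3]
        if port == "0":  # stream declined, so no media is sent
            continue
        has_crypto = any(l.startswith("a=crypto:") for l in sec)       # SDES keying
        has_fp = session_fp or any(l.startswith("a=fingerprint:") for l in sec)  # DTLS-SRTP
        if proto not in SECURE_PROFILES:
            note = " (keys offered on a plaintext profile: opportunistic only)" if has_crypto or has_fp else ""
            findings.append(f"media: {media} uses {proto}{note}")
        elif proto.startswith("UDP/TLS") and not has_fp:
            findings.append(f"media: {media} is {proto} without a=fingerprint")
        elif proto.startswith("RTP/SAVP") and not has_crypto and not has_fp:
            findings.append(f"media: {media} is {proto} without keying attributes")
    return findings

# Constructed sample messages (not captured traffic).
GOOD = (
    "INVITE sips:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS gw.example.org:5061;branch=z9hG4bK1\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nm=audio 40000 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDKEYPLACEHOLDER\r\n"
)
BAD = GOOD.replace("/TLS", "/UDP").replace("RTP/SAVP", "RTP/AVP")
```

Run it over both the INVITE and the 200 OK answer taken at the trunk or gateway, since the answer shows what was actually negotiated.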

Implementation tips

  • Managers should ensure that all external phone calls involving sensitive information are made using systems that encrypt the call data. This can be done by choosing a phone service provider that offers encryption for voice calls.
  • The IT team should configure the phone systems so that encryption is automatically applied to all outgoing calls. This could involve setting up the system to use specific protocols or software that supports encrypted calls.
  • Procurement should prioritise vendors for phone systems that guarantee end-to-end encryption for calls and ensure that the vendors comply with Australian data protection laws.
  • Office managers should conduct regular training sessions for staff to highlight the importance of using secure, encrypted communication methods for sensitive calls. Use examples of potential breaches to make the impact clear.
  • System owners should periodically review the encryption policies and practices of service providers to ensure they are up to date. This can involve consulting the provider’s service agreement or security documentation to confirm compliance.

Audit / evidence tips

  • Ask: A list of systems used for voice communications. Ensure the systems mentioned have encryption capabilities. Good: Includes confirmation that all systems used for sensitive calls support encryption.
  • Ask: Them to describe how encryption is implemented and checked. Good: Involves specific mention of tools or protocols, such as Secure/Multipurpose Internet Mail Extensions (S/MIME) or Transport Layer Security (TLS).
  • Good: Is a visible confirmation of encryption during the call.
  • Ask: To see the materials used to educate staff about secure communications and look for attendance logs. Good: Shows regular training sessions reaching all users handling sensitive information.
  • Good: Includes a signed contract detailing such terms.

Cross-framework mappings

How ISM-0232 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.24 ISM-0232 requires telephone systems used for sensitive or classified conversations to encrypt all traffic when it traverses external syst...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
