Ensure Encryption for Sensitive Cordless Communications
Do not use cordless phones or headsets for sensitive calls unless the communications are encrypted.
Plain language
This control is about making sure that any sensitive conversations you have using cordless phones or headsets are kept private by using encryption. Without encryption, someone nearby with the right equipment could eavesdrop on your calls, potentially exposing confidential business or personal information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systems
Section
Telephone systems
Official control statement
Cordless telephone handsets and headsets are not used for sensitive or classified conversations unless all communications are encrypted.
Why it matters
If cordless handsets/headsets are used without encryption, attackers can intercept conversations and expose sensitive or classified information.
Operational notes
Verify cordless phones/headsets use approved encryption; prohibit sensitive/classified calls on devices that cannot encrypt end-to-end.
Implementation tips
- IT team should ensure that only encrypted devices are used: Work with a technology partner or supplier to find phones and headsets that offer encryption for wireless communications. Verify with the vendor that the specific models are built to keep conversations secure.
- System owners should train staff on encryption needs: Educate employees about the risks of using non-encrypted cordless devices for sensitive conversations. Hold a short workshop to explain how encryption helps protect privacy.
- Procurement should specify encryption requirements: When purchasing new cordless communication devices, include a requirement for encryption in your procurement documents. Ensure suppliers confirm compliance in their bids.
- Managers should regularly review device use: Check in with staff during regular meetings to confirm they understand and are using encrypted devices as directed. Remind them why this is important for your company's security.
- IT support should configure devices: Once devices are purchased, the IT team should handle setup to ensure encryption features are activated. Set clear steps in a configuration guide and keep it updated for reference.
Audit / evidence tips
- Ask: a list of devices used for sensitive communications: Request documentation listing each cordless phone or headset approved for such use
  Good: a comprehensive list showing only encrypted device models in use
- Ask: how they ensure devices remain secure and updated
  Good: includes regular maintenance routines and tested update processes
- Good: recent training with clear training objectives achieved
- Good: all devices configured with security measures enabled from the start
- Good: procurement specs explicitly requiring encryption and suppliers acknowledging this
Cross-framework mappings
How ISM-0233 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.24 | ISM-0233 requires that cordless telephone handsets and headsets are not used for sensitive or classified conversations unless the communi... | |
| Supports (1) | | |
| Annex A 5.12 | ISM-0233 mandates encryption (or non-use) of cordless handsets/headsets for sensitive or classified conversations | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.