Ensure Encryption for Sensitive Cordless Communications
Do not use cordless phones or headsets for sensitive calls unless the communications are encrypted.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Feb 2023
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for communications systems
Section
Telephone systems
Cordless telephone handsets and headsets are not used for sensitive or classified conversations unless all communications are encrypted.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure that any sensitive conversations you have using cordless phones or headsets are kept private by using encryption. Without encryption, someone nearby with the right equipment could eavesdrop on your calls, potentially exposing confidential business or personal information.
Why it matters
If cordless handsets/headsets are used without encryption, attackers can intercept conversations and expose sensitive or classified information.
Operational notes
Verify cordless phones/headsets use approved encryption; prohibit sensitive/classified calls on devices that cannot encrypt end-to-end.
Implementation tips
- IT team should ensure that only encrypted devices are used: Work with a technology partner or supplier to find phones and headsets that offer encryption for wireless communications. Verify with the vendor that the specific models are built to keep conversations secure.
- System owners should train staff on encryption needs: Educate employees about the risks of using non-encrypted cordless devices for sensitive conversations. Hold a short workshop to explain how encryption helps protect privacy.
- Procurement should specify encryption requirements: When purchasing new cordless communication devices, include a requirement for encryption in your procurement documents. Ensure suppliers confirm compliance in their bids.
- Managers should regularly review device use: Check in with staff during regular meetings to confirm they understand and are using encrypted devices as directed. Remind them why this is important for your company's security.
- IT support should configure devices: Once devices are purchased, the IT team should handle setup to ensure encryption features are activated. Set clear steps in a configuration guide and keep it updated for reference.
Audit / evidence tips
- Ask: a list of devices used for sensitive communications: Request documentation listing each cordless phone or headset approved for such use
  Good: a comprehensive list showing only encrypted device models in use
- Ask: how they ensure devices remain secure and updated
  Good: includes regular maintenance routines and tested update processes
- Good: recent training with clear training objectives achieved
- Good: all devices configured with security measures enabled from the start
- Good: procurement specs explicitly requiring encryption and suppliers acknowledging this
Cross-framework mappings
How ISM-0233 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.24 | ISM-0233 requires that cordless telephone handsets and headsets are not used for sensitive or classified conversations unless the communi... | |
| Supports (1) | | |
| Annex A 5.12 | ISM-0233 mandates encryption (or non-use) of cordless handsets/headsets for sensitive or classified conversations | |