Implement Off-hook Audio Protection on Telephones
Use features to prevent phone conversations being heard in sensitive areas.
Plain language
This control is about making sure that phone conversations in areas with sensitive or classified information can't be accidentally overheard when a phone is left off the hook. If this isn't managed, confidential discussions could be listened to by unauthorised people, risking privacy breaches and potential leaks of sensitive data.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
07 May 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systemsSection
Telephone systemsOfficial control statement
Off-hook audio protection features are used on telephone systems in areas where background conversations may exceed the sensitivity or classification that the telephone system is authorised for communicating.
Why it matters
Without off-hook audio protection, sensitive nearby conversations may be picked up by off-hook handsets and disclosed beyond the phone system’s authorised classification.
Operational notes
Regularly test off-hook audio protection on handsets/speakerphones in high-risk areas and document results, fixing or disabling devices that can capture room conversations.
Implementation tips
- IT team should install off-hook audio protection features: This involves configuring the phone systems to automatically mute the microphone when the handset is off the hook but not in active use. Use the phone system's settings to activate this feature or consult the manual for guidance.
- Procurement should ensure new phone systems include audio protection features: When buying new phones, specify models that include off-hook audio protection capabilities. Check product specifications or ask vendors about these features before purchase.
- Office managers should provide training sessions: Arrange short training sessions for staff on the importance of off-hook audio protection and how to use it. Demonstrate how to check if off-hook protection is enabled on the phone and what actions to take if they suspect it's not.
- System administrator should regularly test the feature: Conduct periodic checks on randomly selected phones to ensure the off-hook protection is active and functioning properly. Document the test process and any issues found for follow-up.
- Information security team should review policies: Review and update organisational policies to include requirements for off-hook audio protection in sensitive areas, ensuring staff understand their roles and responsibilities in maintaining phone security.
Audit / evidence tips
- AskA list of phone models in use: Check that the phones listed are equipped with off-hook audio protection features GoodWill mention specific models and their protection capabilities
- GoodWill be logs demonstrating both scheduled tests and any corrective actions taken
- AskThem to describe how they check and use off-hook protection on their phones GoodIs staff confidently detailing the process and showing awareness of its importance
- GoodShows clear mention of this requirement and responsibilities
Cross-framework mappings
How ISM-0236 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 7.6 | ISM-0236 requires organisations to implement off-hook audio protection on telephone systems in areas where background conversations may e... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.