Prevent MFD Connections to Digital Phone Systems
Do not connect multifunction devices (MFDs) to digital telephone systems.
Plain language
This control means that multifunction devices, like printers and scanners, shouldn't be connected directly to digital telephone systems. It's important because if these devices are connected, they could be used by cybercriminals to access sensitive information or disrupt communications, which can lead to loss of privacy and financial harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systemsSection
Multifunction devicesOfficial control statement
MFDs are not connected to digital telephone systems.
Why it matters
If an MFD is connected to a digital phone system, call/fax features may be abused to intercept documents, exfiltrate data, or disrupt telephony services.
Operational notes
Verify MFDs have no PBX/digital phone line connections (fax/modem cards, RJ11/RJ45 ports); audit cabling and disable phone interfaces where possible.
Implementation tips
- IT team should ensure MFDs are configured to not connect to any telephone systems. They can do this by checking device settings and disabling any telephone connectivity options.
- System owners should conduct regular checks to confirm that MFDs are not used in ways that could involve digital telephone systems. They can do this by reviewing device use logs and configurations periodically.
- Procurement managers should ensure new MFDs do not have digital telephone capabilities or these features can be disabled before purchase. They should request this information from vendors during the acquisition process.
- Office managers should train staff on the importance of keeping MFDs separate from telephone systems. This training should include a simple explanation of the risks and a quick demo of what not to connect.
- IT administrators should set up network monitoring to spot any unauthorised connections involving MFDs. They can use existing network management tools to alert if such connections are attempted.
Audit / evidence tips
-
Askthe device configurations document: Request documentation showing the settings of MFDs, specifically looking for entries about telephone connections
Goodis complete documentation showing these settings are in place
-
Askthem how they ensure MFDs aren't connected to telephone systems
Goodwill clearly describe steps taken to disable such connections and regular checks
-
Askprocurement records: Check documents for recent MFD purchases to verify they did not include telephone connectivity or that such features were disabled. Good records will show these details in the purchase agreements
-
Goodresult is logs showing no attempts at such connections or alerts when they were blocked
Cross-framework mappings
How ISM-0245 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.20 | ISM-0245 requires that multifunction devices (MFDs) are not connected to digital telephone systems to remove an insecure or unnecessary c... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.