Secure Protocols for Video and IP Telephony
Video and IP calls must use secure protocols to keep communications private and safe.
Plain language
This control is about making sure that the video and voice calls your organisation makes online are secure. If the protocols used aren't secure, sensitive information could be stolen or conversations could be intercepted by unauthorised people.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systemsOfficial control statement
Video conferencing and IP telephony calls are conducted using a secure real-time transport protocol.
Why it matters
Unsecure video and IP calls risk data breaches through eavesdropping, leading to potential loss of sensitive information or reputational damage.
Operational notes
Audit video/IP telephony to enforce SRTP/DTLS-SRTP, disable insecure RTP, and verify encryption settings remain current after updates or changes.
Implementation tips
- Organisation managers should prioritise the use of secure communication software. Ensure the software for video calls or IP telephony is configured to employ secure protocols like Secure Real-time Transport Protocol (SRTP) and these settings are checked regularly.
- IT teams should update and patch video conferencing and telephony applications regularly. Plan for updates by scheduling checks weekly and consult vendor update notices to keep security features current.
-
Look atproducts that guarantee end-to-end encryption and provide vendor support for implementing secure protocols
- HR should train staff on the importance of secure communications. Conduct workshops to explain why using secure protocols is necessary and how to ensure their systems are set up correctly before starting a call.
- System administrators should regularly review system logs for any unusual activities in communication applications. Set a routine to analyse logs weekly for failed access attempts or unauthorised usage, indicating potential security breaches.
Audit / evidence tips
-
Asknetwork configuration documents: Request documentation showing the communication applications' network setup
Gooddocument will clearly indicate active secure protocols
-
Askto review the software update logs
Goodlog will show consistent updates, especially of security patches, occurring within a reasonable timeframe following release
-
Askvendor certifications or agreements: These should outline the security guarantees of the communication software
Goodwill include a certificate or vendor statement confirming compliance
-
Askto see staff training records: Review records for training sessions about secure communication usage
Goodincludes recent attendance records, showing most of the relevant staff attended training within the past year
-
Asklogs of communication sessions: Review how logs are monitored for security
Goodlog shows no unusual activities or flags any suspicious patterns that were followed up on appropriately
Cross-framework mappings
How ISM-0547 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
No cross-framework mappings recorded yet.