Ensure Secure Protocols for Video and IP Calls
Video and IP calls must use secure protocols to protect communication.
Plain language
This control ensures that video calls and voice calls over the internet use secure technologies to protect the conversations. It's crucial because if someone can tap into these calls, they might steal sensitive information or eavesdrop on confidential discussions, which could lead to privacy breaches or business losses.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systems
Official control statement
Video conferencing and IP telephony calls are established using a secure session initiation protocol.
Why it matters
If video/IP calls do not use secure SIP (e.g., SIP over TLS with SRTP), attackers can intercept or alter call audio/video and signalling.
Operational notes
Require SIP over TLS and SRTP for all video/IP call services; regularly verify client/device configs and disable insecure SIP transports.
Implementation tips
- The IT team should review current video conferencing and internet calling tools to make sure they use secure protocols. This involves checking the settings of each tool and any documentation provided by the service providers to ensure they support secure methods like encrypted connections.
- Managers and team leaders should conduct training sessions to make sure users understand how to start a secure video conference or call. They should give clear steps and demonstrations on picking the right settings in everyday tools like Zoom or Skype.
- The procurement team must include security requirements when purchasing new video conferencing or IP telephony solutions. They should require vendors to confirm that their products use secure protocols and provide evidence or certification.
- Operations personnel should regularly update the software used for video and IP calls to the latest version. Regular checks and updates can be done by setting reminders and keeping a log of software versions and update dates.
- The security team should run periodic checks to ensure all video and IP telephony systems are correctly configured for security. They can do this by simulating calls and verifying if the security settings are enforced, which involves checking the connection type and encryption status.
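The check in the last tip (confirming the connection type and encryption status of a test call) can be run against captured signalling. The following is an added example, not part of the ISM or of this control page: it audits a SIP INVITE for TLS signalling and SRTP media. The function names, sample messages and hostnames are constructed for illustration, and it assumes one Via value per header line.

```python
# Added example: audit a SIP INVITE for SIP over TLS and SRTP.
# Sample messages are constructed; hosts use the reserved .invalid TLD.
SECURE_MEDIA = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(raw: str) -> list[str]:
    """Return findings; an empty list means signalling and media are protected."""
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []
    # Signalling: every Via hop must declare TLS as its transport.
    vias = [l.split(":", 1)[1].strip() for l in head.split("\n")[1:]
            if l.lower().startswith(("via:", "v:"))]
    tls_signalling = bool(vias) and all(
        v.split()[0].upper() == "SIP/2.0/TLS" for v in vias)
    if not tls_signalling:
        findings.append("signalling: Via transport is not TLS")
    # Media: each m= line must use an SRTP profile (SDES or DTLS-SRTP).
    media = None
    for l in sdp.split("\n"):
        if l.startswith("m="):
            parts = l[2:].split()
            if len(parts) < 3:
                findings.append(f"media: malformed m= line {l!r}")
                continue
            media, proto = parts[0], parts[2].upper()
            if proto not in SECURE_MEDIA:
                findings.append(f"media: {media} offered as {proto}, not SRTP")
        elif l.startswith("a=crypto:") and not tls_signalling:
            # SDES carries the SRTP master key inside the SDP body, so
            # cleartext signalling exposes the key to anyone on the path.
            findings.append(f"media: {media or 'session'} SDES key sent "
                            "over cleartext signalling")
    return findings

def sample(transport: str, profile: str) -> str:
    """Build a constructed INVITE with the given Via transport and media profile."""
    return ("INVITE sip:bob@example.invalid SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} pbx.example.invalid;branch=z9hG4bKconstructed\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            "v=0\r\nc=IN IP4 192.0.2.10\r\n"
            f"m=audio 49170 {profile} 0\r\n"
            "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED\r\n")

if __name__ == "__main__":
    for transport, profile in [("TLS", "RTP/SAVP"), ("UDP", "RTP/SAVP"), ("UDP", "RTP/AVP")]:
        print(transport, profile, audit_invite(sample(transport, profile)) or "OK")
```

The middle case shows why the control names the session initiation protocol: an SRTP media profile negotiated over cleartext SIP still hands the media key to an eavesdropper.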
Audit / evidence tips
- Ask (system configuration records): Request to see documentation or screenshots showing current settings for video and IP call systems
  Good: detailed settings that clearly indicate secure protocols are enabled
- Ask (training materials): Request to see resources or records used in user training sessions about secure calls
  Good: comprehensive guides with step-by-step instructions and tips for secure usage
- Ask (vendor security assurances): Request evidence of security protocols as part of purchase requirements
- Ask (software update logs): Request logs of updates for the systems in use
  Good: a log with recent dates showing that software is kept current against security threats
- Ask (test results or reports from security checks): Request reports from security checks or simulations
  Good: a report confirming that security settings are correctly applied
Cross-framework mappings
How ISM-0548 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| Annex A 8.20 | ISM-0548 requires video conferencing and IP telephony calls to be established using a secure session initiation protocol to protect call ... | |
| Annex A 8.27 | ISM-0548 mandates the use of secure session initiation protocols for video and IP calls, reflecting a secure-by-design requirement for co... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.