Ensure Secure IP Telephony Device Authentication
Ensure only authorised IP phones can register and use the network, blocking unauthorised and unused functionalities.
Plain language
This control ensures that only the phones you have approved can connect to your office phone network. This is important because if unauthorised devices join the network, they could listen in on private conversations or cause disruptions, much like leaving the door open to anyone who wants to walk in uninvited.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Dec 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systems
Official control statement
IP telephony is configured such that:
- IP phones authenticate themselves to the call controller upon registration
- auto-registration is disabled and only authorised devices are allowed to access the network
- unauthorised devices are blocked by default
- all unused and prohibited functionality is disabled.
Why it matters
Without IP phone authentication and auto-registration disabled, rogue handsets can register to the call controller, enabling call eavesdropping and network disruption.
Operational notes
Ensure auto-registration is disabled, only authorised phones can register to the call controller, and unknown devices are blocked by default; disable unused/prohibited IP phone functionality.
Implementation tips
- The IT team should create a list of approved IP phones: Gather the serial numbers of all authorised phones and record them in a secure document. Use this list to ensure only these devices can register on the network.
- The IT manager should disable auto-registration on the call controller: Access the settings of the call management system and turn off the feature that automatically allows new devices to connect. This ensures only listed and approved devices can get onto the system.
- Network administrators should configure the system to block unauthorised devices: Set the firewall or the call controller’s security settings to reject unknown device attempts to connect. This proactive step ensures unauthorised phones can't access the network.
- The security officer should audit network access logs regularly: Review the logs weekly to check for any attempts by unauthorised devices to connect. Investigate any unusual activity and make sure it aligns with employees' use.
- The IT team should disable unused functions: Go through the phone system settings and turn off features that are not in use, like conference calling if it's unnecessary. This reduces risk by limiting ways the system can be misused.
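The weekly log review described above can be scripted against the approved-device list. The following is an added example, not part of the ISM or of any call controller's tooling; the serial numbers, the sample log and its key=value layout are constructed assumptions and would need adapting to the real registration log.

```python
import re
from collections import defaultdict

# Hypothetical allowlist of approved handset serial numbers (constructed values).
AUTHORISED = {"SN-0001", "SN-0002", "SN-0003"}

# Constructed sample log; the key=value layout is an assumption, not a vendor format.
SAMPLE_LOG = """\
2026-03-02T08:14:07Z REGISTER serial=SN-0001 src=10.20.0.15 auth=ok result=accepted
2026-03-02T08:15:42Z REGISTER serial=SN-9999 src=10.20.0.77 auth=none result=rejected
2026-03-02T08:15:50Z REGISTER serial=SN-9999 src=10.20.0.77 auth=none result=rejected
2026-03-02T09:01:13Z REGISTER serial=SN-0002 src=10.20.0.16 auth=none result=accepted
2026-03-02T09:30:00Z REGISTER serial=SN-7777 src=10.20.0.90 auth=ok result=accepted
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) REGISTER serial=(?P<serial>\S+) src=(?P<src>\S+) "
    r"auth=(?P<auth>ok|none|failed) result=(?P<result>accepted|rejected)$"
)

def audit(log_text, authorised):
    """Classify registration attempts against the approved-device list."""
    findings = defaultdict(list)
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            findings["unparsed"].append(lineno)  # never silently drop log lines
            continue
        ev = m.groupdict()
        known = ev["serial"] in authorised
        accepted = ev["result"] == "accepted"
        if not known and accepted:
            # Default-deny failed, or auto-registration is still enabled.
            findings["unknown_accepted"].append((ev["serial"], ev["src"]))
        elif not known:
            # Expected outcome: evidence of blocking, still worth investigating.
            findings["unknown_blocked"].append((ev["serial"], ev["src"]))
        elif accepted and ev["auth"] != "ok":
            # Approved phone registered without authenticating to the controller.
            findings["accepted_without_auth"].append((ev["serial"], ev["src"]))
    return dict(findings)

if __name__ == "__main__":
    for category, items in audit(SAMPLE_LOG, AUTHORISED).items():
        print(f"{category}: {items}")
```

Entries under `unknown_accepted` or `accepted_without_auth` indicate the control is not being enforced; `unknown_blocked` entries are the audit evidence that unknown devices are rejected by default.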
Audit / evidence tips
- Ask: the list of authorised IP phones: Request a document or electronic list that contains all approved devices allowed on the network
- Good: log shows attempts from unknown devices being blocked
- Ask: network security policy documents: Confirm there’s a policy detailing how devices are authenticated before joining the network
- Good: setup will include automatic defences that function without needing manual intervention
- Ask: training records or minutes from security meetings: Review evidence showing staff were briefed on these practices
Cross-framework mappings
How ISM-0551 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (4) | | |
| Annex A 5.15 | ISM-0551 mandates specific access control configuration for IP telephony, including authenticated registration, disabling auto-registrati... | |
| Annex A 8.3 | ISM-0551 requires only authorised IP phones to be permitted to register and access the telephony network, with unauthorised devices block... | |
| Annex A 8.5 | ISM-0551 requires IP telephony to enforce secure device registration by having IP phones authenticate to the call controller, disabling a... | |
| Annex A 8.20 | ISM-0551 focuses on securing IP telephony network access by authenticating endpoints to the call controller, preventing auto-registration... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.