ISM-0554: ASD Information Security Manual (ISM)

Secure Two-Way Authentication for Video Calls

Video calls must use an encrypted, non-replayable two-way authentication scheme so that call setup messages cannot be reused.

Plain language

This control is about making sure that your video calls are extra secure by using a method that checks both sides before letting the call begin, and it ensures that these calls can’t be tampered with or listened to by anyone else. This is important because if you don’t secure your video calls, sensitive information you share could be stolen or misused, putting your business or personal conversations at risk.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2018

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation.
ASD Information Security Manual (ISM), ISM-0554

Why it matters

Without secure two-way authentication, attackers can spoof participants or replay call setup messages, exposing sensitive business or personal information during video calls.

Operational notes

Regularly test mutual authentication on video calls and validate anti-replay protections (nonces/timestamps) to ensure call setup messages cannot be reused or spoofed.

Implementation tips

  • The IT team should set up secure video call software that supports two-way authentication. This means both callers must confirm their identity before the call starts. The IT team can implement this by choosing video conferencing tools with strong security features and configuring them to require user verification each time a call is initiated.
  • System owners should work with the IT team to ensure call encryption is enabled. This involves checking the settings in your video call software to make sure encryption is turned on, which protects the content of your calls from being accessed by unauthorized parties.
  • Managers need to communicate the importance of secure video calls to their team members. They can do this by organizing brief training sessions that explain how and why to use two-way authentication and encryption for every business call.
  • The HR department should incorporate secure communication practices into the employee handbook. This can include guidelines on using video conferencing safely, such as not sharing passwords and ensuring devices are protected with strong, unique passwords.
  • Procurement should assess and select video conferencing services that comply with Australian security standards, such as those recommended by the Australian Cyber Security Centre (ACSC). They can do this by reviewing product specifications and opting for services with strong security credentials verified by reliable agencies.

Audit / evidence tips

  • Ask for documentation of the video conferencing tools being used: Request a list of software tools approved for secure video calls within the organization.

    Good: the list will only include software that supports secure authentication and encryption standards.

  • Ask to see the configuration settings of the video call software: Request access to the configuration or security settings of the video conferencing tool.

    Good: the result is settings that confirm these security measures are in place for every call.

  • Ask for records of employee training on secure communication: Request documents or logs showing when employees were last trained on using secure video calling practices.

    Good: records of regular training sessions and updates.

  • Ask for a policy document on video call security: Request the organization's policy that outlines requirements for secure video calls.

  • Ask for logs of video call usage: Request logs that might record when and how video calls are conducted using authenticated and encrypted methods as part of regular checks.

    Good: the log will show consistent adherence to two-way authentication and encryption usage.

Cross-framework mappings

How ISM-0554 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.5: ISM-0554 requires an encrypted and non-replayable two-way authentication scheme specifically for video call authentication and authorisation

Supports (2)

  • Annex A 5.17: ISM-0554 requires secure two-way (mutual) authentication for video calls that is encrypted and non-replayable to ensure call authenticati...
  • Annex A 8.24: ISM-0554 requires video call authentication to use encrypted, non-replayable two-way authentication, which relies on strong cryptographic...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
