ISM-0555 ASD Information Security Manual (ISM)

Ensure Authentication for IP Telephony Actions

Users must be verified for all actions such as registering phones and accessing voicemail on IP telephony networks.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2019

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure that only authorised people can do things like register phones or listen to voicemails on your office internet phone system. Without this, someone could tamper with your phone settings or access private messages, putting your business communications at risk.

Why it matters

Unauthorised IP telephony actions can enable call interception, voicemail compromise, fraud, and disruption of critical voice services.

Operational notes

Enforce authentication and role-based authorisation for phone registration/provisioning, admin changes and voicemail access; regularly review accounts, roles and logs.

Implementation tips

  • Business owners should ensure they have an authentication system for internet phones. This means setting up a username and password or PIN that people must use to prove who they are before they can make changes or access voicemail.
  • IT teams should implement multi-factor authentication (MFA) across the IP telephony network. This involves setting up a system where users need to provide two or more pieces of evidence to prove their identity, like a password and a code sent to their phone.
  • Managers should train staff on the importance of using unique and strong passwords for accessing IP phone systems. Host a workshop to show employees how to create strong passwords and why reusing passwords is risky.
  • The security officer should regularly review and update access permissions for the entire IP telephony system. Check every quarter to ensure that only current employees have access and that former staff are promptly removed from the system.
  • The IT team should routinely monitor the IP telephony system logs for any unusual access attempts or changes. Use automated alerts to detect and report suspicious activities that might indicate unauthorised access.

Audit / evidence tips

  • Ask: the user authentication policy for IP telephony systems

    Good: a clear policy outlining the authentication process, including password requirements and MFA

  • Good: the list is up-to-date with no former employees listed

  • Ask: logs of recent access attempts to the IP telephony system

    Good: the logs show legitimate access patterns with minimal failed attempts

  • Good: training is conducted quarterly and participation is documented

  • Ask: the recent security review report of the IP telephony system

    Good: the report includes all findings and records of any actions taken

Cross-framework mappings

How ISM-0555 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially overlaps (2)

  • Annex A 5.17: ISM-0555 requires authentication and authorisation for all actions on an IP telephony network, including device registration and voicemai...
  • Annex A 5.18: ISM-0555 requires authentication and authorisation for IP telephony actions such as user registration, setting changes, and voicemail access

Related (1)

  • Annex A 8.3: ISM-0555 mandates authentication and authorisation for IP telephony actions such as device registration and voicemail access

E8

Partially overlaps (1)

  • E8-MF-ML2.3: ISM-0555 requires authentication and authorisation for all actions on an IP telephony network (e.g
