Ensure Authentication for IP Telephony Actions
Users must be verified for all actions such as registering phones and accessing voicemail on IP telephony networks.
Plain language
This control is about making sure that only authorised people can do things like register phones or listen to voicemails on your office internet phone system. Without this, someone could tamper with your phone settings or access private messages, putting your business communications at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systemsOfficial control statement
Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail.
Why it matters
Unauthorised IP telephony actions can enable call interception, voicemail compromise, fraud, and disruption of critical voice services.
Operational notes
Enforce authentication and role-based authorisation for phone registration/provisioning, admin changes and voicemail access; regularly review accounts, roles and logs.
Implementation tips
- Business owners should ensure they have an authentication system for internet phones. This means setting up a username and password or PIN that people must use to prove who they are before they can make changes or access voicemail.
- IT teams should implement multi-factor authentication (MFA) across the IP telephony network. This involves setting up a system where users need to provide two or more pieces of evidence to prove their identity, like a password and a code sent to their phone.
- Managers should train staff on the importance of using unique and strong passwords for accessing IP phone systems. Host a workshop to show employees how to create strong passwords and why reusing passwords is risky.
- The security officer should regularly review and update access permissions for the entire IP telephony system. Check every quarter to ensure that only current employees have access and that former staff are promptly removed from the system.
- The IT team should routinely monitor the IP telephony system logs for any unusual access attempts or changes. Use automated alerts to detect and report suspicious activities that might indicate unauthorised access.
Audit / evidence tips
- AskThe user authentication policy for IP telephony systems GoodA clear policy outlining the authentication process, including password requirements and MFA
- GoodThe list is up-to-date with no former employees listed
- AskLogs of recent access attempts to the IP telephony system GoodThe logs show legitimate access patterns with minimal failed attempts
- GoodTraining is conducted quarterly and participation is documented
- AskThe recent security review report of the IP telephony system GoodThe report includes all findings and records of any actions taken
Cross-framework mappings
How ISM-0555 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (2) expand_less | ||
| Annex A 5.17 | ISM-0555 requires authentication and authorisation for all actions on an IP telephony network, including device registration and voicemai... | |
| Annex A 5.18 | ISM-0555 requires authentication and authorisation for IP telephony actions such as user registration, setting changes, and voicemail access | |
| link Related (1) expand_less | ||
| Annex A 8.3 | ISM-0555 mandates authentication and authorisation for IP telephony actions such as device registration and voicemail access | |
E8
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| E8-MF-ML2.3 | ISM-0555 requires authentication and authorisation for all actions on an IP telephony network (e.g | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.