ISM-0558 ASD Information Security Manual (ISM)

Restrict IP Phone Network Access in Public Areas

Public area IP phones cannot connect to data networks or access voicemail and directories.


Plain language

IP phones in public areas, like conference rooms or lobbies, should not be able to connect to your main data network or access services like voicemail and company directories. This is important because if someone misuses these phones, they could potentially listen to messages meant for others or access sensitive company information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

IP phones used in public areas do not have the ability to access data networks, voicemail and directory services.

Why it matters

If public-area IP phones can access data networks, voicemail or directories, attackers could pivot into internal systems or harvest sensitive information.


Operational notes

Audit public-area IP phones to confirm they cannot reach data networks, voicemail or directories; enforce VLAN/ACL restrictions and disable unused ports/features.


Implementation tips

  • IT team should segment the network: The team should ensure that IP phones in public areas are connected to a separate network from the main data network. This can often be done by setting up a separate VLAN (Virtual Local Area Network) to isolate these devices.
  • System administrators should disable unnecessary services: Administrators need to disable services like voicemail and directory access on IP phones used publicly. This can be achieved through the phone's configuration settings or management software.
  • Procurement should verify equipment features: When buying new IP phones, procurement should confirm that the phones can support network segregation and do not have easy access to data networks by default.
  • Facility managers should monitor placement of phones: Facility managers need to ensure that IP phones are placed strategically in public areas to discourage tampering, while still being easy to use by staff and visitors.
  • IT team should conduct regular security checks: They should routinely test public area IP phones to ensure they can't unexpectedly connect to data networks or access restricted services. This includes regularly checking phone firmware and configuration settings.

Audit / evidence tips

  • Ask: Network configuration documentation: Request details of network settings that show how public area IP phones are segregated from the main data network. Good: Is clear documentation showing these phones are on a separate network segment.
  • Ask: Phone configuration records: Obtain records that show service restrictions, like disabled voicemail and directory access on public IP phones. Good: Includes specific settings showing restricted services.
  • Ask: To see logs of security checks: Request logs or reports from routine security checks on public area IP phones. Good: Is a regularly updated log showing checks were performed and any issues were addressed.
  • Ask: Vendor specifications: Request the product specifications that were reviewed before purchasing IP phones for public areas. Good: Is confirmation from specifications that phones can be appropriately isolated.
  • Ask: Incident response records: Request to see any incident reports involving public area IP phones. Good: Is a record showing few or no incidents due to proper controls being in place.

Cross-framework mappings

How ISM-0558 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (4)
Annex A 8.3 ISM-0558 requires that public area IP phones are restricted from accessing organisational data networks and telephony services such as vo...
Annex A 8.20 ISM-0558 requires public area IP phones to be configured so they cannot reach internal data networks or associated services like voicemai...
Annex A 8.21 ISM-0558 mandates that IP phones in public areas are prevented from accessing data networks and sensitive telephony services such as voic...
Annex A 8.22 ISM-0558 requires that IP phones located in public areas are technically restricted so they cannot access data networks, voicemail, or di...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.