Restrict Microphone and Webcam Use in SECRET Areas
Don't use microphones or webcams on non-classified computers in areas handling SECRET projects.
Plain language
In areas where top-secret projects are handled, it's crucial to avoid using microphones or webcams on computers that aren't dealing with classified information. This is important because these devices could accidentally record or share sensitive information, leading to security breaches and compromising the project.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systemsTopic
Microphones and WebcamsOfficial control statement
Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas.
Why it matters
Unauthorised audio/video capture in SECRET areas risks exposure of sensitive projects, potentially leading to leaks and security breaches.
Operational notes
Periodically check non-SECRET workstations in SECRET areas have no webcams or microphones connected (incl. headsets/USB handsets), and brief staff on the prohibition.
Implementation tips
- The IT team should physically inspect all workstations in SECRET areas to ensure no microphones or webcams are connected. They can do this by visiting the area and visually checking each computer setup, removing any unauthorised devices found.
- Managers should communicate this policy to staff and ensure everyone understands that only computers involved in SECRET projects can have microphones and webcams. They can send an email reminder and conduct a brief meeting to explain the reasons and consequences clearly.
- HR should update office policies and job descriptions to include this requirement in areas where SECRET projects are handled. They can do this by revising current documents and informing all employees of the changes during an induction or training session.
- The procurement team should ensure that no purchase orders for microphones or webcams are approved for SECRET areas unless explicitly authorised for classified use. They can track this by implementing a checklist for equipment purchasing that flags unauthorised items.
- System owners should set up and maintain a log of authorised equipment for machines in SECRET areas, ensuring microphones and webcams are not listed without proper clearance. They can do this by keeping an updated Excel spreadsheet or similar tool accessible to authorised personnel only.
Audit / evidence tips
-
Askthe list of computers in SECRET areas: Request the inventory record detailing all devices and peripherals, focusing on audio and video equipment
Goodlist will clearly show that no unauthorised equipment is in use
-
Askto see purchase orders and invoices for equipment: Request recent purchase documentation to ensure compliance with restrictions
Goodresult shows no such purchases without explicit authorisation
-
Askthe logs of authorised equipment: Request access to the logs mentioned by the system owners, detailing equipment use in SECRET areas
-
Askemployees in SECRET areas about their understanding of the policy: Interview a random selection of staff to assess their awareness of microphone and webcam restrictions
Goodresult shows staff are universally aware and compliant
-
Aska demonstration of policy communication: Request records of communication to staff about this control, such as emails or meeting minutes
Goodincludes thorough and clear documentation of the communicated policy
Cross-framework mappings
How ISM-0559 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| Annex A 7.1 | ISM-0559 requires preventing use of microphones and webcams on non-SECRET workstations within SECRET areas to limit compromise opportunit... | |
| link Related (1) expand_less | ||
| Annex A 7.6 | Annex A 7.6 requires organisations to implement controls for working in secure areas that prevent compromise of sensitive information and... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.