Develop and Maintain MFD Usage Policy
Establish a policy to guide the proper use of multifunction devices.
Plain language
This control is about creating and keeping up-to-date a set of guidelines on how to properly use machines like printers and scanners, known as multifunction devices or MFDs. This is important because without clear rules, people might use these devices in ways that could accidentally leak sensitive information or cause security risks.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systems
Section
Multifunction devices
Official control statement
An MFD usage policy is developed, implemented and maintained.
Why it matters
Improper MFD use can leak sensitive data via unattended prints, insecure scan-to-email settings, or unauthorised local storage, risking data breaches.
Operational notes
Maintain an MFD usage policy: enforce secure defaults, restrict address books, review scan destinations, require secure release printing, and keep firmware updated.
Implementation tips
- Office Manager should develop the MFD usage policy: Start by listing out what functions your devices can perform, like printing, scanning, and copying. Then, clearly describe how these functions should be used responsibly by staff, including securing documents and properly disposing of sensitive materials.
- IT team should implement access controls: They need to set up the devices so only authorised users can access certain functions. This can include setting up user accounts or card access systems for the MFDs to keep unauthorised people from using them.
- HR should train staff on the policy: Develop a training program that explains the MFD usage policy and why it's necessary. Use real-life examples of what can go wrong if the policy is not followed to help staff understand its importance.
- Procurement should ensure secure MFDs: When buying new devices, check that they have security features that match the policy requirements. Talk to vendors about your security needs to ensure they suggest devices that fit your policy.
- Compliance Officer should regularly review the policy: Schedule reviews every six months to ensure the policy remains relevant. Update the policy to reflect any changes in technology or company operations and ensure staff are informed about these updates.
Audit / evidence tips
- Ask: the current MFD usage policy document: Request to see the latest version of the policy that governs MFD usage
  Good: is a policy that is comprehensive and dated within the last six months
- Ask: training records: Request evidence that staff have been trained on MFD usage policy
  Good: shows that all staff have undergone training within the past year
- Ask: access control settings: Request a demo of the access control settings on the devices. Look to see if only authorised users have access to critical functions
  Good: demonstrates that access is restricted according to the policy
- Ask: procurement records for recent MFD purchases: Review documents to confirm the security features were considered in the procurement process
  Good: confirms that security was a key consideration in purchasing decisions
- Ask: policy review logs: Check the records of when and how the policy was last reviewed and updated
  Good: has a recent review with documented minutes and action items
Cross-framework mappings
How ISM-0588 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.1 | ISM-0588 requires a specific topic policy for the use of multifunction devices to be developed, implemented and maintained | |
| Supports (2) | | |
| Annex A 5.4 | ISM-0588 requires an organisation to have an MFD usage policy in place to direct secure and appropriate use of multifunction devices | |
| Annex A 5.36 | ISM-0588 requires an MFD usage policy to be developed, implemented and maintained to govern how MFDs are used | |
| Related (1) | | |
| Annex A 5.10 | Annex A 5.10 requires documented and implemented rules for acceptable use and handling of information and other assets | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.