ISM-0588 policy ASD Information Security Manual (ISM)

Develop and Maintain MFD Usage Policy

Establish a policy to guide the proper use of multifunction devices.


Plain language

This control is about creating and keeping up to date a set of guidelines on how to properly use machines like printers and scanners, known as multifunction devices or MFDs. This is important because without clear rules, people might use these devices in ways that could accidentally leak sensitive information or cause security risks.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2025

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

An MFD usage policy is developed, implemented and maintained.

Why it matters

Improper MFD use can leak sensitive data via unattended prints, insecure scan-to-email settings, or unauthorised local storage, risking data breaches.


Operational notes

Maintain an MFD usage policy: enforce secure defaults, restrict address books, review scan destinations, require secure release printing, and keep firmware updated.


Implementation tips

  • Office Manager should develop the MFD usage policy: Start by listing out what functions your devices can perform, like printing, scanning, and copying. Then, clearly describe how these functions should be used responsibly by staff, including securing documents and properly disposing of sensitive materials.
  • IT team should implement access controls: They need to set up the devices so only authorised users can access certain functions. This can include setting up user accounts or card access systems for the MFDs to keep unauthorised people from using them.
  • HR should train staff on the policy: Develop a training program that explains the MFD usage policy and why it's necessary. Use real-life examples of what can go wrong if the policy is not followed to help staff understand its importance.
  • Procurement should ensure secure MFDs: When buying new devices, check that they have security features that match the policy requirements. Talk to vendors about your security needs to ensure they suggest devices that fit your policy.
  • Compliance Officer should regularly review the policy: Schedule reviews every six months to ensure the policy remains relevant. Update the policy to reflect any changes in technology or company operations and ensure staff are informed about these updates.

Audit / evidence tips

  • Ask: The current MFD usage policy document: Request to see the latest version of the policy that governs MFD usage. Good: Is a policy that is comprehensive and dated within the last six months.
  • Ask: Training records: Request evidence that staff have been trained on MFD usage policy. Good: Shows that all staff have undergone training within the past year.
  • Ask: Access control settings: Request a demo of the access control settings on the devices. Look to see if only authorised users have access to critical functions. Good: Demonstrates that access is restricted according to the policy.
  • Ask: Procurement records for recent MFD purchases: Review documents to confirm the security features were considered in the procurement process. Good: Confirms that security was a key consideration in purchasing decisions.
  • Ask: Policy review logs: Check the records of when and how the policy was last reviewed and updated. Good: Has a recent review with documented minutes and action items.

Cross-framework mappings

How ISM-0588 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 5.1: ISM-0588 requires a specific topic policy for the use of multifunction devices to be developed, implemented and maintained

Supports (2)

  • Annex A 5.4: ISM-0588 requires an organisation to have an MFD usage policy in place to direct secure and appropriate use of multifunction devices
  • Annex A 5.36: ISM-0588 requires an MFD usage policy to be developed, implemented and maintained to govern how MFDs are used

Related (1)

  • Annex A 5.10: Annex A 5.10 requires documented and implemented rules for acceptable use and handling of information and other assets

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
