Implement Individual Logins for Secure IP Phone Use
Ensure each user has a unique login when using IP phones for secret conversations.
Plain language
This control means making sure each person using an IP phone for a confidential chat has their own unique login. Without this, anyone could listen in on private conversations, risking leaks of sensitive information that could harm your business or client trust.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systems
Official control statement
Individual logins are implemented for IP phones used for SECRET or TOP SECRET conversations.
Why it matters
If IP phones used for SECRET/TOP SECRET calls lack individual logins, users can’t be verified, enabling unauthorised use and weakening call accountability.
Operational notes
Ensure each secure IP phone has a unique user login, promptly disable departed users, and regularly review account-to-handset assignments for SECRET/TOP SECRET use.
Implementation tips
- The IT team should set up individual user accounts for each employee using IP phones. This means creating a unique username and password for each person based on their organisational role and authorising these through a secure system.
- Managers should ensure that staff are trained on how to use their unique logins securely. This involves conducting brief sessions to explain the importance of keeping login details private and demonstrating how to log in and out properly.
- HR should update onboarding and offboarding processes to include steps for issuing and revoking IP phone logins. New employees should receive their logins upon arrival, and their access should be removed immediately when they leave.
- The IT team should regularly review user access to IP phones. This involves checking logs to ensure that only current employees have active logins and removing any unnecessary accounts.
- The system owner should implement a policy that requires regular password changes for IP phone logins. They can set up the phones to prompt users for a new password every three months, ensuring continued security.
Audit / evidence tips
- Ask for the login policy document: Request to see a written policy outlining the need for individual logins for IP phones
  Good: includes policies dated and signed by management
- Ask to see the user account list: Request a current list of all user accounts that can access IP phones
  Good: shows up-to-date accounts with no excess or leftover entries
- Ask for training records: Request documentation of the training sessions provided to staff on using IP phone logins securely
  Good: includes recent records of sessions with clear content coverage
- Ask to see logs of IP phone access: Request access logs showing who logged into IP phones and when
  Good: includes logs with no suspicious or unauthorised entries
- Ask for the onboarding and offboarding checklist: Request the checklist used by HR when employees join or leave
  Good: features a checklist that includes specific actions for managing these logins
Cross-framework mappings
How ISM-1014 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| Annex A 5.15 | ISM-1014 requires individual logins for IP phones used for SECRET or TOP SECRET conversations to ensure user-specific access and accounta... | |
| Annex A 5.17 | ISM-1014 requires individual (unique) logins to be implemented for IP phones used for SECRET or TOP SECRET conversations | |
| Annex A 8.5 | ISM-1014 requires individual logins for secure use of IP phones for SECRET or TOP SECRET conversations, implying a need for robust user a... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.