ISM-1036, ASD Information Security Manual (ISM)

Locating Multifunction Devices for Oversight

Ensure multifunction devices are in viewable areas to monitor their usage.

Plain language

Multifunction devices, like printers, scanners, and copiers, should be placed where people can easily see them. This helps prevent fraud or misuse because if these devices are out of sight, someone might use them to print sensitive information without being noticed.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2025

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

MFDs are located in areas where their use can be observed.
ASD Information Security Manual (ISM), ISM-1036

Why it matters

Without visible placement, MFD misuse may go unnoticed, increasing the risk of sensitive documents being copied, scanned or printed without detection.

Operational notes

Each quarter, confirm that every MFD is in a line-of-sight area (e.g., reception or open office) and not in an isolated room; document locations and remediate any blind spots.

Implementation tips

  • The office manager should identify high-traffic areas in the office, like hallway corners or near the reception, for placing multifunction devices. This ensures they are easily visible and their use can be monitored casually by staff walking by.
  • The IT team should work with the facility manager to map out the current layout of multifunction devices. They should then adjust their locations if needed, based on the visibility checklist to ensure all devices are in monitoring zones.
  • Managers should set up regular check-ins with staff to discuss the importance of monitoring the use of multifunction devices. Building this awareness among employees can help identify any suspicious or inappropriate use.
  • Security personnel should implement simple logging for multifunction devices to track usage patterns. This can involve regularly reviewing print logs or using built-in device features to generate usage reports.
  • The HR department should include guidelines on the secure use of multifunction devices in staff induction programs. Training should cover how to recognise and report suspicious activity involving these devices.

Audit / evidence tips

  • Ask: A map showing multifunction device locations throughout the office. Look to see if devices are placed in areas that are easy to observe. Good: Map will show devices in open spaces where multiple employees have line-of-sight access.
  • Good: Will have records showing normal usage that aligns with work hours and typical business operations.
  • Ask: To see policies or guidelines on monitoring device use. Good: Guideline will include specific steps and contacts for reporting suspicious behaviours.

Cross-framework mappings

How ISM-1036 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (2)
Annex A 7.3 ISM-1036 requires organisations to position MFDs so their use is observable, providing physical oversight of printing, scanning and copyi...
Annex A 7.8 ISM-1036 requires multifunction devices (MFDs) to be located in areas where their use can be observed to provide day-to-day oversight and...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
