ISM-1036 ASD Information Security Manual (ISM)

Locating Multifunction Devices for Oversight

Ensure multifunction devices are in viewable areas to monitor their usage.

Preventative Non-classified OFFICIAL: Sensitive PROTECTED SECRET TOP SECRET Logging and monitoring Secure facilities ASD Information Security Manual Guidelines for information technology equipment

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Guideline

Guidelines for communications systems

Section

Multifunction devices

Topic

Observing Multifunction Device Use

Official control statement

MFDs are located in areas where their use can be observed.

Source: ASD Information Security Manual (ISM)

Plain language

Multifunction devices, like printers, scanners, and copiers, should be placed where people can easily see them. This helps prevent fraud or misuse because if these devices are out of sight, someone might use them to print sensitive information without being noticed.

Why it matters

Without visible placement, MFD misuse may go unnoticed, increasing the risk of sensitive documents being copied, scanned or printed without detection.

Operational notes

Quarterly confirm each MFD is in a line-of-sight area (e.g., reception/open office) and not in isolated rooms; document locations and remediate any blind spots.

Implementation tips

The office manager should identify high-traffic areas in the office, like hallway corners or near the reception, for placing multifunction devices. This ensures they are easily visible and their use can be monitored casually by staff walking by.
The IT team should work with the facility manager to map out the current layout of multifunction devices. They should then adjust their locations if needed, based on the visibility checklist to ensure all devices are in monitoring zones.
Managers should set up regular check-ins with staff to discuss the importance of monitoring the use of multifunction devices. Building this awareness among employees can help identify any suspicious or inappropriate use.
Security personnel should implement simple logging for multifunction devices to track usage patterns. This can involve regularly reviewing print logs or using built-in device features to generate usage reports.
The HR department should include guidelines on the secure use of multifunction devices in staff induction programs. Training should cover how to recognise and report suspicious activity involving these devices.

Audit / evidence tips

Ask: a map showing multifunction device locations throughout the office: Look to see if devices are placed in areas that are easy to observe

Good: map will show devices in open spaces where multiple employees have line-of-sight access
Good: will have records showing normal usage that aligns with work hours and typical business operations
Ask: to see policies or guidelines on monitoring device use

Good: guideline will include specific steps and contacts for reporting suspicious behaviours

Cross-framework mappings

How ISM-1036 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control	Notes	Details
Partially meets (2)
Annex A 7.3	ISM-1036 requires organisations to position MFDs so their use is observable, providing physical oversight of printing, scanning and copyi...
Annex A 7.8	ISM-1036 requires multifunction devices (MFDs) to be located in areas where their use can be observed to provide day-to-day oversight and...