Develop and Maintain Telephone System Usage Policy
Create and keep a policy for how phones should be used within the organisation.
Plain language
This control is about making sure your organisation has a clear, up-to-date policy on how employees should use telephones at work. It matters because without guidelines, there can be misuse, like long personal calls or data leaks through unsecured phone conversations. This can lead to increased costs or risk of sensitive information falling into the wrong hands.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systems
Section
Telephone systems
Official control statement
A telephone system usage policy is developed, implemented and maintained.
Why it matters
Without a telephone system usage policy, staff may share sensitive data over insecure calls and incur unauthorised call charges, increasing fraud and privacy breach risk.
Operational notes
Review phone/PBX logs for unusual calling patterns, define permitted use and recording rules, and update the policy when new telephony or messaging features are introduced.
Implementation tips
- The organisation's management team should draft a telephone system usage policy. They can start by listing what is acceptable and not acceptable when it comes to using phones at work, like limiting international calls or avoiding discussing confidential information in public spaces. Involve teams like IT and HR to cover technical and behavioural aspects.
- HR should communicate this policy to all employees. They can organise an orientation session or send an email with a clear summary of the policy, ensuring everyone knows what's expected. Include examples so employees can relate to what's permissible and what's not.
- IT should implement technical measures that support the policy, like call logging or blocking premium numbers if required. They can set up tools to monitor phone usage patterns ensuring they align with the policy and alert management to any violations.
- Line managers should discuss the policy during team meetings to reinforce its importance. They can refer to past examples (anonymised, if necessary) where misuse was problematic and the consequences faced to drive home the policy's relevance.
- The policy should be reviewed annually by a cross-functional team, including management, HR, and IT. This team should evaluate if changes in technology or business operations require policy updates, ensuring it remains relevant.
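The operational notes and the IT implementation tip above ask for call logging and monitoring of phone usage against the policy. The following Python script is an added example of that check and is not part of the ISM control text or any vendor tool: it parses a small set of constructed call detail records (CDR) and flags calls that fall outside an assumed policy. The CDR layout, the premium-rate and international dial prefixes, the business-hours window and the thresholds are all assumptions chosen for the example and should be replaced with the organisation's own policy values and PBX export format.

```python
"""Flag PBX call records that fall outside a telephone system usage policy.

Added example, not part of ISM-1078 or any product. The CDR format, dial
prefixes and thresholds below are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample CDR export: timestamp, extension, dialled number, duration (s).
SAMPLE_CDR = """\
2024-05-06T09:12:00,ext201,0293001234,180
2024-05-06T09:40:00,ext201,0293001234,95
2024-05-06T10:05:00,ext305,1900123456,420
2024-05-06T22:30:00,ext305,0011441632960000,1500
2024-05-06T11:00:00,ext118,0412345678,60
2024-05-06T11:20:00,ext118,0412345678,60
2024-05-06T11:40:00,ext118,0412345678,60
2024-05-06T12:00:00,ext118,0412345678,60
2024-05-06T12:20:00,ext118,0412345678,60
2024-05-06T12:40:00,ext118,0412345678,60
"""


@dataclass(frozen=True)
class Policy:
    """Assumed policy limits; values are placeholders, not ISM requirements."""
    premium_prefixes: tuple = ("1900",)     # assumed premium-rate prefix
    international_prefix: str = "0011"      # assumed international dial prefix
    business_hours: tuple = (8, 18)         # international calls allowed 08:00-18:00
    max_call_seconds: int = 1200            # 20 minutes
    max_calls_per_ext_per_day: int = 5      # repeated-dialling threshold


@dataclass(frozen=True)
class Call:
    when: datetime
    ext: str
    number: str
    seconds: int


def parse_cdr(text):
    """Parse comma-separated CDR lines; blank lines and '#' comments are skipped."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ext, number, secs = line.split(",")
        calls.append(Call(datetime.fromisoformat(ts), ext, number, int(secs)))
    return calls


def check_calls(calls, policy=Policy()):
    """Return (extension, reason, detail) tuples for calls outside the policy."""
    findings = []
    per_day = defaultdict(int)
    start, end = policy.business_hours
    for c in calls:
        if c.number.startswith(policy.premium_prefixes):
            findings.append((c.ext, "premium-rate number", c.number))
        if c.number.startswith(policy.international_prefix) and not (start <= c.when.hour < end):
            findings.append((c.ext, "international call outside business hours", c.number))
        if c.seconds > policy.max_call_seconds:
            findings.append((c.ext, "call exceeds duration limit", c.number))
        per_day[(c.ext, c.when.date())] += 1
    # Volume check runs after all records are counted.
    for (ext, day), n in per_day.items():
        if n > policy.max_calls_per_ext_per_day:
            findings.append((ext, f"{n} calls in one day exceeds limit", str(day)))
    return findings


if __name__ == "__main__":
    for ext, reason, detail in check_calls(parse_cdr(SAMPLE_CDR)):
        print(f"{ext}: {reason} ({detail})")
```

The output of such a script is the kind of usage-monitoring report the audit tips ask for: each finding names the extension, the policy rule breached and the number or date involved, which gives the reviewer something concrete to record alongside the action taken. In practice the number prefixes and thresholds come from the written policy, and the script would read the PBX's real CDR export rather than the embedded sample.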
Audit / evidence tips
- Ask for the written telephone system usage policy: ensure there is a documented policy that is actively shared with employees. Good: a policy that is detailed but clear, covering all necessary points without being overly complex.
- Ask for records of policy communication: this could be emails or attendance records from policy briefings. Good: evidence showing 100% of current employees have received and acknowledged the policy.
- Ask to see reports of phone usage monitoring: these should show compliance with the restriction measures set by the policy. Good: details of when calls fall outside policy norms and the action taken thereafter.
- Ask for a list of policy review dates and changes made: confirm the policy has been reviewed annually or as needed. Good: a documented timeline of reviews showing continuous improvement.
- Ask to speak with a sample of employees: verify their understanding of the policy and any concerns they might have. Good: employees accurately recounting the rules and their purpose.
Cross-framework mappings
How ISM-1078 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.1 | ISM-1078 requires a specific topic policy for telephone system usage to be developed, implemented, and maintained |
| Partially meets | Annex A 5.10 | ISM-1078 requires an organisation to develop, implement, and maintain a telephone system usage policy |
| Partially overlaps | Annex A 5.4 | Annex A 5.4 requires management to ensure personnel comply with the organisation's information security policies and procedures |
| Depends on | Annex A 5.36 | Annex A 5.36 requires regular review of compliance with the organisation's information security policies, topic-specific policies, rules ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.