Use Lower-Powered Wireless Access Points for Coverage
Deploy many low-power wireless access points to cover an area instead of few high-power ones.
Plain language
This control is about using many small wireless devices with lower power instead of just a few big ones to cover a building with Wi-Fi. It matters because using fewer, high-powered devices can lead to signal overlap, causing interference and making your network less secure and efficient. With smaller, low-power devices, you have better control over where the Wi-Fi goes, making it harder for unwanted people outside your building to access your network.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint for wireless networks.
Why it matters
Without a greater number of low-power access points, wireless coverage can extend beyond the premises, increasing the risk of unauthorised access and data breaches.
Operational notes
Review access point placement and transmit power so coverage meets the required footprint without leaking outside the premises; retune channels after layout changes.
Implementation tips
- The IT team should map out the areas where Wi-Fi is needed. They should walk through the building to determine which rooms and spaces need coverage and note any physical barriers that might affect signal strength.
- The procurement team should buy multiple low-powered access point devices. This means checking the technical specifications to ensure they can be set to lower broadcasting power and making sure they have enough devices to cover all the identified areas.
- The IT team should install the access points strategically around the building. They should place them to ensure there’s no overlap between their coverage areas and adjust the power settings to cover just the necessary areas.
- The IT team should test the network coverage once installed. They should walk through the areas with a device connected to Wi-Fi to check for blind spots and adjust the position or power of access points if needed.
- The office manager should regularly check Wi-Fi performance feedback from staff. They should gather input on any issues with network connectivity and pass these to the IT team for troubleshooting and improvement.
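One way to evaluate the walk-test readings gathered in the steps above, as an added example that is not part of the ISM or of this page's source. The -67 dBm and -80 dBm thresholds, the access point names and the survey readings are constructed assumptions; the script flags leakage outside the premises and shows which inside points would lose coverage once the leaking unit's power is cut.

```python
# Added example: thresholds and survey data are assumptions, not ISM values.
MIN_INSIDE_DBM = -67   # assumed weakest acceptable signal inside the footprint
MAX_OUTSIDE_DBM = -80  # assumed strongest acceptable signal outside the premises

# Constructed walk-test readings: (survey point, zone, access point, RSSI in dBm)
SURVEY = [
    ("meeting-room-1", "inside", "ap-01", -55),
    ("meeting-room-1", "inside", "ap-02", -74),
    ("lobby", "inside", "ap-01", -62),
    ("store-room", "inside", "ap-02", -79),
    ("car-park", "outside", "ap-01", -71),
    ("car-park", "outside", "ap-02", -88),
    ("street-front", "outside", "ap-02", -84),
]


def assess(readings, min_inside=MIN_INSIDE_DBM, max_outside=MAX_OUTSIDE_DBM):
    """Return (blind_spots, leaks) for a set of survey readings.

    blind_spots: inside points whose strongest access point is below min_inside.
    leaks: {access point: dB by which its strongest outside reading exceeds
    max_outside}, i.e. the smallest transmit power cut that removes the leak.
    """
    best_inside, strongest_outside = {}, {}
    for point, zone, ap, rssi in readings:
        if zone == "inside":
            best_inside[point] = max(rssi, best_inside.get(point, rssi))
        elif zone == "outside":
            strongest_outside[ap] = max(rssi, strongest_outside.get(ap, rssi))
        else:
            raise ValueError(f"unknown zone {zone!r} at {point}")
    blind_spots = sorted(p for p, r in best_inside.items() if r < min_inside)
    leaks = {ap: r - max_outside
             for ap, r in strongest_outside.items() if r > max_outside}
    return blind_spots, leaks


def apply_power_cuts(readings, cuts_db):
    """Predict readings after lowering each access point's transmit power.

    Modelling assumption: an N dB cut lowers that unit's RSSI by N dB everywhere.
    """
    return [(p, z, ap, rssi - cuts_db.get(ap, 0)) for p, z, ap, rssi in readings]


if __name__ == "__main__":
    blind, leaks = assess(SURVEY)
    print("as surveyed:", blind, leaks)
    blind_after, leaks_after = assess(apply_power_cuts(SURVEY, leaks))
    # Points that go blind after the cut are where an extra low-power unit goes.
    print("after cuts: ", blind_after, leaks_after)
```

Points that appear as blind spots only after the power cut mark where an additional low-power unit is needed, which is the trade the control statement describes.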
Audit / evidence tips
- Ask for the network layout and equipment list: Request the documents that show where each low-powered access point is installed and the data on their power settings.
  Good is a well-labelled network map with clear positioning and power levels listed for each unit.
- Ask to see the Wi-Fi coverage test results: Request records from when the IT team tested the coverage of Wi-Fi after installation.
  Good shows areas were tested, identifies issues, and notes corrective actions taken.
- Ask for a maintenance schedule and logs: Request the document showing when Wi-Fi performance has been reviewed or adjusted.
  Good includes regular reviews with documented findings and updates.
- Ask about staff feedback records: Request evidence of how staff feedback on Wi-Fi performance is gathered and addressed.
  Good shows systematic collection of feedback and logs corrective actions taken.
- Ask to see security reports on unauthorised attempts to access the network: Request logs or summaries of detected attempts from outside the building.
  Good is a clear process showing how network boundaries are monitored and secured.
Cross-framework mappings
How ISM-1338 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.20 | ISM-1338 requires organisations to engineer Wi-Fi coverage using a greater number of lower-powered wireless access points rather than few... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.