Restricting Devices in Top Secret Areas
Do not use microphones or webcams with non-Top Secret devices in Top Secret areas.
Plain language
In areas where sensitive Top Secret information is handled, it's crucial not to use microphones or webcams from devices that aren't authorised for Top Secret work. This is important because these devices can unintentionally record or transmit classified discussions, potentially leading to information leaks that could harm national security.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systemsTopic
Microphones and WebcamsOfficial control statement
Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas.
Why it matters
Using microphones or webcams with non-TOP SECRET workstations in TOP SECRET areas can record classified audio/video and leak TOP SECRET information.
Operational notes
Audit TOP SECRET areas for microphones/webcams on non-TOP SECRET workstations; remove unauthorised devices and document any exceptions and approvals.
Implementation tips
- The security manager should create a policy that clearly states microphones and webcams are prohibited on non-Top Secret devices in Top Secret areas. They can do this by drafting a written policy and sharing it during staff meetings and in official communications to ensure everyone understands the rule.
- IT support personnel should regularly check work areas to ensure compliance with this control. They can do this by scheduling routine inspections where they verify that no unauthorised devices are connected to workstations in these high-security zones.
- Managers need to educate their teams about why this control is in place. They should organise training sessions or briefings where they explain the risks of using non-authorised devices and how such breaches might occur.
- The procurement officer should ensure that any devices purchased for use in Top Secret areas are compliant with security guidelines. They can do this by consulting with the security manager to understand the specifications needed for safe device use.
- HR departments should include this control in the company's onboarding process. They can incorporate a checklist that new employees must review and sign, acknowledging their understanding and agreement to adhere to security policies regarding device use.
Audit / evidence tips
- AskThe security policy documentation: Request to see the specific policies that prohibit the use of microphones and webcams on non-Top Secret devices in Top Secret areas GoodIs a policy document that is current, clearly communicated, and acknowledged by staff
- GoodIs a record showing consistent checks with no recent violations reported
- AskTraining attendance logs: Request logs or records showing who attended training or informational sessions on this control GoodShows regular training with comprehensive coverage of relevant security topics
- AskTo see the checklist used by procurement when purchasing devices for Top Secret areas GoodShows compliance checks are standard practice in procurement
- AskThe documents used in onboarding new employees concerning device use GoodIncludes signed acknowledgements from each new employee indicating their understanding of these policies
Cross-framework mappings
How ISM-1450 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| handshake Supports (2) expand_less | ||
| Annex A 8.1 | ISM-1450 reduces the risk of unauthorised capture or exfiltration of sensitive discussions and visuals by preventing microphones and webc... | |
| Annex A 8.9 | ISM-1450 requires a specific configuration/usage state in TOP SECRET areas: non-TOP SECRET workstations must not be used with microphones... | |
| link Related (1) expand_less | ||
| Annex A 7.6 | Annex A 7.6 requires organisations to implement security measures governing what is permitted when working in secure areas | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.