Secure Video Conferencing and Telephony Systems
Ensure video and IP telephony systems are secured against threats.
Plain language
This control is about making sure your video conferencing and phone systems that use the internet are safe from hackers and other online threats. It’s important because if these systems aren't protected, sensitive conversations about your business could be intercepted, recorded, or disrupted by malicious actors, causing harm to your reputation and operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systemsOfficial control statement
Video conferencing and IP telephony infrastructure is hardened.
Why it matters
If conferencing or IP telephony isn’t hardened, attackers can intercept calls or hijack meetings, exposing sensitive discussions and damaging trust.
Operational notes
Apply vendor patches and harden VoIP/video configs: enforce SRTP/TLS, disable unused services/default accounts, restrict admin access, and review SIP/call logs.
Implementation tips
- The IT team should conduct a security assessment of current video conferencing and telephony systems. They can do this by reviewing existing configurations and checking for updates or patches that need to be applied. Use available tools or engage a security expert to identify vulnerabilities.
- System administrators should ensure encryption is enabled on all video calls and internet-based phone lines. They can do this by configuring the system settings to use encryption protocols, such as end-to-end encryption, that block unauthorised access to conversations.
- The office manager should organise training sessions for staff on secure usage practices. This includes instructing users on not sharing meeting links in public forums, using strong passwords, and recognising suspicious activity during calls.
- Procurement should review service agreements with video conferencing and telephony providers. They need to verify that vendors adhere to industry security standards and have a clear process for security updates and breach notifications.
- The IT team should implement network segmentation for these systems. This involves setting up separate networks for video conferencing and telephony equipment, reducing the risk that a breach in one area impacts the entire network. They can do this by configuring firewalls and network policies accordingly.
Audit / evidence tips
- AskThe security assessment report: Request documentation showing a recent security assessment of the video and telephony systems GoodWill show identified risks that were mitigated promptly and effectively
- AskStaff training records: Request evidence of security training sessions held for staff. Look through attendance records and training materials GoodOutcome should show regular training with noted improvements or feedback from participants
Cross-framework mappings
How ISM-1562 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 8.9 | ISM-1562 requires hardening of video conferencing and IP telephony infrastructure through secure configurations | |
| Annex A 8.20 | ISM-1562 requires video conferencing and IP telephony infrastructure to be hardened to reduce exposure to compromise | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 8.22 | ISM-1562 mandates hardening of video conferencing and IP telephony infrastructure, often implementing network segregation as a technique | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.