ISM-1854 ASD Information Security Manual (ISM)

Require User Authentication for Multifunction Devices

Users must log in to use MFDs for printing, scanning, or copying.

Plain language

This rule is about making sure people log in before using multifunction devices like printers, scanners, or copiers. It matters because if devices are left wide open, someone could easily print or copy sensitive documents without permission, which could lead to privacy breaches or even identity theft.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Users authenticate to MFDs before they can print, scan or copy documents.

Why it matters

Without MFD user authentication, unauthorised people can print, scan or copy sensitive documents, increasing the risk of data breaches and privacy violations.

Operational notes

Enable authentication on all MFD functions (print/scan/copy), integrate with directory accounts, and review MFD access/audit logs regularly for unauthorised use.

Implementation tips

  • The IT team should set up user accounts on all multifunction devices in the office. They can do this by using the device's admin settings to create accounts and set default passwords, which users should change on their first login.
  • Office managers should educate employees on the new requirement to log in before using these devices. Host a short training session and send an information email explaining why logging in is important for protecting sensitive information.
  • Procurement should ensure any new multifunction devices bought have the capability for user authentication. They can do this by checking with vendors that devices support individual or group logins before purchase.
  • The HR department should update the employee onboarding process to include how to access these devices. This can be done by adding a step in the onboarding checklist that covers this training point.
  • System administrators should regularly review and update user access to the multifunction devices. This can be achieved by setting a reminder every quarter to check the list of authorised users and remove any who are no longer with the company.

Audit / evidence tips

  • Ask: The list of user accounts set up on the multifunction devices. Good: Set-up shows active accounts matching current employees and recent usage dates.
  • Ask: The procurement policy or recent purchase orders for multifunction devices. Good: Policy or order includes mentions of user log-in capabilities as a requirement.
  • Ask: A demonstration on how to log in to a multifunction device. Observe if the process requires a user name and password entry. Good: Process is quick, straightforward, and consistently implemented by all employees.

Cross-framework mappings

How ISM-1854 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.5: ISM-1854 requires users to authenticate to multifunction devices (MFDs) before they can print, scan or copy documents
Supports (1)
  • Annex A 5.17: ISM-1854 requires users to authenticate to MFDs before they can use print/scan/copy functions

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
