Control Access to Recording Devices in Secure Areas
Prevent unauthorised devices from entering areas where sensitive information is kept.
Plain language
This control is all about making sure that no one brings unauthorised cameras or recorders into areas where sensitive information is handled. Without this rule, someone could accidentally or intentionally capture secret information, putting the security of important data at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Aug 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for physical securitySection
Facilities and systemsOfficial control statement
Unauthorised photographic and video recording devices are not brought into SECRET and TOP SECRET areas.
Why it matters
If recording devices enter SECRET/TOP SECRET areas, they can covertly capture classified material and enable unauthorised disclosure.
Operational notes
Implement screening and signage at entry points, provide secure storage for devices, and ensure only approved equipment enters sensitive zones.
Implementation tips
- The office or facility manager should develop and communicate a clear policy: Create a rule that explains what kinds of recording devices can't be brought into secure areas. Make sure all staff and visitors are aware of this rule through regular communication, like emails or noticeboard announcements.
- Security personnel should set up a screening process: At the entrance of secure areas, check bags and belongings for unauthorised recording devices. This can be done with visual inspections or using metal detectors to ensure no one brings in gadgets by mistake.
- IT or security officers should provide secure storage: Create a designated storage area where people can safely leave their devices before entering secure zones. This storage should be easily accessible but secured by lock and key or another controlled mechanism.
- Administrators should train employees: Organise training sessions on the importance of this control and the risks involved with unauthorised recordings. Content should include examples of potential security breaches resulting from failure to follow this control.
- Managers should prominently display signage: Place signs at the entry points of secure areas to remind everyone about the no-device rule. These signs should be clear and visible, reiterating the importance of leaving recording devices outside.
Audit / evidence tips
- AskA copy of the security policy on devices: Request documentation outlining the policy for controlling recording devices in secure areas GoodWill be a detailed document that's up-to-date and communicated to all personnel
- AskEvidence of staff training sessions: Request training records that show when staff were trained on this policy
- AskTo see how devices are stored and managed when people enter secure areas GoodDemonstration will show secure and controlled storage available for device users
- AskTo see signage around secure areas
Cross-framework mappings
How ISM-2070 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 7.2 | ISM-2070 requires organisations to prevent unauthorised photographic and video recording devices from being brought into SECRET and TOP S... | |
| handshake Supports (1) expand_less | ||
| Annex A 7.1 | Annex A 7.1 requires organisations to define and use physical security perimeters to protect areas containing information and associated ... | |
| link Related (1) expand_less | ||
| Annex A 7.6 | Annex A 7.6 requires measures to control and protect activities and behaviours within secure areas | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.