Prohibit the Use of Fax Machines for Messages
Fax machines and online fax services should not be used to send or receive messages.
Plain language
This control means you shouldn't use fax machines or online fax services to send or receive messages. This is important because faxes can be intercepted or received by the wrong person, risking the leakage of sensitive information or privacy breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systemsSection
Fax machines and servicesOfficial control statement
Fax machines, and online fax services, are not used for sending or receiving fax messages.
Why it matters
Allowing fax machines or online fax services can expose sensitive data via misdialled numbers, interception, or untrusted third-party handling.
Operational notes
Confirm no physical fax devices, fax-enabled printers or online fax services exist; periodically review vendor contracts, phone lines and user requests for reintroduction.
Implementation tips
- Office managers should phase out existing fax machines by setting a clear deadline for discontinuation. Determine any ongoing dependencies on fax technology and coordinate with each department to transition to secure communication methods like email or secure messaging platforms.
- IT teams should disable fax capabilities on multifunctional devices. Check all devices for fax functionality and ensure that the option to send or receive faxes is deactivated or removed from settings to comply with this control.
- Procurement departments should update purchasing policies to exclude fax machines. Ensure all new office equipment acquisitions strictly follow updated policies by specifying that devices capable of faxing are not purchased or leased.
- HR should run an awareness campaign for staff about the risks of using fax. Create and send out a memo or conduct a short training session to explain why faxes are banned and which secure alternatives are now in place.
- The IT team should implement and promote secure digital alternatives. Set up secure file transfer protocols or encrypted email as alternatives, providing training and support to staff on how to use these new tools effectively.
Audit / evidence tips
- AskAn inventory report of office equipment: Verify that no devices include fax as an active feature GoodIs a current report showing all devices with fax functions removed or disabled
- GoodIs a well-distributed policy document with clear directives on secure communication
- AskStaff training records: Check for evidence of training conducted about the new policy and secure communication tools GoodIncludes dated records of training sessions with clear content related to the change
- GoodIs active usage logs and positive adoption feedback from staff
- AskProcurement records: Verify that recent equipment purchases follow the updated policy GoodIncludes recent procurement documents with clear terms excluding faxes
Cross-framework mappings
How ISM-2075 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.10 | ISM-2075 prohibits organisations from using fax machines or online fax services to send or receive fax messages | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.