If you use VoIP, manage it as a real system — secured, restricted, and monitored.
What it actually means
Voice over IP introduces network risk. Control and monitor it: restrict who can use it, secure the configuration, segment voice traffic where practical, and monitor for misuse. If you don't use VoIP, document that it's not applicable.
Pass or fail — an assessor needs a "yes" to each
- Is VoIP usage authorized, secured, and monitored (or documented as not used)?
- Is voice traffic segmented or restricted where practical?
What to have ready
- VoIP configuration and monitoring evidence
- Network segmentation for voice, or an N/A justification
Where teams trip up
- Treating the VoIP system as out of scope without documenting why
- Default, unhardened VoIP configurations