Unsupported online services are removed by the organization
Remove online services that the vendor no longer supports to enhance security.
Plain language
This control is about removing any online services that the vendor no longer supports. It matters because unsupported services no longer receive security updates, making them easy targets for hackers. Without this control, your organisation could face data breaches and cyber attacks, as these outdated services act like open doors for cyber criminals.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Patch applications
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Online services that are no longer supported by vendors are removed.
Why it matters
Leaving unsupported online services in place exposes them to known vulnerabilities with no vendor patches, increasing the likelihood of compromise and data loss.
Operational notes
Maintain an inventory of internet-facing services, track vendor end-of-support dates, and decommission or replace services promptly when support ends.
Implementation tips
- IT team should conduct an inventory review to identify unsupported online services by checking vendor support policies and software versions.
- The system administrator needs to uninstall unsupported services by using available uninstallation tools or methods recommended by the vendor.
- Security officer should ensure the use of automated tools that regularly scan and report on the status of online services to flag unsupported ones.
- The IT team should set up alerts with vendors to receive notifications about end-of-support dates for services directly impacting the organisation.
- Business owners should communicate with their IT team to confirm which services are mission-critical and find supported alternatives if they're unsupported.
Audit / evidence tips
-
AskWhat process does the organisation use to identify unsupported online services?
-
GoodThe organisation provides a regularly updated list showing current support status and actions taken to remove or replace unsupported services
-
AskHow does the organisation confirm that unsupported services are removed?
-
GoodThe removal of unsupported services is documented with timestamps and confirmations from the IT team
Cross-framework mappings
How E8-PA-ML1.8 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (4) expand_less | ||
| ISM-0304 | E8-PA-ML1.8 requires organisations to remove online services that are no longer supported by vendors | |
| ISM-1704 | ISM-1704 requires removing vendor-unsupported end-user and security software from systems | |
| ISM-1809 | E8-PA-ML1.8 requires organisations to remove online services that are no longer supported by vendors | |
| ISM-1981 | ISM-1981 requires that non-internet-facing network devices that are no longer supported by vendors are replaced to reduce exposure from u... | |
| link Related (1) expand_less | ||
| ISM-1905 | E8-PA-ML1.8 requires organisations to remove online services that are no longer supported by vendors | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.