Removal of unsupported software and applications
Remove office, browser, and security software that is no longer supported by the vendor.
Plain language
Removing software that is no longer supported by its vendor is crucial because outdated software can expose your organisation to security threats. Once the vendor stops releasing updates, security holes in these programs are never fixed, and cybercriminals can exploit them, potentially leading to data breaches or malware attacks.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Patch applications
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.
Why it matters
Failure to remove unsupported software leaves systems vulnerable to exploits, increasing the risk of breaches and costly remediation efforts.
Operational notes
Audit browsers, Office/PDF apps, email clients, extensions and security tools; remove vendor-unsupported versions promptly.
Implementation tips
- System administrators should regularly review the list of installed software to identify any that is no longer supported by its vendor.
- The IT team must update the organisation's inventory to include the end-of-support dates for all critical software as part of its asset management process.
- The security officer should enforce a policy that requires immediate removal of unsupported software to ensure compliance with security protocols.
- IT personnel should use automated tools or software management platforms to scan and report on software versions and their support status.
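One way to combine the tips above into a repeatable check, shown as an added example (not part of the control text or any vendor tool): it compares a scanned software inventory against the end-of-support dates held in the asset register and lists what must be removed. Product names, hosts and dates are constructed placeholders, and the `review` function is hypothetical.

```python
from datetime import date

# Categories named in the official control statement.
IN_SCOPE = {"office suite", "web browser", "browser extension", "email client",
            "pdf software", "adobe flash player", "security product"}

# Constructed asset-register extract: (product, major version) -> end-of-support date.
# Placeholder values; populate from the vendor's published lifecycle dates.
SUPPORT_DATES = {
    ("ExampleOffice", "2013"): date(2023, 4, 11),
    ("ExampleOffice", "2021"): date(2026, 10, 13),
    ("ExampleBrowser", "98"): date(2022, 6, 1),
    ("ExamplePDF", "11"): date(2017, 10, 15),
}

# Constructed scan output: host, product, major version, category.
INVENTORY = [
    ("ws-001", "ExampleOffice", "2013", "office suite"),
    ("ws-001", "ExampleBrowser", "98", "web browser"),
    ("ws-002", "ExampleOffice", "2021", "office suite"),
    ("ws-002", "ExampleMail", "7", "email client"),    # no date in the register
    ("ws-003", "ExamplePDF", "11", "pdf software"),
    ("ws-003", "ExampleCAD", "4", "engineering"),      # outside this control
]

def review(inventory, support_dates, today):
    """Return (host, product, version, status) for in-scope items needing action."""
    findings = []
    for host, product, version, category in inventory:
        if category.lower() not in IN_SCOPE:
            continue
        eos = support_dates.get((product, version))
        if eos is None:
            # A missing date is a finding too: support status cannot be evidenced.
            status = "UNKNOWN: no end-of-support date recorded"
        elif eos < today:
            # Software is treated as supported up to and including the end date.
            status = f"REMOVE: unsupported since {eos.isoformat()}"
        else:
            continue
        findings.append((host, product, version, status))
    return findings

if __name__ == "__main__":
    for row in review(INVENTORY, SUPPORT_DATES, date(2026, 3, 19)):
        print(*row, sep="\t")
```

Saving each run's output with its date gives the dated reports and logs described under the audit tips.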
Audit / evidence tips
- Ask: How do you determine which software is unsupported by vendors?
- Good: The organisation maintains a current list of all software with vendor support dates, and unsupported software is promptly removed.
- Ask: How do you ensure unsupported applications are removed in a timely manner?
- Good: Regular reports show timely removal of unsupported software, backed by detailed logs.
Cross-framework mappings
How E8-PA-ML1.9 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1654 | ISM-1654 requires Internet Explorer 11 to be disabled or removed | |
| Partially overlaps (7) | | |
| ISM-0304 | E8-PA-ML1.9 requires removal of specific common application categories when they are no longer supported by vendors | |
| ISM-1247 | ISM-1247 requires unneeded user accounts, components, services and functionality of server applications to be disabled or removed | |
| ISM-1467 | ISM-1467 requires organisations to ensure the latest releases of office suites, web browsers and extensions, email clients, PDF applicati... | |
| ISM-1753 | E8-PA-ML1.9 requires organisations to remove specific categories of end-user software when vendor support ends | |
| ISM-1809 | E8-PA-ML1.9 requires organisations to remove specified software products once vendor support ends | |
| ISM-1848 | ISM-1848 requires replacing an isolation mechanism or underlying OS when vendor support ends, ensuring server security | |
| ISM-1981 | ISM-1981 requires that unsupported non-internet-facing network devices are replaced to avoid security gaps caused by lack of vendor fixes | |
| Supports (2) | | |
| ISM-0298 | E8-PA-ML1.9 requires removal of specified software products once they are no longer supported by the vendor | |
| ISM-1643 | E8-PA-ML1.9 requires organisations to remove software that is no longer vendor-supported | |
| Related (1) | | |
| ISM-1704 | ISM-1704 requires that specific categories of vendor-unsupported software (e.g | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.