Removal of unsupported software and applications
Remove office, browser, and security software that is no longer supported by the vendor.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Preventative
🛠️ E8 mitigation strategy
Patch applications
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML1
Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.
Source: ASD Essential Eight
Plain language
Removing software that is no longer supported by its vendor is crucial because it no longer receives security updates. Vulnerabilities found after support ends stay unpatched, and cybercriminals can exploit them, potentially leading to data breaches or malware attacks.
Why it matters
Failure to remove unsupported software leaves systems vulnerable to exploits, increasing the risk of breaches and costly remediation efforts.
Operational notes
Audit browsers, Office/PDF apps, email clients, extensions and security tools; remove vendor-unsupported versions promptly.
Implementation tips
- System administrators should regularly review the list of installed software to identify any that is no longer supported by its vendor.
- The IT team must update the organisation's inventory to include the end-of-support dates for all critical software as part of its asset management process.
- The security officer should enforce a policy that requires immediate removal of unsupported software to ensure compliance with security protocols.
- IT personnel should use automated tools or software management platforms to scan and report on software versions and their support status.
Audit / evidence tips
- Ask: How do you determine which software is unsupported by vendors?
- Good: The organisation maintains a current list of all software with vendor support dates, and unsupported software is promptly removed.
- Ask: How do you ensure unsupported applications are removed in a timely manner?
- Good: Regular reports show timely removal of unsupported software, backed by detailed logs.
Cross-framework mappings
How E8-PA-ML1.9 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1654 | ISM-1654 requires Internet Explorer 11 to be disabled or removed | |
| Partially overlaps (5) | | |
| ISM-1247 | ISM-1247 requires unneeded user accounts, components, services and functionality of server applications to be disabled or removed | |
| ISM-1467 | ISM-1467 requires organisations to ensure the latest releases of office suites, web browsers and extensions, email clients, PDF applicati... | |
| ISM-1809 | E8-PA-ML1.9 requires organisations to remove particular vendor-unsupported software (e.g | |
| ISM-1848 | ISM-1848 requires replacing an isolation mechanism or underlying OS when vendor support ends, ensuring server security | |
| ISM-1981 | ISM-1981 requires that unsupported non-internet-facing network devices are replaced to avoid security gaps caused by lack of vendor fixes | |
| Related (2) | | |
| ISM-0304 | ISM-0304 requires that vendor-unsupported applications (with specific noted categories) are removed from systems to reduce exposure to un... | |
| ISM-1704 | ISM-1704 requires that specific categories of vendor-unsupported software (e.g | |