Remove unsupported applications excluding certain categories
Ensure unsupported non-critical applications are removed for security.
Plain language
Imagine your computer is full of tools and apps. If some of these apps can't get updates or fixes from their creators, it's like leaving a window open to thieves. This control is about removing those outdated apps to keep the bad guys from sneaking in and causing trouble.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Patch applications
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.
Why it matters
If unsupported (end-of-life) non-exempt apps remain installed, known unpatched flaws can be exploited to gain access, leading to compromise or data loss.
Operational notes
Maintain an inventory and track vendor support dates; routinely uninstall end-of-life apps (outside the exempt categories) and validate replacements before rollout.
Implementation tips
- The system administrator should review all installed applications to identify which ones are no longer supported. Use software inventory tools to make a list of all applications on the system.
- The IT team should prioritise removing unsupported applications. Check vendor websites or support channels to confirm the support status of each application.
- The IT manager needs to ensure that replacements for unsupported applications are identified and installed where necessary. Research and choose alternative applications that are actively supported.
- The security officer should implement a regular review process to prevent old, unsupported applications from remaining on the network. Schedule quarterly reviews of application support status and document the findings.
Audit / evidence tips
- Ask: How do you identify unsupported applications in your system?
- Good: The system administrator should provide a current list of supported and unsupported applications, along with evidence of regular checks.
- Ask: What process do you follow to remove unsupported applications?
- Good: Evidence showing when unsupported applications were removed and what replacements were implemented.
Cross-framework mappings
How E8-PA-ML3.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1655 | ISM-1655 requires disabling or removing a specific legacy component: .NET Framework 3.5 (including 2.0 and 3.0) | |
| Partially overlaps (3) | | |
| ISM-1483 | ISM-1483 requires that internet-facing server applications are kept on their latest release to reduce exposure to known vulnerabilities | |
| ISM-1704 | ISM-1704 requires removal of vendor-unsupported office productivity suites, web browsers (and extensions), email clients, PDF application... | |
| ISM-1809 | E8-PA-ML3.3 mandates removal of vendor-unsupported applications with defined exceptions to mitigate risk from unpatched software | |
| Supports (1) | | |
| ISM-1493 | ISM-1493 requires organisations to maintain and verify software registers so they can reliably identify installed applications and their ... | |
| Related (1) | | |
| ISM-0304 | E8-PA-ML3.3 requires organisations to remove vendor-unsupported applications, excluding specific categories such as office suites, browse... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.