Replace unsupported operating systems
Ensure that all outdated and unsupported operating systems are replaced with supported versions.
Plain language
Replacing unsupported operating systems is essential because when vendors stop supporting an operating system, they also stop providing updates and security patches. This leaves your systems vulnerable to cyber attacks, which could lead to data breaches or system failures.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
PO
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Operating systems that are no longer supported by vendors are replaced.
Why it matters
Unsupported OSs expose your organisation to unpatched vulnerabilities, making it an easy target for cyber attacks that can lead to data breaches.
Operational notes
Regularly inventory systems to identify unsupported OSs and plan timely upgrades before vendors cease support, ensuring continued security coverage.
Implementation tips
- The IT team should regularly review the list of operating systems in use across the organisation to identify any that are no longer supported. This can be done by consulting the vendor’s official support and lifecycle documentation.
- System administrators should create a plan to migrate systems from unsupported operating systems to supported ones. This includes scheduling updates and informing users about potential downtimes.
- Security officers should prioritise the replacement of unsupported operating systems that are critical to business operations or are internet-facing, as these are at higher risk of exploitation.
- The IT team should regularly check the operating systems of all new devices before they are connected to the network, ensuring they are supported versions.
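The inventory review and prioritisation described in the tips above, sketched as an added example (not part of the original page or of any ASD tooling). The OS names, end-of-support dates, hostnames, CSV columns, the 180-day warning window and the choice to flag operating systems missing from the lifecycle table as `unknown` are all assumptions constructed for illustration; real dates come from each vendor's lifecycle documentation.

```python
import csv
import io
from datetime import date, timedelta

# Constructed lifecycle table: placeholder OS names and dates, not vendor data.
END_OF_SUPPORT = {
    "ExampleOS 9": date(2024, 6, 30),
    "ExampleOS 10": date(2026, 8, 31),
    "ExampleOS 11": date(2031, 1, 1),
}

# Constructed inventory export; column names are assumptions.
INVENTORY_CSV = """hostname,os,internet_facing,business_critical
web01,ExampleOS 9,yes,yes
file02,ExampleOS 9,no,no
hr-app,ExampleOS 10,no,yes
build03,ExampleOS 11,no,no
kiosk7,LegacyOS 3,yes,no
"""

def assess(inventory_csv, today, warn_days=180):
    """Return findings ordered so the riskiest replacements come first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        eos = END_OF_SUPPORT.get(row["os"])
        if eos is None:
            status = "unknown"      # not in the lifecycle table: verify before trusting
        elif eos < today:
            status = "unsupported"  # vendor support has already ended
        elif eos - today <= timedelta(days=warn_days):
            status = "expiring"     # plan the upgrade before support ends
        else:
            continue                # supported, no action needed
        exposed = row["internet_facing"] == "yes"
        critical = row["business_critical"] == "yes"
        # Sort key: unsupported/unknown first, then internet-facing, then critical.
        rank = (status == "expiring", not exposed, not critical, row["hostname"])
        findings.append((rank, {
            "host": row["hostname"], "os": row["os"], "status": status,
            "end_of_support": eos.isoformat() if eos else None,
        }))
    return [finding for _, finding in sorted(findings, key=lambda item: item[0])]

if __name__ == "__main__":
    for f in assess(INVENTORY_CSV, today=date(2026, 3, 19)):
        print(f"{f['status']:<12}{f['host']:<10}{f['os']:<14}{f['end_of_support']}")
```

Saving each run's output with its date gives the kind of dated record the audit tips below ask for.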
Audit / evidence tips
- Ask: What process does the organisation have in place to identify unsupported operating systems?
  Good: A regularly updated document that lists operating systems and indicates their support status
- Ask: How does the organisation prioritise updating unsupported systems?
  Good: A detailed plan that prioritises systems based on risk and criticality, including timelines for upgrading
- Ask: How often are the systems in the organisation checked for outdated operating systems?
  Good: Logs showing regular checks and proactive actions taken to replace unsupported systems
Cross-framework mappings
How E8-PO-ML1.8 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (8) | | |
| ISM-0298 | E8-PO-ML1.8 requires organisations to replace operating systems that are no longer supported by vendors | |
| ISM-1407 | ISM-1407 requires organisations to use only the latest or previous operating system releases | |
| ISM-1704 | ISM-1704 requires removal of unsupported software for key application categories such as browsers, office suites, and security products | |
| ISM-1753 | ISM-1753 requires that internet-facing network devices that are no longer vendor-supported are replaced | |
| ISM-1809 | E8-PO-ML1.8 requires organisations to replace operating systems that are no longer supported by vendors | |
| ISM-1848 | ISM-1848 requires that unsupported server isolation mechanisms or OS are replaced to maintain security | |
| ISM-1981 | ISM-1981 requires replacement of vendor-unsupported non-internet-facing network devices | |
| ISM-1982 | ISM-1982 requires networked IT equipment that is no longer supported by vendors to be replaced | |
| Supports (4) | | |
| ISM-1366 | ISM-1366 requires security updates to be applied to mobile devices as soon as they become available | |
| ISM-1408 | ISM-1408 requires organisations to use 64-bit operating systems where supported | |
| ISM-1409 | ISM-1409 requires operating systems to be hardened using ASD and vendor hardening guidance with conflicts resolved to the most restrictiv... | |
| ISM-1807 | E8-PO-ML1.8 mandates the replacement of unsupported operating systems | |
| Depends on (2) | | |
| ISM-0336 | E8-PO-ML1.8 requires organisations to replace operating systems that are no longer supported by vendors | |
| ISM-1643 | E8-PO-ML1.8 requires organisations to replace operating systems that are no longer supported by vendors | |
| Related (1) | | |
| ISM-1501 | ISM-1501 requires operating systems that are no longer supported by vendors to be replaced | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.