Remove Unsupported Applications for System Security
Applications no longer supported by vendors, except some key types, should be removed for security.
Plain language
This control means we should get rid of any computer applications that the companies who made them no longer support, except for some essential ones like office software and security tools. This matters because unsupported applications no longer receive updates or bug fixes, which makes them a prime target for hackers and can lead to data breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Applications other than office productivity suites, web browsers and their extensions, email clients, PDF applications, Adobe Flash Player, and security products that are no longer supported by vendors are removed.
Why it matters
Unsupported applications have unpatched flaws attackers can exploit, increasing the likelihood of malware infection, data breaches and full system compromise.
Operational notes
Maintain an application inventory; routinely check vendor support status and remove or replace any unsupported apps (including browsers, plugins and PDF tools) promptly.
Implementation tips
- The IT team should regularly review the list of applications installed across all systems. They can do this by running an inventory check using software tools that list all applications and their versions. The goal is to identify any applications that are no longer supported by their vendors.
- Managers should ensure that employees are informed about why removing unsupported applications is important. They can do this by sending out a simple email or holding a short meeting explaining the risks of unsupported software and the process for removal.
- System owners need to work with the IT team to identify which software is critical and remains in use, comparing it with the vendor's support status. This involves checking vendor websites or support documentation to confirm if the software is still supported.
- The IT team should create a plan to replace or remove unsupported applications. This plan should include identifying alternative options for critical applications and setting a timeline for removal. They should communicate this plan to all relevant staff.
- Managers should ensure that there is a process in place for regularly reviewing and updating applications. This can be handled by scheduling periodic reviews, perhaps quarterly, to capture any new unsupported applications as software lifecycles end.
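As an added example (not part of the Control Stack page or the ISM), the inventory review described in the tips above expressed as a script: a constructed inventory export is checked against a constructed vendor end-of-support table, the categories the control statement excludes from ISM-0304 are set aside, and products with no lifecycle data are flagged for manual verification with the vendor. All product names, versions, dates and category labels are made up.

```python
from collections import namedtuple
from datetime import date

# Categories the control statement excludes from ISM-0304; they are reported
# separately rather than placed on this control's removal list.
EXEMPT_CATEGORIES = {"office suite", "web browser", "browser extension", "email client",
                     "pdf application", "adobe flash player", "security product"}
InstalledApp = namedtuple("InstalledApp", "host name version category")  # one inventory-export row

# Constructed vendor lifecycle data: (product, major version) -> end-of-support
# date, or None while that version is still supported. Products are hypothetical.
SUPPORT_TABLE = {
    ("ExampleDB Server", "11"): date(2023, 6, 30),
    ("ExampleDB Server", "14"): None,
    ("LegacyCAD", "2016"): date(2021, 12, 31),
    ("ExampleOffice", "2013"): date(2023, 4, 11),
    ("ExampleBrowser", "89"): date(2021, 4, 14),
}

def classify(app, today):
    """Return 'exempt', 'supported', 'unsupported' or 'unknown' for one app."""
    if app.category.lower() in EXEMPT_CATEGORIES:
        return "exempt"
    key = (app.name, app.version.split(".")[0])  # support is tracked per major version
    if key not in SUPPORT_TABLE:                 # no lifecycle data: verify with the vendor
        return "unknown"
    end_of_support = SUPPORT_TABLE[key]
    return "supported" if end_of_support is None or end_of_support > today else "unsupported"

def removal_plan(inventory, today):
    """Group the inventory by status; 'unsupported' is the ISM-0304 removal list."""
    plan = {"unsupported": [], "unknown": [], "exempt": [], "supported": []}
    for app in inventory:
        plan[classify(app, today)].append(app)
    return plan

ASSESSMENT_DATE = date(2025, 5, 1)  # constructed review date
INVENTORY = [  # constructed inventory-tool export
    InstalledApp("srv-01", "ExampleDB Server", "11.4.2", "database"),
    InstalledApp("srv-02", "ExampleDB Server", "14.1.0", "database"),
    InstalledApp("ws-17", "LegacyCAD", "2016.2", "engineering"),
    InstalledApp("ws-17", "ExampleOffice", "2013.0", "office suite"),
    InstalledApp("ws-22", "ExampleBrowser", "89.0.4389", "web browser"),
    InstalledApp("ws-22", "HomegrownReporter", "3.1", "reporting"),
]

if __name__ == "__main__":
    for status, apps in removal_plan(INVENTORY, ASSESSMENT_DATE).items():
        for app in apps:
            print(f"{status:11} {app.host:7} {app.name} {app.version}")
```

The "unknown" bucket is the list to take to vendor lifecycle pages, which is also the evidence an auditor will want for how support status is verified.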
Audit / evidence tips
- Ask: a current software inventory report. Request a document listing all installed applications and their versions. Good: lists all applications with their support status clearly indicated.
- Good: includes evidence that staff have been informed about risks and removal processes.
- Good: sees active identification and planning based on support status.
- Ask: how they verify vendor support. Good: includes a clear, repeatable method.
- Good: shows regular reviews are planned and include steps for dealing with unsupported applications.
Cross-framework mappings
How ISM-0304 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes |
|---|---|
| Partially overlaps (2) | |
| E8-PA-ML1.8 | E8-PA-ML1.8 requires organisations to remove online services that are no longer supported by vendors |
| E8-PA-ML2.2 | ISM-0304 requires organisations to remove applications that are no longer supported by vendors (outside the listed key application catego... |
| Supports (1) | |
| E8-PA-ML2.1 | ISM-0304 requires that unsupported applications are removed to avoid systems running software that will not receive vendor security fixes |
| Related (2) | |
| E8-PA-ML1.9 | ISM-0304 requires that vendor-unsupported applications (with specific noted categories) are removed from systems to reduce exposure to un... |
| E8-PA-ML3.3 | E8-PA-ML3.3 requires organisations to remove vendor-unsupported applications, excluding specific categories such as office suites, browse... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.