ISM-1501 ASD Information Security Manual (ISM)

Replace Unsupported Operating Systems

Replace operating systems that are no longer supported to maintain security.

Plain language

This control is about making sure your computers and devices are running up-to-date, supported versions of their operating systems, like Windows or macOS. If you're using software that's no longer supported by the maker, your systems are more vulnerable to viruses and hackers because they don't get security updates. It's like leaving your home with the doors unlocked; you're inviting trouble that could cost you time, money, or more importantly, data.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Operating systems that are no longer supported by vendors are replaced.

Why it matters

Unsupported operating systems remain unpatched, increasing exposure to known exploits, malware and unauthorised access across the network.

Operational notes

Maintain an OS register, track vendor end-of-support dates, and replace or upgrade systems before support ends; isolate exceptions and manage risk.

Implementation tips

  • The IT team should conduct an inventory of all devices in the organisation. They can do this by creating a list or spreadsheet to track each device, noting the operating system version and its support status. This helps in identifying which systems need to be replaced or updated.
  • Procurement should work with IT to plan the replacement of unsupported systems. This involves checking the inventory list to find which systems are outdated and researching suitable replacements that meet the organisation's needs and budget.
  • Managers should communicate the importance of updates to their teams. Arrange a meeting or send a memo explaining why using supported operating systems is crucial for security, reassuring everyone that updates are routine and necessary.
  • The IT team should set a regular schedule for checking operating system support status. Set reminders to review this quarterly and ensure all systems remain in compliance with the support criteria.
  • IT should conduct training sessions for staff to understand the risks of outdated systems. Practical, simple sessions can cover how unsupported systems pose a threat and provide guidance on recognising and reporting outdated software.

Audit / evidence tips

  • Ask: An up-to-date inventory report of all devices. Good: Shows a complete list with clear labels indicating which systems are supported and which are not.
  • Good: Includes recent memos or meeting notes about this subject.
  • Ask: To see the procurement plan for replacing unsupported systems. Good: Shows a structured timeline and budget allocation for these updates.
  • Good: Has detailed, recurring entries reflecting quarterly checks.
  • Ask: Evidence of staff training on the risks of unsupported systems. Good: Includes recent sessions and materials tailored to educate staff about these risks.

Cross-framework mappings

How ISM-1501 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.8 ISM-1501 requires operating systems that are no longer supported by vendors to be replaced

E8

Control Notes Details
Partially overlaps (1)
E8-PO-ML3.9 E8-PO-ML3.9 requires organisations to use the latest or previous OS release
Related (1)
E8-PO-ML1.8 ISM-1501 requires operating systems that are no longer supported by vendors to be replaced

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
