ISM-1704: ASD Information Security Manual (ISM)

Remove Unsupported Software to Ensure Security

Unsupported software like browsers, productivity tools, and security apps should be removed to maintain security.

Plain language

This control is about getting rid of software that's no longer supported by its maker. It matters because unsupported software doesn't get security updates, so it can be an easy target for hackers who might steal your data or disrupt your operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

18 May 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Office productivity suites, web browsers and their extensions, email clients, PDF applications, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

Why it matters

Unsupported software can harbour vulnerabilities, exposing organisations to data breaches or operational disruptions from malware or cyber attacks.

Operational notes

Regularly audit for vendor end-of-support software (browsers/extensions, email, PDF, office suites, Flash and security tools) and remove or replace it promptly.

Implementation tips

  • System owners should regularly review the software installed on all devices within the organisation. They can do this by creating an inventory list of current software versions and comparing it to the supported versions listed by manufacturers. By keeping this up to date, they can identify which software needs to be removed or replaced.
  • The IT team should monitor announcements from software vendors regarding end-of-support dates. They can subscribe to vendor newsletters or alerts to stay informed and ensure that any software nearing or past its support deadline is flagged for removal.
  • Managers should encourage employees to report any unsupported software they are aware of. They can create a simple reporting channel, such as an internal email address or form, where staff can mention software issues or outdated applications.
  • Procurement teams need to ensure that when acquiring new software, they only choose products with a clear support lifespan. They can do this by checking vendor support policies and ensuring there's a documented plan for regular updates as part of the purchase agreement.
  • The IT team should set up automatic reminders well before software reaches its end-of-support date. Using tools like calendar alerts can help them plan and carry out the transition to supported software versions, minimising disruption.

Audit / evidence tips

  • Ask: The software inventory list. Request the document that lists all software currently installed across the organisation. Good: List will also indicate which software is pending removal due to end-of-support.
  • Ask: To see communications from software vendors. Request emails or notifications about software reaching end-of-support. Good: Indication is a documented plan for software removal or upgrade.
  • Ask: The procurement policy. Request documentation of criteria for new software purchases.
  • Ask: Employee communication logs. Request examples of communications sent to employees about reporting outdated software.
  • Ask: The IT team's calendar alerts. Request to review the setup of automated alerts for software updates or removal deadlines.

Cross-framework mappings

How ISM-1704 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Supports (1)
  • Annex A 8.8: ISM-1704 requires removing specific categories of unsupported software to reduce known and unpatched exposure

E8

Partially overlaps (3)
  • E8-PA-ML1.8: ISM-1704 requires removing vendor-unsupported end-user and security software from systems
  • E8-PO-ML1.8: ISM-1704 requires removal of unsupported software for key application categories such as browsers, office suites, and security products
  • E8-PA-ML3.3: ISM-1704 requires removal of vendor-unsupported office productivity suites, web browsers (and extensions), email clients, PDF application...

Supports (1)
  • E8-PA-ML1.4: E8-PA-ML1.4 requires weekly scanning to identify missing patches or updates for key applications and security products

Related (1)
  • E8-PA-ML1.9: ISM-1704 requires that specific categories of vendor-unsupported software (e.g

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
