Replace Unsupported Internet-Facing Devices
Replace network devices that are no longer supported by manufacturers.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2024
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
N/A
Internet-facing network devices that are no longer supported by vendors are replaced.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure that the devices on your network, like routers and firewalls, that connect directly to the internet are supported by their manufacturers. This matters because unsupported devices don't get security updates, which can leave them vulnerable to hackers who could steal your data or disrupt your services.
Why it matters
Unsupported internet-facing devices expose the organisation to unpatched vulnerabilities, leading to potential breaches or service disruptions.
Operational notes
Regularly check device support status, plan replacements before support ends to ensure continuous vendor security updates.
Implementation tips
- The IT team should create an inventory of all internet-facing devices. This involves listing every router, firewall, and other devices connected to the internet in a document or spreadsheet, noting their model and firmware version.
- IT Managers should regularly check for announcements from device manufacturers. Subscribe to the manufacturer's mailing list or regularly visit their website to stay informed about end-of-life dates for devices your organisation uses.
- The procurement team should plan for replacement if a device is nearing its end-of-support date. This includes researching compatible current models, getting quotes, and preparing a budget proposal well in advance of the device becoming unsupported.
- System owners must coordinate with the IT team to schedule replacements before devices reach their end-of-life. Ensure minimal disruption by planning updates during off-peak times or periods of scheduled maintenance.
- The IT team should maintain documentation that records when each device will no longer be supported. Keep this record updated and review it quarterly to identify any devices that will soon require replacement.
Audit / evidence tips
-
Ask: the device inventory list: Request a document that lists all internet-facing devices, including make, model, and firmware
Good: list will have all devices tracked with clear information about their support status
-
Ask: manufacturer notifications or announcements: Request emails or documents from vendors about device support timelines
Good: includes timely updates and proactive planning records for upcoming replacements
-
Ask: the replacement schedule: Request a plan that outlines when and how unsupported devices will be replaced
Good: provides clear deadlines and steps showing proactive management
-
Ask: evidence of recent replacements: Request documentation or records of devices that were replaced in the last year
Good: recent replacements align with end-of-support deadlines
-
Ask: to see the budget plan for device replacements: Request copies of budget proposals or purchase order approvals specific to replacing outdated devices
Good: includes written proof that funds were allocated in advance
Cross-framework mappings
How ISM-1753 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 8.20 | ISM-1753 requires that internet-facing network devices that are no longer vendor-supported are replaced | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | ||
| E8-PO-ML1.8 | ISM-1753 requires that internet-facing network devices that are no longer vendor-supported are replaced | |
| E8-PA-ML1.9 | E8-PA-ML1.9 requires organisations to remove specific categories of end-user software when vendor support ends | |
| Supports (1) | ||
| E8-PO-ML1.5 | ISM-1753 requires replacement of internet-facing network devices that are no longer supported by vendors | |