Replace Unsupported Internet-Facing Devices
Replace network devices that are no longer supported by manufacturers.
Plain language
This control is about making sure that the devices on your network, like routers and firewalls, that connect directly to the internet are supported by their manufacturers. This matters because unsupported devices don't get security updates, which can leave them vulnerable to hackers who could steal your data or disrupt your services.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Internet-facing network devices that are no longer supported by vendors are replaced.
Why it matters
Unsupported internet-facing devices expose the organisation to unpatched vulnerabilities, leading to potential breaches or service disruptions.
Operational notes
Regularly check device support status, plan replacements before support ends to ensure continuous vendor security updates.
Implementation tips
- The IT team should create an inventory of all internet-facing devices. This involves listing every router, firewall, and other devices connected to the internet in a document or spreadsheet, noting their model and firmware version.
- IT Managers should regularly check for announcements from device manufacturers. Subscribe to the manufacturer's mailing list or regularly visit their website to stay informed about end-of-life dates for devices your organisation uses.
- The procurement team should plan for replacement if a device is nearing its end-of-support date. This includes researching compatible current models, getting quotes, and preparing a budget proposal well in advance of the device becoming unsupported.
- System owners must coordinate with the IT team to schedule replacements before devices reach their end-of-life. Ensure minimal disruption by planning updates during off-peak times or periods of scheduled maintenance.
- The IT team should maintain documentation that records when each device will no longer be supported. Keep this record updated and review it quarterly to identify any devices that will soon require replacement.
Audit / evidence tips
- AskThe device inventory list: Request a document that lists all internet-facing devices, including make, model, and firmware GoodList will have all devices tracked with clear information about their support status
- AskManufacturer notifications or announcements: Request emails or documents from vendors about device support timelines GoodIncludes timely updates and proactive planning records for upcoming replacements
- AskThe replacement schedule: Request a plan that outlines when and how unsupported devices will be replaced GoodProvides clear deadlines and steps showing proactive management
- AskEvidence of recent replacements: Request documentation or records of devices that were replaced in the last year GoodRecent replacements align with end-of-support deadlines
- AskTo see the budget plan for device replacements: Request copies of budget proposals or purchase order approvals specific to replacing outdated devices GoodIncludes written proof that funds were allocated in advance
Cross-framework mappings
How ISM-1753 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.20 | ISM-1753 requires that internet-facing network devices that are no longer vendor-supported are replaced | |
E8
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (2) expand_less | ||
| E8-PO-ML1.8 | ISM-1753 requires that internet-facing network devices that are no longer vendor-supported are replaced | |
| E8-PA-ML1.9 | E8-PA-ML1.9 requires organisations to remove specific categories of end-user software when vendor support ends | |
| handshake Supports (1) expand_less | ||
| E8-PO-ML1.5 | ISM-1753 requires replacement of internet-facing network devices that are no longer supported by vendors | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.