Implement Compensating Controls for Unsupported Systems
When systems can't be updated or replaced, use temporary security measures.
Plain language
This control is about using temporary security measures for systems that can't be updated or replaced because they're no longer supported by their makers. It's crucial because unsupported systems can have security holes that hackers could exploit, putting your data and operations at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
When applications, operating systems, network devices or networked IT equipment that are no longer supported by vendors cannot be immediately removed or replaced, compensating controls are implemented until such time that they can be removed or replaced.
Why it matters
Unsupported systems expose unpatched flaws; without compensating controls, attackers can exploit them, causing a breach, outages or lateral movement.
Operational notes
For each unsupported asset, document why it remains, isolate it (segmentation/ACLs), restrict admin access, add monitoring, and set a dated replacement plan.
Implementation tips
- System owners should identify all unsupported systems within the organisation. They can start by reviewing the IT inventory and flagging any system that no longer receives vendor support or updates.
- IT teams should implement network segmentation for unsupported systems. They can do this by placing these systems on a separate network from more critical systems, reducing potential damage from a security breach.
- Security officers should establish strict access controls around unsupported systems. This can involve limiting who can log in to these systems by assigning access only to essential personnel and using strong, unique passwords.
- The IT team should regularly monitor network traffic for any unusual activity around unsupported systems. This involves setting up alerts for unexpected data transfers or access patterns, even if it means using basic software tools.
- Managers should plan for the eventual removal or replacement of unsupported systems. They can create a timeline and budget with input from finance and IT, ensuring these systems are phased out with minimal disruption.
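The operational notes and implementation tips above describe a per-asset register: every unsupported system needs a documented reason for remaining, network isolation, restricted administrative access, monitoring, and a dated replacement plan. The following is an added example (not code from the ISM or the Control Stack page) that turns that register into a machine-checkable audit. All field names, the `legacy-quarantine` segment, the three-admin threshold and the sample inventory are constructed assumptions for illustration.

```python
"""Compensating-control coverage check for end-of-support assets.

Added example, not part of the ISM or the Control Stack page. Each asset past
its vendor end-of-support date must have a documented justification, sit on an
approved isolated segment, have a small set of admin accounts, be monitored,
and carry a replacement date that has not already passed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Asset:
    name: str
    role: str
    end_of_support: Optional[date]        # None means still vendor-supported
    segment: str                          # network segment / VLAN the asset sits on
    retained_because: str = ""            # documented reason it has not been removed
    admin_users: tuple = ()               # accounts with administrative access
    monitored: bool = False               # traffic/log monitoring in place
    replacement_due: Optional[date] = None


# Constructed policy values for this example
MAX_ADMINS = 3                              # "essential personnel only"
ISOLATED_SEGMENTS = {"legacy-quarantine"}   # segments approved for unsupported systems


def is_unsupported(asset: Asset, today: date) -> bool:
    """An asset is unsupported once its vendor end-of-support date has passed."""
    return asset.end_of_support is not None and asset.end_of_support < today


def check_compensating_controls(asset: Asset, today: date) -> list:
    """Return findings for one unsupported asset; an empty list means all controls are present."""
    findings = []
    if not asset.retained_because.strip():
        findings.append("no documented justification for retention")
    if asset.segment not in ISOLATED_SEGMENTS:
        findings.append(f"not isolated: on segment '{asset.segment}'")
    if not asset.admin_users:
        findings.append("admin access not defined")
    elif len(asset.admin_users) > MAX_ADMINS:
        findings.append(f"admin access too broad: {len(asset.admin_users)} accounts")
    if not asset.monitored:
        findings.append("no monitoring configured")
    if asset.replacement_due is None:
        findings.append("no dated replacement plan")
    elif asset.replacement_due < today:
        findings.append(f"replacement plan overdue since {asset.replacement_due}")
    return findings


def audit(inventory: list, today: date) -> dict:
    """Map each unsupported asset name to its findings; supported assets are skipped."""
    return {a.name: check_compensating_controls(a, today)
            for a in inventory if is_unsupported(a, today)}


# Constructed inventory: one compliant legacy asset, one with gaps, one still supported
TODAY = date(2026, 3, 19)
INVENTORY = [
    Asset("hmi-01", "plant HMI", date(2023, 1, 10), "legacy-quarantine",
          retained_because="vendor has no supported replacement until Q3",
          admin_users=("ot-admin1", "ot-admin2"), monitored=True,
          replacement_due=date(2026, 9, 30)),
    Asset("fileshare-old", "archive share", date(2020, 1, 14), "corp-servers",
          admin_users=("a", "b", "c", "d", "e"), monitored=False,
          replacement_due=date(2025, 6, 30)),
    Asset("web-03", "intranet", None, "corp-servers", admin_users=("web-admin",)),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, TODAY).items():
        print(f"{name}: {'OK' if not findings else 'GAPS'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real register, the non-empty finding lists are exactly the items an auditor would raise under the evidence tips below, and the `replacement_due` check keeps the "until such time that they can be removed or replaced" clause from becoming open-ended.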
Audit / evidence tips
- Ask: the inventory of unsupported systems. Request a current list of systems that are no longer supported, including their purpose and location. Good: the list includes system names, their roles, and last update dates.
- Good: a document details each compensating control and its expected impact.
- Ask: access logs and access control policies. Request logs and policies showing who can access unsupported systems and proof of access restrictions. Good: the policy limits access to necessary personnel only.
- Ask: recent network traffic and monitoring reports around unsupported systems.
- Ask: the unsupported systems removal plan. Request a strategic plan for replacing unsupported systems. Good: the plan aligns with organisational goals and includes risk management strategies.
Cross-framework mappings
How ISM-1809 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 8.8 | ISM-1809 requires compensating controls to be implemented when unsupported applications, operating systems or devices cannot be removed o... |
| Supports | Annex A 8.20 | ISM-1809 requires compensating controls to manage risk from systems that cannot be patched or replaced due to vendor support ending |
| Supports | Annex A 8.22 | Annex A 8.22 requires segregating groups within organisational networks to limit risk and lateral movement |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-PA-ML1.8 | E8-PA-ML1.8 requires organisations to remove online services that are no longer supported by vendors |
| Partially overlaps | E8-PO-ML1.8 | E8-PO-ML1.8 requires organisations to replace operating systems that are no longer supported by vendors |
| Partially overlaps | E8-PA-ML1.9 | E8-PA-ML1.9 requires organisations to remove specified software products once vendor support ends |
| Partially overlaps | E8-PA-ML3.3 | E8-PA-ML3.3 mandates removal of vendor-unsupported applications with defined exceptions to mitigate risk from unpatched software |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.