Replace Unsupported Software in Server Isolation
Replace software when it's no longer supported to maintain server isolation.
Plain language
Imagine your business relies on a particular piece of software to keep your servers safe. If that software is no longer supported by the company that made it, it’s like having a car with no mechanic around to fix it. It’s important to replace unsupported software because, without updates and support, your digital defences weaken, leaving your sensitive business information vulnerable to cyber attacks.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Virtualisation hardening
Official control statement
When using a software-based isolation mechanism to share a physical server's hardware, the isolation mechanism or underlying operating system is replaced when it is no longer supported by a vendor.
Why it matters
Unsupported isolation mechanisms expose servers to exploits, risking data breaches and operational disruption.
Operational notes
Maintain an inventory of isolation mechanisms/host OS and track vendor end-of-support dates; schedule upgrade or replacement before support ends.
Implementation tips
- System administrator should keep a list of all the software currently running on servers. Make sure the list includes the software version and the date when support ends. Regularly update this list to ensure no software is missed.
- IT team should set reminders for when a software’s support is ending. Use a calendar or email reminders to alert the team at least three months in advance so there's enough time to find a replacement.
- Procurement manager should plan for purchasing and installing new software to replace the unsupported ones. This involves researching compatible alternatives that offer the needed features and protection for your servers.
- IT support staff should perform compatibility tests for new software. Before fully implementing, install a trial version or conduct tests in a controlled environment to ensure everything works smoothly with your current systems.
- Managers should communicate with staff about any software changes that will occur. Hold a brief meeting or send an email explaining why the change is necessary and how it will help protect the business.
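The inventory and reminder steps above can be checked automatically. The following is an added example, not part of the ISM or of this page's source; the host names, component names and dates are constructed, and the three-month lead time is taken as 90 days by assumption.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (hypothetical hosts, products and dates).
INVENTORY_CSV = """host,component,version,support_ends
vmhost-01,hypervisor-a,7.0,2026-01-31
vmhost-01,host-os-b,22.04,2027-04-30
vmhost-02,hypervisor-a,8.0,2026-05-15
vmhost-03,container-runtime-c,1.6,
vmhost-04,host-os-b,20.04,31/05/2025
"""

WARN_WINDOW = timedelta(days=90)  # assumption: "three months" taken as 90 days


def classify(support_ends, today):
    """Return (status, days_left) for one inventory row."""
    try:
        end = date.fromisoformat(support_ends.strip())
    except ValueError:
        # Blank or malformed date: support status cannot be shown to an auditor.
        return "UNKNOWN", None
    days_left = (end - today).days
    if days_left < 0:
        return "UNSUPPORTED", days_left
    if end - today <= WARN_WINDOW:
        return "REPLACE_SOON", days_left
    return "SUPPORTED", days_left


def review(inventory_csv, today):
    """Classify every row and return the findings, most urgent first."""
    order = {"UNSUPPORTED": 0, "UNKNOWN": 1, "REPLACE_SOON": 2, "SUPPORTED": 3}
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, days_left = classify(row["support_ends"] or "", today)
        findings.append((status, row["host"], row["component"], row["version"], days_left))
    findings.sort(key=lambda f: (order[f[0]], f[4] if f[4] is not None else 0))
    return findings


if __name__ == "__main__":
    for status, host, comp, ver, days in review(INVENTORY_CSV, date(2026, 3, 19)):
        print(f"{status:<13}{host:<11}{comp} {ver} days_left={days}")
```

Rows with a blank or unparseable end-of-support date are reported as UNKNOWN rather than skipped, since an inventory entry without a usable date cannot demonstrate that the component is still supported.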
Audit / evidence tips
- Ask: the software inventory list. Request to see the list of all software currently in use on servers, including version numbers and support end dates.
  Good: the list will be up-to-date and clearly indicate the end of support for each software.
- Ask: alert or notification systems regarding software support. Request evidence like emails or calendar alerts about upcoming end-of-support dates.
- Ask: records of software replacement plans. Request to see plans for replacing unsupported software.
  Good: the plan should be proactive with clear steps and deadlines.
- Ask: documentation of recent software replacements.
- Ask: communications records with staff. Request copies of emails or memos informing staff about software changes. Check for clarity in the message and a clear explanation of why the change is necessary.
  Good: the record will be clear and include dates when messages were sent.
Cross-framework mappings
How ISM-1848 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 8.8 | ISM-1848 demands replacement of unsupported server isolation or OS components to avoid vulnerabilities | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| E8-PO-ML1.8 | ISM-1848 requires that unsupported server isolation mechanisms or OS are replaced to maintain security | |
| E8-PA-ML1.9 | ISM-1848 requires replacing an isolation mechanism or underlying OS when vendor support ends, ensuring server security | |
| E8-PO-ML3.9 | E8-PO-ML3.9 requires organisations to use the latest or previous OS release | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.