Replace Unsupportable Non-Internet Network Devices
Replace network devices not supported by vendors to maintain security.
Plain language
This control means that any network devices which aren't connected to the internet but are no longer supported by their maker need to be replaced. This is important because unsupported devices don't receive security updates, leaving your network vulnerable to cyber threats that could disrupt operations or expose sensitive data.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Non-internet-facing network devices that are no longer supported by vendors are replaced.
Why it matters
If unsupported non-internet-facing network devices are not replaced, known vulnerabilities remain unpatched, increasing breach and outage risk.
Operational notes
Maintain an asset register and regularly audit vendor support status for non-internet-facing devices; schedule and track replacements before end-of-support.
Implementation tips
- Procurement team should work with IT to identify devices nearing end-of-life. Start by reviewing warranty and support documents to see which devices will soon be unsupported by vendors.
- IT team should create a list of unsupported devices. Conduct a full inventory check of network devices, noting their support status based on vendor information.
- System owners must plan for replacements. Meet with IT and management to discuss budget and prioritise replacing unsupported devices based on their role in the network.
- Managers should engage staff on changes. Communicate with employees about the timeline for replacing these devices and any expected downtime.
- IT team should conduct a security review post-replacement. Verify that the new devices have up-to-date security features and consider integrating them with existing security protocols.
Audit / evidence tips
-
Askthe device inventory list: Request a report detailing all network devices in use
-
Askthe replacement plan document: Request the schedule or plan for replacing unsupported devices
Gooda detailed timeline with specific actions and responsible names
-
Askpurchase orders or invoices: Request records of recent purchases for new or replacement devices
-
Askvendor communications: Request emails or letters from vendors confirming end-of-life status
-
Askpost-replacement security review notes: Request documentation of security checks after installing new devices
Cross-framework mappings
How ISM-1981 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.20 | ISM-1981 requires a specific action: replacing non-internet-facing network devices that are no longer vendor-supported | |
| handshake Supports (1) expand_less | ||
| Annex A 8.9 | ISM-1981 requires replacing non-internet-facing network devices that are no longer vendor-supported, preventing insecure legacy devices f... | |
E8
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (3) expand_less | ||
| E8-PA-ML1.8 | ISM-1981 requires that non-internet-facing network devices that are no longer supported by vendors are replaced to reduce exposure from u... | |
| E8-PO-ML1.8 | ISM-1981 requires replacement of vendor-unsupported non-internet-facing network devices | |
| E8-PA-ML1.9 | ISM-1981 requires that unsupported non-internet-facing network devices are replaced to avoid security gaps caused by lack of vendor fixes | |
| handshake Supports (1) expand_less | ||
| E8-PO-ML3.3 | ISM-1981 requires replacement of non-internet-facing network devices that are no longer supported, reducing the number of devices that ca... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.