Replace Unsupported Networked IT Equipment
Replace networked IT equipment when vendors no longer provide support.
Plain language
This control is about replacing any networked IT equipment, like servers or routers, when the companies that make them stop supporting them with updates. This is important because unsupported equipment can become a weak link in your security, making it easier for hackers to get in and cause trouble, like stealing sensitive information or disrupting your operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Networked IT equipment that is no longer supported by vendors is replaced.
Why it matters
Unsupported networked IT equipment cannot receive vendor patches, increasing exposure to known exploits, outages and data compromise.
Operational notes
Maintain an asset register with vendor end-of-support dates, review quarterly, and schedule procurement and cutover before support ends.
Implementation tips
- The IT team should maintain a list of all networked IT equipment and its support status. They can do this by regularly checking manufacturer websites or contacting suppliers to ensure they have up-to-date information on support timelines.
- Procurement should set up a process to replace unsupported equipment swiftly. This process could include setting budget allocations for replacement and identifying preferred vendors who can provide timely replacements.
- The manager should communicate the importance of replacing unsupported equipment to all staff. This can be done through a brief team meeting, highlighting the risks of using outdated equipment and the steps the organisation is taking to address these risks.
- The IT team should develop a timeline for replacing equipment that is reaching the end of its support. Set milestones for purchasing, installation, and testing of new equipment, ensuring the process is seamless and minimally disruptive to the organisation.
- The procurement team should work with the IT team to establish partnerships with vendors offering support contracts. These partnerships can ensure quicker response times for replacements and better pricing due to established relationships.
Audit / evidence tips
- Ask: the inventory of all networked IT equipment. Request the most recent list maintained by the IT team.
  Good: an up-to-date inventory showing current support status for all equipment.
- Ask: replacement plans related to soon-to-be unsupported equipment. Review any documents that outline the timeline and budget for replacing outdated equipment.
  Good: plan should have specific steps and deadlines before the equipment becomes unsupported.
- Ask: vendor communication records. Request copies of correspondence with vendors regarding support status.
- Ask: budget allocations for replacing equipment. Review financial documents showing budget set aside for replacing unsupported IT gear.
  Good: budget should adequately cover the cost of timely replacements.
- Ask: training or communication materials sent to staff. Review emails, presentations, or meeting notes explaining the changes to staff.
  Good: communication record will show staff understanding and engagement with the replacement process.
Cross-framework mappings
How ISM-1982 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| Annex A 7.13 | ISM-1982 requires organisations to replace networked IT equipment when vendor support ends to reduce exposure from unpatchable vulnerabil... | |
| Annex A 8.20 | ISM-1982 requires replacement of unsupported networked IT equipment to avoid operating network infrastructure that can no longer be secur... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-PO-ML1.8 | ISM-1982 requires networked IT equipment that is no longer supported by vendors to be replaced | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.