Replace Unsupported Networked IT Equipment
Replace networked IT equipment when vendors no longer provide support.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: Nov 2024
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Networked IT equipment that is no longer supported by vendors is replaced.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about replacing any networked IT equipment, like servers or routers, when the companies that make them stop supporting them with updates. This is important because unsupported equipment can become a weak link in your security, making it easier for hackers to get in and cause trouble, like stealing sensitive information or disrupting your operations.
Why it matters
Unsupported networked IT equipment cannot receive vendor patches, increasing exposure to known exploits, outages and data compromise.
Operational notes
Maintain an asset register with vendor end-of-support dates, review quarterly, and schedule procurement and cutover before support ends.
Implementation tips
- The IT team should maintain a list of all networked IT equipment and its support status. They can do this by regularly checking manufacturer websites or contacting suppliers to ensure they have up-to-date information on support timelines.
- Procurement should set up a process to replace unsupported equipment swiftly. This process could include setting budget allocations for replacement and identifying preferred vendors who can provide timely replacements.
- The manager should communicate the importance of replacing unsupported equipment to all staff. This can be done through a brief team meeting, highlighting the risks of using outdated equipment and the steps the organisation is taking to address these risks.
- The IT team should develop a timeline for replacing equipment that is reaching the end of its support. Set milestones for purchasing, installation, and testing of new equipment, ensuring the process is seamless and minimally disruptive to the organisation.
- The procurement team should work with the IT team to establish partnerships with vendors offering support contracts. These partnerships can ensure quicker response times for replacements and better pricing due to established relationships.
Audit / evidence tips
- Ask for the inventory of all networked IT equipment: request the most recent list maintained by the IT team.
  Good: an up-to-date inventory showing current support status for all equipment.
- Ask for replacement plans related to soon-to-be unsupported equipment: review any documents that outline the timeline and budget for replacing outdated equipment.
  Good: the plan should have specific steps and deadlines before the equipment becomes unsupported.
- Ask for vendor communication records: request copies of correspondence with vendors regarding support status.
- Ask for budget allocations for replacing equipment: review financial documents showing budget set aside for replacing unsupported IT gear.
  Good: the budget should adequately cover the cost of timely replacements.
- Ask for training or communication materials sent to staff: review emails, presentations, or meeting notes explaining the changes to staff.
  Good: the communication record will show staff understanding and engagement with the replacement process.
Cross-framework mappings
How ISM-1982 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| Annex A 7.13 | ISM-1982 requires organisations to replace networked IT equipment when vendor support ends to reduce exposure from unpatchable vulnerabil... | |
| Annex A 8.20 | ISM-1982 requires replacement of unsupported networked IT equipment to avoid operating network infrastructure that can no longer be secur... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-PO-ML1.8 | ISM-1982 requires networked IT equipment that is no longer supported by vendors to be replaced | |