Lesson 9.4 — Unsupported software: end-of-life systems, isolation, removal plans and evidence
This lesson explains how to identify and handle unsupported software within the Cyber Essentials Security Update Management control.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- identify unsupported software
- distinguish unsupported software from merely outdated software
- assess whether unsupported software is in scope
- decide whether to remove, upgrade, replace or isolate it
Why This Matters
This lesson helps you understand what unsupported software is, why it creates risk, when software must be removed, upgraded or replaced, when isolation may be used, what “removed from scope” means in practical terms, and what evidence is needed to support the final Cyber Essentials submission.
The Core Rule
Unsupported software is software that no longer receives security support from the vendor.
For Cyber Essentials, all in-scope software must be licensed and supported.
What the CE Assessor Looks For
A strong position shows:
- unsupported software is actively identified;
- support status is confirmed using vendor or supplier evidence;
- unsupported software is removed, upgraded or replaced where possible;
- isolated unsupported software is placed in a defined sub-set;
- all internet traffic to and from isolated unsupported software is blocked;
- isolation is documented and tested;
Copy This
Keep this rule visible:
Do not leave unsupported software in scope. Remove it, upgrade it, replace it, or isolate it from all internet traffic and prove the isolation works.
Quick Checklist
Before moving on, make sure you can answer these:
- [ ] What is unsupported software?
- [ ] Why is unsupported software risky?
- [ ] What does Cyber Essentials expect when software becomes unsupported?
- [ ] What is the difference between outdated and unsupported software?
- [ ] What does “defined sub-set” mean in this context?
Your Action
Do this now — it takes 10–20 minutes.
Identify any software that is no longer supported. Check operating system versions, applications, and firmware. Record the results in Section SU and note any plan to address them.
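One way to apply the checks from "What the CE Assessor Looks For" to a software register, added here as an example (it is not part of the original lesson or of any Cyber Essentials tooling). The product names, dates and field names are constructed; real support end dates must come from vendor or supplier evidence.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Entry:
    name: str
    support_ends: Optional[date]    # from vendor/supplier evidence; None = not confirmed
    disposition: str = "in_scope"   # in_scope | removed | isolated
    subset: str = ""                # name of the defined sub-set, if isolated
    internet_blocked: bool = False  # all internet traffic to and from it is blocked
    isolation_tested: Optional[date] = None  # date the block was last tested

def assess(e: Entry, today: date) -> list[str]:
    """Return the findings for one register entry (empty list = no findings)."""
    if e.disposition == "removed":
        return []
    if e.support_ends is None:
        return ["support status not confirmed with vendor or supplier evidence"]
    if e.support_ends >= today:  # assumption: the end date is the last supported day
        return []  # supported; being merely outdated is a separate patching issue
    if e.disposition != "isolated":
        return ["unsupported and still in scope: remove, upgrade, replace or isolate"]
    findings = []
    if not e.subset:
        findings.append("isolated but no defined sub-set recorded")
    if not e.internet_blocked:
        findings.append("internet traffic to/from the sub-set is not blocked")
    if e.isolation_tested is None:
        findings.append("isolation has not been tested")
    return findings

# Constructed sample register; every name and date below is illustrative only.
REGISTER = [
    Entry("ExampleOS 11 (laptops)", date(2031, 1, 1)),
    Entry("ExampleOS 8 (lab PC)", date(2023, 1, 10)),
    Entry("LegacyCAD 4 (plotter host)", date(2021, 6, 30), "isolated", "legacy-vlan", True, date(2025, 3, 1)),
    Entry("OldFirmware 2.1 (printer)", date(2022, 5, 1), "isolated", "legacy-vlan", True, None),
    Entry("UnknownTool 1.0", None),
]

def report(register, today):
    """Map each entry name to its findings, omitting entries with none."""
    results = {e.name: assess(e, today) for e in register}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in report(REGISTER, date.today()).items():
        print(f"{name}: {'; '.join(findings)}")
```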
Key Takeaway
Do not leave unsupported software in scope. Remove it, upgrade it, replace it, or isolate it from all internet traffic and prove the isolation works.
Your Workbook Activity
Complete: Unsupported software register and isolation evidence record
Next Lesson
In the next lesson: Final security update management review: patch evidence, update failures, unsupported software and common failures