Cyber Essentials with Legacy Systems: How to Get Certified Without Replacing Everything

Most businesses I assess have at least one system that can't be updated. It might be a manufacturing controller running Windows 7, an accounting application that only works on Server 2012 R2, or a specialist device with embedded firmware that hasn't been updated since 2018.
CE requires that all software in scope receives security updates within 14 days. Unsupported software, by definition, no longer receives security updates. That doesn't mean you can't get certified. It means you need to manage the legacy systems differently.
The core rule
CE's patch management requirement states that all software within the assessment scope must be vendor-supported. Patches must be applied within 14 days of a security update being released.
If software is unsupported (the vendor no longer issues security patches), you have three options:
- Upgrade or replace the system with a supported version
- Move it out of scope using a sub-scope boundary
- Use Extended Security Updates if the vendor offers them
There's no option 4 where you leave an unsupported system in scope and hope the assessor doesn't notice. The questionnaire asks directly about unsupported software, and Plus testing will identify it.
Option 1: Upgrade or replace
This is the cleanest solution by far. If you can upgrade the operating system or replace the application with a supported alternative, do that. It solves the CE problem and reduces your actual risk (per the latest containment compliance framework update).
Common upgrades:
- Windows 10 to Windows 11 (Windows 10 reaches end of life October 2025)
- Windows Server 2012 R2 to Server 2022
- Legacy on-premise applications to cloud-hosted alternatives
- End-of-life network equipment to current-generation devices
The blocker is usually one of three things: the legacy application doesn't run on the new OS, the hardware can't support the new OS, or the upgrade cost is prohibitive in the short term.
Option 2: Sub-scope boundary
When you can't upgrade, the alternative is isolation. Sub-scoping places legacy systems outside the CE assessment boundary using network segmentation and documented controls.
What a sub-scope requires
Network isolation: the legacy system must be on a separate network segment from your main IT. That typically means a dedicated VLAN with firewall rules that restrict traffic to and from the legacy segment.
The firewall rules should:
- Block all inbound traffic from the internet to the legacy segment
- Restrict traffic between the legacy segment and your main network to only what's necessary
- Log all traffic crossing the boundary
- Default-deny: anything not explicitly allowed is blocked
Documentation: you need to document:
- Which systems are in the sub-scope
- Why they can't be upgraded (business justification)
- What compensating controls are in place
- How the sub-scope boundary is maintained
- When the systems are planned for replacement (if applicable)
Compensating controls: beyond network isolation, compensating controls might include:
- Antivirus or endpoint protection on the legacy system (even unsupported systems can often run antivirus)
- Restricted user access (only the people who need the legacy application can access the segment)
- Enhanced monitoring of traffic crossing the boundary
- Regular review of whether the business justification still holds
What the assessor checks
During the assessment, I verify that:
- The sub-scope boundary is technically enforced (firewall rules, VLAN configuration)
- Traffic between the sub-scope and main scope is restricted
- The documentation matches the technical reality
- The compensating controls are in place and active
- The legacy systems genuinely can't be brought into compliance
I don't assess the legacy systems against CE controls because they're outside scope. But the boundary that protects the main scope from the legacy systems IS assessed.
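The four firewall properties listed above (block inbound from the internet, restrict cross-boundary traffic to what is necessary, log it, default-deny) are exactly what the assessor is confirming when checking that the boundary is technically enforced. The Python below is an added example written for this page, not code from the original post or from any assessment body. It models a firewall ruleset in a vendor-neutral form and reports which of those properties a given ruleset fails; the addresses, rule format and sample rulesets are constructed, and the "legacy segment can reach the internet" finding is stricter than the minimum stated above (it follows the no-internet-access isolation the post recommends for embedded devices).

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional

# Constructed addresses for this illustration (hypothetical, not from the post).
LEGACY = ip_network("10.50.0.0/24")   # sub-scope VLAN holding the unsupported systems
MAIN = ip_network("10.10.0.0/16")     # main office IT, inside CE scope
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"          # "tcp", "udp" or "any"
    port: Optional[int] = None  # destination port; None means any port
    log: bool = False           # whether matches are written to the firewall log


@dataclass
class Ruleset:
    rules: List[Rule]
    default_action: str = "deny"   # what happens to traffic no rule matches


def is_external(net: IPv4Network) -> bool:
    """Assumption: anything not inside a known internal segment is internet-reachable."""
    return not (net.subnet_of(LEGACY) or net.subnet_of(MAIN))


def crosses_boundary(rule: Rule) -> bool:
    """True when the rule lets traffic move between the legacy VLAN and anything outside it."""
    src_in, dst_in = rule.src.overlaps(LEGACY), rule.dst.overlaps(LEGACY)
    return (src_in and not rule.dst.subnet_of(LEGACY)) or (dst_in and not rule.src.subnet_of(LEGACY))


def check_boundary(rs: Ruleset) -> List[str]:
    """Return one finding per property of the sub-scope boundary that the ruleset fails."""
    findings: List[str] = []
    if rs.default_action != "deny":
        findings.append("default policy is not deny: unlisted traffic is allowed")
    for n, r in enumerate(rs.rules, 1):
        if r.action != "allow":
            continue
        if r.dst.overlaps(LEGACY) and is_external(r.src):
            findings.append(f"rule {n}: allows inbound traffic to the legacy segment from outside")
        if r.src.overlaps(LEGACY) and is_external(r.dst):
            findings.append(f"rule {n}: lets the legacy segment reach the internet")
        if crosses_boundary(r):
            if r.proto == "any" or r.port is None:
                findings.append(f"rule {n}: cross-boundary allow is not limited to a specific protocol and port")
            if not r.log:
                findings.append(f"rule {n}: cross-boundary allow is not logged")
    return findings


# Constructed sample: a boundary that satisfies the requirements.
GOOD_RULESET = Ruleset(
    rules=[
        # support staff jump host may RDP into the legacy VLAN, logged
        Rule("allow", ip_network("10.10.5.0/24"), LEGACY, "tcp", 3389, log=True),
        # legacy controller may write to one named file share, logged
        Rule("allow", LEGACY, ip_network("10.10.20.10/32"), "tcp", 445, log=True),
        # explicit logged deny for everything else leaving the legacy VLAN
        Rule("deny", LEGACY, ANY, log=True),
    ],
    default_action="deny",
)

# Constructed sample: a "segmented" VLAN that would not pass the assessor's checks.
BAD_RULESET = Ruleset(
    rules=[
        Rule("allow", ANY, LEGACY, "tcp", 3389),          # RDP open from anywhere, unlogged
        Rule("allow", LEGACY, MAIN),                      # flat access to the main network
        Rule("allow", LEGACY, ANY, "tcp", 443, log=True), # legacy VLAN browses the internet
    ],
    default_action="allow",
)


if __name__ == "__main__":
    for name, rs in (("good", GOOD_RULESET), ("bad", BAD_RULESET)):
        print(f"{name}: {check_boundary(rs) or ['boundary requirements met']}")
```

The point of writing the check this way is that the documentation (which systems, which flows are necessary) and the technical reality (the rules actually loaded) can be compared mechanically: export the live ruleset, translate each entry into a `Rule`, and any non-empty findings list is a gap between the two. The same structure maps onto an nftables or vendor firewall policy, where the default-deny chain policy and per-rule logging are separate settings and both need checking.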
Option 3: Extended Security Updates
Microsoft offers Extended Security Updates (ESU) for some products after their mainstream support ends. If you're enrolled in ESU and applying the patches, the software counts as supported for CE purposes.
ESU is available for:
- Windows Server 2012 R2 (ESU through Azure or ESU subscription)
- Windows 10 (ESU available from October 2025)
ESU has a cost and a time limit. It buys you time to plan a migration, but it's not a permanent solution.
Common legacy scenarios
Manufacturing and industrial control
Production machines often run old operating systems because the control software is certified for a specific OS version. Upgrading the OS means re-certifying the control software. That can cost more than the machine itself.
Approach: sub-scope the production network. Manufacturing equipment goes in the sub-scope behind a firewall boundary. Office IT stays in the main scope. This is the most common configuration I see in manufacturing businesses seeking CE.
Specialist professional applications
Legal case management systems, medical records software, accountancy packages. Some of these have been running for decades. The vendor either no longer exists or charges substantial fees for the current version.
Approach: if the application can run on a supported OS, upgrade the OS and keep the application. If it can't, sub-scope the system and restrict access to the users who need it.
Embedded devices and firmware
Network-attached storage, CCTV systems, access control panels, HVAC controllers. These often have firmware that's no longer updated by the manufacturer.
Approach: sub-scope if the device is network-connected and can't be updated. Some devices can be isolated on their own VLAN with no internet access and minimal network connectivity. The less the device can communicate, the smaller the risk.
Planning the migration
Sub-scoping is a management strategy, not a permanent solution. The legacy systems still carry risk even when isolated, so plan the migration with these steps in mind.
- Inventory every legacy system and its business function
- Assess alternatives for each system (upgrade, replace, cloud migration)
- Estimate costs and timelines for each migration path
- Prioritise by risk: internet-facing legacy systems first, then internal systems with access to sensitive data, then isolated systems
- Review annually as part of your CE renewal
Your CE assessor doesn't require a migration timeline, but having one demonstrates that the sub-scope is a managed decision, not a neglected problem.
For more on how CE handles unsupported software specifically, read the unsupported software guide. For the full CE scope rules under Danzell, read the scope changes guide.
Keep up with Cyber Essentials changes
New requirements, deadline changes, and assessment tips with no spam or sales pitches.
Subscribe to the newsletter | Follow Daniel on LinkedIn