EOS Stop Gap Guide

Last updated on Jan 05, 2026

1. Purpose of This Guide

This guide helps you show that you are not blindly running systems that are no longer supported, and that mitigation measures are in place for them.

“EOS” means End of Support — the vendor has stopped providing:

  • Security patches

  • Bug fixes

  • Official support

SMEs can’t always replace systems immediately, but continuing to run an EOS system does require you to:

  • Understand the risk

  • Get management approval

  • Put temporary (stop-gap) protections in place

  • Actively monitor the risk until replacement

This artefact proves you’ve done exactly that — no head-in-the-sand behaviour.


2. What You Will Submit

You will submit documentation showing how you are temporarily managing EOS risk, such as:

  • A risk assessment for the EOS system

  • Remarks in that risk assessment describing the stop-gap measures (compensating controls) in place for the system

  • Evidence of management approval to continue using the EOS system, if relevant

  • A timeline or plan for replacement or decommissioning

This is decision + risk evidence, not a technical configuration screenshot.


3. How to Collect / Obtain / Generate This Evidence

Step 1: Identify the EOS Asset

From your Asset Inventory, identify:

  • Asset name (hardware or software)

  • EOS date

  • Business purpose

  • Why it cannot yet be replaced

Step 2: Document the Risk

Create a short document (1–2 pages is enough) covering:

  • What risks exist because the system is EOS
    (e.g. unpatched vulnerabilities, unsupported OS)

  • What data or systems could be impacted

  • Overall risk rating (Low / Medium / High)

This can be part of:

  • A Risk Register entry, or

  • A standalone “EOS Risk Assessment” document

Example (remark in the Risk Register Form):

“Legacy accounting server — vendor support ended Mar 2024. Replacement scheduled Q4 2025.”

Step 3: Define Stop-Gap (Mitigating) Measures

Document temporary controls you’ve put in place, such as:

  • Network isolation or segmentation

  • Restricted access (only specific users)

  • Firewall rules or IP allow-listing

  • Increased monitoring or logging

  • Additional backups

  • Manual patching or compensating controls

These don’t need to be perfect — they need to be reasonable and intentional.

Step 4: Obtain Management Approval

Include evidence that:

  • Senior management is aware of the risk

  • Continued use is explicitly approved

This can be:

  • An approval email

  • A signed approval section in the document

  • A meeting note or decision log

Step 5: Define a Replacement Plan

Clearly state:

  • Planned replacement or decommissioning date

  • Review or monitoring frequency until replacement

Auditors want to see this is temporary, not permanent neglect.


4. Evidence Format

Accepted file types

  • PDF

  • DOCX

  • PNG / JPG (for signed approvals or emails)

Suggested naming format
YourCompanyName_EOS_StopGap_Date

Example
AcmePteLtd_EOS_StopGap_2025-07-01.pdf


5. What “Good” Looks Like

Your evidence is solid if it shows:

  • Visible element: Identification of EOS asset
    Why it matters: Proves awareness of unsupported systems

  • Visible element: Risk assessment or risk description
    Why it matters: Shows the risk is understood, not ignored

  • Visible element: Clear stop-gap controls
    Why it matters: Demonstrates active risk mitigation

  • Visible element: Management approval
    Why it matters: Confirms accountability and informed decision-making

  • Visible element: Replacement or exit plan
    Why it matters: Confirms EOS use is temporary


6. Tips from Sir Stonk 🛡️

  • Don’t panic about EOS. Panic is worse than planning. Auditors care about how you manage the risk, not perfection.

  • Keep it short and honest. One clear page beats ten vague ones.

Running EOS systems without controls is risky.
Running them with eyes open, approval granted, and armour added?
That’s exactly what Cyber Essentials expects.