💼 43 To minimise information security vulnerabilities, an APRA-regulated entity would typically decommission systems:

a. that cannot be adequately updated as new security vulnerabilities or threats are identified; b. where the use of mitigating controls — such as segregation from other information assets — is not an option.