Organizations SHALL implement system refresh cycles, replacing company systems after an appropriate period of time, with detailed procedures in place to aid in the process.

Control Type: Administrative

Control Function: Preventive

One of the most common traps businesses fall into is not having a plan or lifecycle for procuring new systems for their environments. These systems are the backbone of many business workflows, with many businesses using computer technology on a 9-to-5 basis every day of the work week. Because systems are so important and require regular care, there needs to be a plan for when devices will be retired and new devices brought in to take their place. What often happens instead is that businesses continue to use the devices they have for as long as possible, and before they know it, they are stuck using old hardware that cannot support the newest operating systems. In the long run, this causes greater harm to the business.

Many organizations got a rude awakening when trying to upgrade to Windows 11 by the time Windows 10 expired in October 2025. Windows 11 introduced modern system requirements such as UEFI, Secure Boot, and the presence of a TPM. Many businesses did not have systems that met those requirements and thus could not upgrade. As a result, they were left with two options: either spend money on all new devices or continue using Windows 10 past its End of Support date. Many chose the latter option, which introduced an unbelievable level of risk to their environments because legacy systems stayed in use organization-wide. To mitigate the risk of falling into a situation like this in the future, businesses must implement plans and procedures for refresh cycles.

A Refresh Cycle defines a future period of time during which information technology upgrades are implemented. Planning for refresh cycles will alleviate some of the difficulties encountered when first trying to upgrade assets. Budgets, device selections, and integration plans can all be defined ahead of time to make the procurement and acquisition of new systems easier. Depending on how much a business relies on the continued functionality and performance of its systems, the refresh cycle period could be anywhere from three to five years from the last upgrade. The period also depends on the specifications of the devices and the amount of use they receive in a set period. Laptops with basic specs that will move across different locations will likely need a shorter refresh cycle of three years to keep hardware performance at a usable baseline. On the other hand, powerful desktops that are never moved outside the business facilities can function well for a very long time.

The key is not to assume that devices can function forever and thus write off the need for a refresh cycle plan. At a minimum, every business environment should plan for a device refresh cycle of no more than five years. At the five-year mark, businesses can opt to re-assess their devices to determine whether their performance is sufficient to extend their use. Businesses need to be aware that this is going to get more difficult as hardware and operating system manufacturers set stricter minimum standards for installation, with many adopting what is referred to as Planned Obsolescence. This occurs when vendors intentionally make the minimum requirements for their systems stricter to force customers to buy new devices regularly.

All businesses need to accept the prospect of replacing company systems every few years and make appropriate financial adjustments for it. As a blueprint for structuring a refresh cycle, businesses can use Microsoft's Enterprise Desktop Lifecycle, which governs the use of devices in organizations, from planning their purchasing to retiring them.