ISO 27001:2022 is like a roadmap for keeping your organisation’s information safe. This benchmark standard helps businesses manage risks and implement security controls. But there’s a twist: to understand and manage all security risks, you’ll need to focus on more than the internal risks. The risks at the outer perimeter also must be addressed.
That’s where External Attack Surface Management (EASM) tools come in. Think of them as your security binoculars — they help you spot vulnerabilities beyond your usual security fence, including businesses in your supply chain. EASM tools play a vital role in identifying and mitigating potential security vulnerabilities outside the traditional security perimeter.
CISO tips: Read about how Liz Knight uses EASM tools to help retain ISO 27001:2022 compliance
How to use EASM tools for ISO 27001:2022 compliance
ISO 27001:2022 isn’t just a rulebook; it’s a strategic guide for safeguarding your organisation’s digital assets.
Here’s how to use EASM tools to help meet specific ISO 27001 requirements:
- Risk assessment and treatment (Clause 6.1.2)
  - Automated discovery: EASM tools scan the vast internet landscape, spotting new exposures or changes that could introduce security risks.
  - Prioritisation: By monitoring internet-facing assets, EASM tools help you prioritise risks so that you can focus your remediation efforts on the highest-priority risks.
  - Proactive approach: ISO 27001 demands ongoing risk assessment. EASM tools keep your risk treatment plan up to date, pre-emptively addressing vulnerabilities.
- Information security control (Clause 8.2)
  - Tailored controls: EASM insights can guide your security controls. Need a stronger firewall? Patching updates? Improved configurations? EASM findings provide the input for that blueprint.
  - Mitigating external vulnerabilities: ISO 27001 requires controls aligned with your risk assessment. EASM findings point you to the specific measures needed to tackle external threats head-on.
- Continuous improvement (Clause 10.1)
  - Evolving threat landscape: EASM tools aren’t static; they adapt to include new risks. Their ongoing monitoring and reporting capabilities keep you informed about new risks.
  - Agility: As threats evolve, your security measures must too. EASM supports your ISMS’s continual improvement, ensuring your defences remain effective.
Documented Information: ISO 27001:2022 now demands records of processes and results. EASM tools make this easy — they track and record activities, providing evidence of due diligence.
The supply chain security shift
ISO 27001:2022 places a new emphasis on supply chain security. Gone are the days when supplier relationships were mere transactions. Today, they’re strategic partnerships that demand vigilance.
How to use EASM tools with your supply chain partners for ISO 27001:2022 compliance
- Security requirements for procurement: When acquiring products or services, ensure that information security requirements are etched into the procurement process. EASM tools vet suppliers against these requirements. There will be no more blind spots.
- Propagation of security requirements: Your suppliers are part of an intricate web of supply chains. EASM tools empower you to cascade your security mandates down the line. Whether it’s a subcontractor or a distant vendor, enforce consistency. After all, security is only as strong as its weakest link.
- Annual check-in: Monitoring and validation: EASM tools don’t rest. They tirelessly monitor supplier adherence to security requirements. An annual check-in—a non-negotiable minimum—ensures compliance isn’t a fleeting affair. It’s a commitment.
- Critical elements: Identify and document: Not all products and services are created equal. Some are the lifeblood of your operations. EASM tools help you identify these critical elements. Document them. Protect them. Prioritize them.
- Security assurance: Meeting the bar: ISO 27001:2022 sets the bar high. EASM tools confirm that your products meet—and exceed—these standards. Compliance isn’t a checkbox; it’s a badge of honor.
- Information sharing rules: Establish clear rules for sharing information. EASM tools facilitate seamless communication. Report issues promptly and share insights.
- Alternative supplier strategies: Sometimes, the unexpected happens. EASM tools prepare you for contingencies. Explore alternative supplier strategies.
How should you use EASM tools to safeguard your supply chain, especially when considering Annex 5.21 and Clause 8.1, which discuss the need for monitoring, measurement, analysis, and evaluation?
EASM tools can help with:
- Supplier risk management: EASM tools can perform external vulnerability assessments to understand suppliers' approaches to security and how potential security flaws may impact the organization via their supply chain.
- Due diligence: Conducting due diligence is essential when engaging with new suppliers or renewing contracts with existing ones. EASM tools enable organizations to assess the external attack surface of potential suppliers and provide a security score or risk level, which is crucial for decision-making.
- Compliance monitoring: Regularly using EASM tools to scan suppliers ensures that they comply with the same security standards as yourself. This compliance monitoring is critical for maintaining the integrity of the supply chain and ensuring that all parts of the business ecosystem adhere to ISO 27001 requirements.
This alone will not meet all the requirements for supplier ISO compliance. While it helps, you also need to consider other systems and processes for onboarding and managing suppliers.
How an IT consultancy uses an EASM tool to help retain ISO 27001:2022 compliance
Our parent company, Theta, uses Glasstrail as its EASM tool to assist with ISO 27001:2022 compliance. Liz Knight, Theta’s CISO, has these 5 tips based on her experience:
- Use Glasstrail's notifications option to send new ‘critical’ and ‘high’ alerts to your ticketing system so you are aware of any important findings as they come in.
- Use the Vendor scanning option to better understand how your vendors perform against your security expectations. You can re-run these scans as required to track any changes to your vendors' external security posture. We incorporate these scans into our supply chain application, integration, and service provider vetting process.
- Use the Password Breach findings as an opportunity to have one-on-one conversations with impacted employees about password security and the need to use long, strong, and unique passwords!
- Enabling DKIM and DMARC on your main domain is extremely important but Glasstrail helps you gain visibility of other domains owned by your organisation and whether they are protected from spoofing as well.
- Expired certificates can wreak havoc on the IT team if they are not tracked – use Glasstrail to get a handle on what SSL certificates are part of your inventory and track when they are due to expire so you can avoid any site outages.
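The DMARC and certificate tips above can be turned into a repeatable check over a domain inventory. The script below is an added example, not Glasstrail's or Theta's code; the domains, TXT records and expiry dates are constructed sample data, and no DNS or TLS lookups are performed.

```python
# Added example, not Glasstrail's or Theta's code: assess an inventory of owned
# domains for DMARC enforcement and certificate expiry. All records and dates
# below are constructed sample data, not live DNS lookups.
from datetime import datetime, timezone

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed "today" for the report

# Constructed inventory: domain -> (DMARC TXT record or None, certificate notAfter in UTC)
INVENTORY = {
    "example.com": ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com", "2026-03-01T00:00:00Z"),
    "shop.example.com": ("v=DMARC1; p=none; sp=quarantine", "2025-01-20T00:00:00Z"),
    "legacy.example.net": (None, "2024-12-25T00:00:00Z"),
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_status(txt):
    """'missing' (no usable record), 'monitor-only' (p=none), 'partial' (pct<100) or 'enforced'."""
    if not txt:
        return "missing"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"  # malformed record: receivers ignore it, so no spoofing protection
    if tags.get("p", "none").lower() not in ("quarantine", "reject"):
        return "monitor-only"
    return "enforced" if tags.get("pct", "100") == "100" else "partial"

def days_until_expiry(not_after, now):
    """Days left on a certificate given its notAfter timestamp (ISO 8601, 'Z' suffix)."""
    exp = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (exp - now).days

def build_report(inventory, now, warn_days=30):
    """Return {domain: findings}; an empty list means no action is needed."""
    report = {}
    for domain, (dmarc_txt, not_after) in inventory.items():
        findings = []
        status = dmarc_status(dmarc_txt)
        if status != "enforced":
            findings.append(f"DMARC {status}")
        left = days_until_expiry(not_after, now)
        if left < 0:
            findings.append(f"certificate expired {-left} days ago")
        elif left <= warn_days:
            findings.append(f"certificate expires in {left} days")
        report[domain] = findings
    return report
```

Feeding the output of an EASM discovery run into `INVENTORY` (instead of the constructed values) gives a nightly list of domains that are not yet protected from spoofing or whose certificates are about to lapse.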
Strengthening ISO 27001:2022 compliance with EASM tools
EASM tools are not just supplementary; their ‘security binoculars’ approach extends our vision beyond the usual security perimeter and is essential when implementing and maintaining an ISMS in accordance with ISO 27001:2022. Automating risk discovery allows you to manage risks proactively, enforce security controls effectively, and continuously improve.
Additionally, the strategic nature of today’s supplier relationships is also reflected in ISO 27001:2022. EASM tools allow us to see how effective our partners’ security controls are. Using EASM on an ongoing basis allows you to easily review the security commitment woven into the fabric of your supply chain.
Glasstrail is an affordable External Attack Surface Management tool that can be used to assess your own perimeter as well as that of those in your supply chain. Try it on your domain with a 14-day free trial, or get an account and complete both your own and vendor scans.
Our sister product, EVA Check-in, includes a Supplier Compliance Management module. This module can help streamline supplier onboarding and reduce the ongoing compliance burden. With efficient features such as using AI to assess the documents suppliers upload, you can speed up your onboarding processes.
Definition
What is External Attack Surface Management? Consider EASM as a regular health checkup for your digital assets. Just as you visit a doctor to assess your well-being, EASM assesses your organization’s online health. It identifies vulnerabilities, prioritizes risks, and ensures your digital systems stay fit and resilient. Here’s what it entails:
- Detection: EASM tools scan the vast expanse of the internet, seeking out every trace of your organisation—be it websites, email setups, or even third-party services. They find any exposed elements.
- Assessment: Once detected, these tools assess the vulnerabilities and prioritise the risks. Think of it as a health check for your digital assets. Are there open doors? Unpatched windows? EASM provides the answers.
- Security Measures: Armed with insights, you can then secure those exposed elements. Whether it’s fortifying your domains, tightening email configurations, or patching IPs, EASM ensures you’re pre-emptively addressing risks, so that you stay one step ahead of potential exploiters.