How EASM Helps You Prepare for ISO 27001 and NIS2
ISO 27001 and NIS2 both require organisations to manage their external security posture. Learn exactly which controls and articles map to EASM, what auditors expect, and how to build compliance-ready evidence through continuous external scanning.
The compliance problem no spreadsheet can solve
Every ISO 27001 auditor and NIS2 assessor eventually asks the same question: how do you know what you have exposed to the internet, and how do you know it is secure?
The traditional answer involves a combination of asset inventories maintained in spreadsheets, quarterly vulnerability scans, and annual penetration tests. It works -- until it does not. The spreadsheet was last updated six months ago. The quarterly scan missed the staging server that a developer spun up last Tuesday. The pentest covered the main web application but not the 43 subdomains running various internal tools.
Both ISO 27001 and NIS2 have moved beyond point-in-time assessments. They expect continuous awareness of your security posture. External Attack Surface Management (EASM) provides exactly that, and it maps directly to the specific controls and articles that auditors evaluate.
This article walks through the precise requirements in both frameworks and shows how EASM satisfies them -- not in theory, but in the practical terms that matter during an audit.
ISO 27001: The controls that demand external visibility
ISO 27001:2022 restructured its Annex A controls and introduced several that directly or indirectly require EASM capabilities. Here are the ones that matter most.
A.5.9 -- Inventory of information and other associated assets
You must maintain an inventory of assets associated with information and information processing facilities. For external security, this means knowing every domain, subdomain, IP address, cloud resource, and internet-facing service your organisation owns or operates.
What the auditor asks: "Show me your asset inventory. How do you keep it current? What process detects new assets that bypass your change management?"
What EASM provides: A continuously updated inventory of all internet-facing assets, discovered from the outside. When a new subdomain appears or a new service is deployed, it shows up in the next scan -- regardless of whether it went through change management. This turns your asset inventory from a manually maintained list that is always slightly wrong into a live, verified record.
A.8.8 -- Management of technical vulnerabilities
This is the control most directly tied to external scanning. It requires that you obtain timely information about technical vulnerabilities, evaluate your exposure, and take appropriate measures to address the risk.
What the auditor asks: "How do you identify vulnerabilities in your external infrastructure? How quickly do you remediate them? Show me evidence covering the past 12 months."
What EASM provides: Continuous external scanning that detects vulnerabilities across your entire attack surface -- not just the assets you remembered to add to a scanner. Findings are classified by severity, tracked with timestamps, and include remediation verification. The historical record shows exactly when a vulnerability was discovered, when it was fixed, and how your mean time to remediate trends over the audit period.
A.8.9 -- Configuration management
Security configurations must be established, documented, implemented, monitored, and reviewed. For external assets, this means TLS configurations, security headers, DNS records, email authentication, and firewall rules.
What the auditor asks: "How do you ensure your external configurations remain secure over time? What detects configuration drift?"
What EASM provides: Continuous monitoring of security-relevant configurations on every external asset. When a TLS certificate is replaced with a weaker one, when an HTTP security header is removed during a deployment, when a DNS record changes unexpectedly -- EASM detects it and alerts your team.
A.8.16 -- Monitoring activities
You must monitor networks, systems, and applications for anomalous behaviour and take appropriate actions to evaluate potential information security incidents.
What the auditor asks: "What monitoring covers your external perimeter? How are changes detected?"
What EASM provides: Change detection across your external attack surface. New assets, new open ports, certificate changes, DNS modifications, and newly detected vulnerabilities are all flagged. This is the external complement to your internal SIEM and endpoint monitoring.
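The configuration-drift and change-detection checks described under A.8.9 and A.8.16 come down to diffing consecutive inventory snapshots. The following is an added illustration, not SurfaceScan's code; the snapshot layout, hostnames and addresses are constructed for the example.

```python
# Constructed inventory snapshots from two consecutive external scans, keyed by hostname.
# Each value records open ports, certificate fingerprint, A record and observed security headers.
BASELINE = {
    "www.example.com": {"ports": {443}, "cert": "sha256:aa11", "dns_a": "203.0.113.10",
                        "headers": {"strict-transport-security", "content-security-policy"}},
    "api.example.com": {"ports": {443}, "cert": "sha256:bb22", "dns_a": "203.0.113.11",
                        "headers": {"strict-transport-security"}},
}
CURRENT_SCAN = {
    # CSP header dropped during a deployment (A.8.9 configuration drift)
    "www.example.com": {"ports": {443}, "cert": "sha256:aa11", "dns_a": "203.0.113.10",
                        "headers": {"strict-transport-security"}},
    # new database port, replaced certificate and an unexpected DNS change (A.8.16)
    "api.example.com": {"ports": {443, 5432}, "cert": "sha256:cc33", "dns_a": "198.51.100.7",
                        "headers": {"strict-transport-security"}},
    # asset that never went through change management (A.5.9)
    "staging.example.com": {"ports": {80, 443}, "cert": "sha256:dd44", "dns_a": "203.0.113.20",
                            "headers": set()},
}

def diff_scans(baseline, current):
    """Return (alert_type, host, detail) tuples for every change between two scans."""
    alerts = []
    for host in sorted(current.keys() - baseline.keys()):
        alerts.append(("new_asset", host, sorted(current[host]["ports"])))
    for host in sorted(baseline.keys() - current.keys()):
        alerts.append(("asset_disappeared", host, None))
    for host in sorted(baseline.keys() & current.keys()):
        old, new = baseline[host], current[host]
        for port in sorted(new["ports"] - old["ports"]):
            alerts.append(("new_open_port", host, port))
        if new["cert"] != old["cert"]:
            alerts.append(("certificate_changed", host, f'{old["cert"]} -> {new["cert"]}'))
        if new["dns_a"] != old["dns_a"]:
            alerts.append(("dns_changed", host, f'{old["dns_a"]} -> {new["dns_a"]}'))
        for header in sorted(old["headers"] - new["headers"]):
            alerts.append(("security_header_removed", host, header))
    return alerts

if __name__ == "__main__":
    for alert in diff_scans(BASELINE, CURRENT_SCAN):
        print(*alert)
```

Each alert tuple is the kind of record an auditor expects to see alongside a note on how it was handled.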
A.5.23 -- Information security for use of cloud services
Cloud services must be managed with appropriate security controls, including acquisition, use, management, and exit from cloud services.
What the auditor asks: "How do you maintain visibility over cloud resources that are internet-facing? How do you detect shadow cloud usage?"
What EASM provides: Discovery of cloud resources (storage buckets, compute instances, serverless functions, CDN endpoints) associated with your organisation that are publicly accessible. This catches the cloud resources that your cloud security posture management (CSPM) tool misses because they were created in accounts outside your central management.
NIS2: Article 21 and what it means in practice
The NIS2 Directive (EU 2022/2555) takes a different approach from ISO 27001. Instead of a detailed control framework, it specifies broad cybersecurity risk management measures in Article 21. These are less prescriptive, which gives organisations flexibility but also means you need to demonstrate that your chosen measures are appropriate and effective.
Article 21(2)(a) -- Policies on risk analysis and information system security
Organisations must have risk analysis policies. For external security, this starts with knowing what you have and what risks each asset introduces.
What the assessor asks: "How do you assess risk for your internet-facing infrastructure? Is this a continuous process or periodic?"
What EASM provides: Continuous risk assessment of your external attack surface. Every asset is evaluated against security criteria (TLS strength, email authentication, exposed services, known vulnerabilities), and each finding is risk-rated. This transforms external risk assessment from a periodic exercise into an ongoing, evidence-backed process.
Article 21(2)(d) -- Supply chain security
NIS2 requires attention to supply chain risks, including direct suppliers and service providers. Your external attack surface includes third-party services that operate under your domain -- CDNs, email providers, SaaS platforms, and hosted services.
What the assessor asks: "How do you monitor the security of third-party services that are part of your infrastructure?"
What EASM provides: Visibility into third-party services discovered through DNS records, certificate analysis, and web crawling. When a third-party service you depend on has a misconfiguration that affects your domain (for example, a CDN serving your content with an expired certificate, or an email provider not properly signing DKIM), EASM detects it.
Article 21(2)(e) -- Vulnerability handling and disclosure
This requires security in the acquisition, development, and maintenance of network and information systems, explicitly including vulnerability handling and disclosure.
What the assessor asks: "Describe your vulnerability management process for internet-facing systems. Show me evidence of timely remediation."
What EASM provides: The complete vulnerability lifecycle for external assets: discovery, classification, assignment, remediation, and verification. Historical data demonstrates that vulnerabilities are handled consistently and within defined timeframes.
Article 21(2)(g) -- Basic cyber hygiene practices and cybersecurity training
NIS2 requires "basic cyber hygiene practices." For internet-facing infrastructure, this includes fundamentals like valid TLS certificates, proper email authentication, no unnecessary open ports, and no default credentials on exposed services.
What the assessor asks: "How do you ensure basic security hygiene across your external infrastructure?"
What EASM provides: Automated checking of hygiene fundamentals across every asset. Expired certificates, missing DMARC enforcement, exposed database ports, weak cipher suites, missing security headers -- these are the basics that EASM monitors continuously.
Article 21(2)(h) -- Policies and procedures regarding the use of cryptography and encryption
Appropriate and effective use of cryptography is required. For external assets, this means TLS configuration, cipher suite selection, certificate management, and protocol version enforcement.
What the assessor asks: "Show me that your TLS deployment meets current standards across all internet-facing services."
What EASM provides: TLS assessment on every external endpoint: protocol versions, cipher suites, certificate validity, chain correctness, HSTS deployment, and known TLS vulnerabilities. When standards change (for example, a cipher suite is deprecated), the next scan identifies every asset that needs updating.
What auditors actually want to see
Beyond mapping controls to capabilities, it helps to understand what makes an audit go smoothly versus painfully.
Evidence over documentation
Auditors have seen too many beautifully written policies that are not actually followed. They want evidence: scan reports with timestamps, remediation records showing when findings were opened and closed, trend data showing improvement over time. A live dashboard is more convincing than a PDF.
Continuous over periodic
A quarterly scan report is the minimum. Auditors increasingly expect evidence of continuous monitoring because both ISO 27001 and NIS2 use language like "ongoing" and "continuous" when describing monitoring requirements. Weekly or daily scans, with alerting on changes between scans, meet this expectation clearly.
Complete scope
If you scan 80% of your domains but miss 20%, an auditor will focus on the 20%. EASM's discovery capability is critical here -- it ensures you are scanning assets you did not even know you had, which means your scope is as complete as possible.
Remediation tracking with SLAs
Auditors want to see that vulnerabilities are not just found but fixed within a defined timeframe. Severity-based SLAs are standard:
- Critical: 48 hours
- High: 7 days
- Medium: 30 days
- Low: 90 days
What matters is that you have defined SLAs, you track against them, and you can show your compliance rate. Where you miss an SLA, you need documented exceptions with risk acceptance.
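The SLA compliance rate an auditor asks for can be computed directly from an export of findings with opened and closed timestamps. The following is an added example, not SurfaceScan's code; the finding records, the exception reference and the audit cut-off date are constructed, and the SLA values are the ones listed above.

```python
from datetime import datetime, timedelta

# Severity-based remediation SLAs as listed in the article.
SLA_HOURS = {"critical": 48, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}
STATUSES = ("met", "breached", "open_within_sla", "overdue", "exception")

# Constructed sample findings in the shape an EASM export typically has:
# severity, opened/closed timestamps and an optional documented risk acceptance.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "opened": "2024-03-01T09:00", "closed": "2024-03-02T15:00"},
    {"id": "F-2", "severity": "critical", "opened": "2024-03-05T09:00", "closed": "2024-03-09T09:00"},
    {"id": "F-3", "severity": "high", "opened": "2024-03-10T09:00", "closed": None},
    {"id": "F-4", "severity": "high", "opened": "2024-02-01T09:00", "closed": None, "exception": "RA-17"},
    {"id": "F-5", "severity": "medium", "opened": "2024-03-20T09:00", "closed": "2024-03-25T09:00"},
    {"id": "F-6", "severity": "low", "opened": "2024-03-28T09:00", "closed": None},
]
AS_OF = datetime(2024, 3, 31, 9, 0)  # end of the audit period (constructed)

def classify(finding, as_of):
    """Place one finding in an SLA status bucket as of the given date."""
    if finding.get("exception"):  # documented risk acceptance, reported separately
        return "exception"
    deadline = datetime.fromisoformat(finding["opened"]) + timedelta(hours=SLA_HOURS[finding["severity"]])
    if finding["closed"] is not None:
        return "met" if datetime.fromisoformat(finding["closed"]) <= deadline else "breached"
    # Still open: only counts against the SLA once the deadline has passed.
    return "open_within_sla" if as_of <= deadline else "overdue"

def sla_report(findings, as_of):
    """Count findings per severity and status, e.g. {'critical': {'met': 1, 'breached': 1, ...}}."""
    report = {sev: dict.fromkeys(STATUSES, 0) for sev in SLA_HOURS}
    for f in findings:
        report[f["severity"]][classify(f, as_of)] += 1
    return report

def compliance_rate(findings, as_of):
    """Share of SLA-decided findings that met their SLA. Findings still inside
    their window and documented exceptions are excluded from the denominator."""
    met = decided = 0
    for f in findings:
        status = classify(f, as_of)
        if status in ("met", "breached", "overdue"):
            decided += 1
            met += status == "met"
    return met / decided if decided else 1.0

if __name__ == "__main__":
    print(sla_report(SAMPLE_FINDINGS, AS_OF), f"{compliance_rate(SAMPLE_FINDINGS, AS_OF):.0%}")
```

Running this over monthly slices of the export gives the month-over-month compliance trend discussed below.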
Trend data
An auditor wants to see that your security posture is stable or improving, not deteriorating. Month-over-month charts showing total findings by severity, mean time to remediate, and compliance rate against SLAs are powerful evidence.
Building an audit-ready EASM programme
Here is a practical sequence for organisations preparing for ISO 27001 certification or NIS2 compliance.
Months 1--2: Baseline
Start EASM scanning across all your known domains and IP ranges. The first scan will be humbling -- expect to discover assets you did not know about and findings you did not expect. This is normal and exactly why you are doing this.
Document your initial attack surface size (number of assets, number of findings by severity). This becomes your baseline for trend reporting.
Months 2--3: Remediate critical and high findings
Focus on the findings that matter most: expired certificates, exposed database ports, missing DMARC enforcement, default credentials, critical vulnerabilities. These are the issues an auditor will scrutinise, and they are also the issues most likely to be exploited.
Months 3--4: Establish process
Define your remediation SLAs, assign asset ownership, and integrate EASM findings into your existing ticketing system. Document your vulnerability management procedure, referencing EASM as the discovery and monitoring mechanism for external assets.
Months 4--12: Operate and gather evidence
Run scans continuously. Track remediation. Build trend data. By the time the audit starts, you should have 6--12 months of evidence showing consistent monitoring, timely remediation, and improving security posture.
During the audit
Provide the auditor with:
- Current attack surface inventory (exported from EASM)
- Finding reports filtered by the audit period
- Remediation timeline evidence (opened date, closed date, SLA compliance)
- Trend reports showing posture over time
- Documentation of exceptions and risk acceptances
- Change detection alerts and how they were handled
This evidence maps directly to the controls and articles listed above. The auditor can trace from the requirement to the evidence without ambiguity.
Where ISO 27001 and NIS2 overlap
If your organisation needs both ISO 27001 and NIS2 compliance, the good news is that the external security evidence overlaps almost entirely. The same EASM data satisfies:
| Requirement | ISO 27001 | NIS2 |
|---|---|---|
| Asset inventory | A.5.9 | Art. 21(2)(a) |
| Vulnerability management | A.8.8 | Art. 21(2)(e) |
| Configuration management | A.8.9 | Art. 21(2)(g) |
| Monitoring | A.8.16 | Art. 21(2)(a) |
| Cryptography / TLS | A.8.24 | Art. 21(2)(h) |
| Supply chain | A.5.21 | Art. 21(2)(d) |
| Cloud security | A.5.23 | Art. 21(2)(a) |
One EASM programme, two frameworks covered.
How SurfaceScan maps to these requirements
SurfaceScan is built with compliance in mind. Every finding includes the severity rating, discovery timestamp, and remediation guidance that auditors expect. Reports can be filtered by date range to match audit periods, and trend data is available out of the box.
For ISO 27001, SurfaceScan covers the external components of A.5.9, A.8.8, A.8.9, A.8.16, and A.5.23. For NIS2, it provides the continuous vulnerability handling, risk assessment, and crypto policy evidence that Articles 21(2)(a), (d), (e), (g), and (h) require.
You do not need a six-month implementation project to get started. Add your domains, run your first scan, and start building the evidence trail your auditor will ask for.
Start your compliance baseline at surfacescan.dev.