Auditing ISO 27001 Annex A.5.7 is the strategic verification that an organisation proactively gathers and analyses threat data to anticipate security attacks. The audit confirms the Primary Implementation Requirement that intelligence is contextually mapped to the Asset Register and actionable. The Business Benefit is a resilient security posture that adapts to emerging threats before they are exploited.
Auditing ISO 27001 Annex A.5.7 focuses on verifying that the organisation effectively collects, analyses, and utilizes threat intelligence to maintain a proactive security posture. Auditors seek evidence that threat data is not just collected, but is relevant to the specific technical environment, mapped to the Asset Register, and integrated into the risk management process to mitigate emerging risks before they manifest as incidents.
1. Audit the Threat Intelligence Policy and Objectives
Formalise the review of the internal threat intelligence framework to ensure that management has defined clear objectives for data collection and analysis.
- Verify that the policy specifies the scope of intelligence, including strategic, tactical, and operational requirements.
- Check for alignment between the intelligence objectives and the organisation’s overall risk appetite.
- Ensure the policy identifies the internal stakeholders responsible for processing and acting upon threat data.
2. Provision Diverse and Relevant Intelligence Sources
Audit the selection of intelligence sources to confirm they provide a comprehensive view of the threat landscape relevant to the organisation’s industry and geography.
- Inspect subscriptions to commercial feeds, open-source intelligence (OSINT), and industry-specific ISACs (Information Sharing and Analysis Centres).
- Verify that the sources cover diverse vectors, such as malware trends, zero-day vulnerabilities, and threat actor motivations.
- Confirm that the sources are regularly reviewed for accuracy and timeliness to prevent reliance on stale data.
3. Cross-reference Intelligence with the Asset Register
Map collected threat data against the internal Asset Register to ensure that alerts are filtered for relevance to the organisation’s specific technical stack.
- Verify that intelligence regarding specific software vulnerabilities is matched to the versions currently in production.
- Check that hardware-specific threats are identified for all physical assets listed in the register.
- Ensure that “noise” from irrelevant alerts is minimised to prevent alert fatigue among security personnel.
4. Categorise Intelligence into Actionable Levels
Categorise threat data into strategic, operational, and tactical levels to ensure the right information reaches the appropriate decision-makers.
- Inspect strategic reports designed for senior management regarding long-term threat trends and investment needs.
- Review operational intelligence used by security teams to understand specific threat actor TTPs (Tactics, Techniques, and Procedures).
- Validate tactical indicators, such as IP addresses or file hashes, used for immediate technical blocking.
5. Disseminate Intelligence via Formalised Channels
Provision secure and reliable communication channels to ensure that critical threat intelligence is disseminated to relevant teams without delay.
- Check for the use of automated distribution tools, such as SOAR (Security Orchestration, Automation, and Response) platforms, for tactical data.
- Inspect meeting minutes or briefing notes used to share strategic intelligence with leadership.
- Verify that dissemination protocols include “Rules of Engagement” (ROE) to protect the confidentiality of the intelligence.
6. Coordinate Intelligence with Incident Response Plans
Coordinate the integration of threat intelligence into the Incident Response Plan (IRP) to improve detection capabilities and response times.
- Verify that Indicators of Compromise (IoCs) are automatically ingested into SIEM (Security Information and Event Management) systems.
- Check that incident response playbooks are updated based on newly identified threat actor techniques.
- Audit past incident reports to see if threat intelligence was used to identify the root cause or prevent recurrence.
ISO 27001 Annex A.5.7 Audit Reference Table
| Step Number | Audit Step | How To Perform The Audit | Common Evidence Examples |
|---|---|---|---|
| 1 | Formalise Policy | Review documentation for defined intelligence goals. | Threat Intelligence Policy, Management Sign-off. |
| 2 | Provision Sources | Verify external subscriptions and community memberships. | Invoices for feeds, ISAC membership certificates. |
| 3 | Map to Assets | Check if alerts match items in the Asset Register. | Vulnerability scan reports, filtered alert logs. |
| 4 | Categorise Data | Inspect reports for different organisational levels. | CISO Briefings (Strategic), SOC Playbooks (Tactical). |
| 5 | Disseminate Logs | Check communication records for intelligence sharing. | Email alerts, Slack/Teams security channel logs. |
| 6 | Provision IAM | Verify that only authorised roles access raw threat data. | RBAC configuration for TI platform, MFA logs. |
| 7 | Analyse Relevancy | Audit the process for discarding irrelevant threat data. | False positive reports, data refinement workflows. |
| 8 | Update Risk Register | Check if new threats lead to updated risk assessments. | Risk Register entries, Risk Treatment Plans. |
| 9 | Formalise ROE | Review rules for sharing intelligence with third parties. | Information Sharing Agreements, NDAs. |
| 10 | Audit Automation | Check technical integration into security tools. | API logs for SIEM/SOAR ingestion of IoCs. |
Common SaaS and GRC Platform Audit Failures
| Failure Type | Audit Conflict | Why Automated SaaS/GRC Fails |
|---|---|---|
| Generic Feeds | Non-Conformity | Platforms provide “out-of-the-box” feeds that lack context for your specific Asset Register. |
| Static Evidence | Audit Rejection | SaaS platforms often show a “check” for having a feed, but not how the data was actually used. |
| Lack of Analysis | Operational Gap | GRC tools cannot perform the human-led analysis required to turn data into intelligence. |
| Disconnected Assets | Inaccuracy | Most GRC tools do not live-sync with production Asset Registers, leading to irrelevant alerting. |
| No ROE Definition | Legal Risk | Automated platforms rarely document the “Rules of Engagement” for sensitive external sharing. |
| Stale Data | Security Risk | Compliance software often lags behind real-time threat landscapes, providing “audit-only” data. |
| False Assurance | Management Risk | Dashboards show 100% compliance while technical teams are drowning in uncurated alert noise. |
| No IAM Granularity | Access Risk | SaaS tools often lack the fine-grained IAM roles needed to restrict sensitive intelligence access. |
| Template Reliance | Observation finding | Using generic TI policy templates from GRC tools results in a lack of specific, actionable goals. |
| Zero Integration | Technical Failure | SaaS GRC platforms often sit in a silo, disconnected from SIEM and Incident Response workflows. |
About the author
