How to Implement ISO 27001:2022 Annex A 5.7: Turning Information into Defence

/ By
How to Implement ISO 27001 Annex A 5.7

In the old days of information security, the strategy was often “build a high wall and hope for the best.” You installed a firewall, an antivirus, and locked the server room door. Today, that isn’t enough. Bad actors are constantly evolving their tactics, and if you are waiting for them to knock on your door before you react, you have already lost.

This is where ISO 27001:2022 Annex A 5.7: Threat Intelligence comes in. It is one of the new controls introduced in the 2022 update, and it represents a significant shift from “passive defence” to “active awareness.”

Implementing this control doesn’t mean you need to hire a team of ex-spies or build a massive Security Operations Center (SOC). It simply means you need a structured way to understand what is threatening your business so you can make better decisions. Here is how to implement Annex A 5.7 effectively, practically, and without drowning in data.

Table of contents

What is Annex A 5.7 Asking For?

The standard defines the requirement clearly: “Information relating to information security threats should be collected and analyzed to produce threat intelligence.”

But what does that actually mean for a normal business? It means you need to stop flying blind. You need a process to:

  • Collect information about potential attacks (vulnerabilities, ransomware trends, new phishing techniques).
  • Analyze that information to see if it applies to you.
  • Act on it to reduce your risk.

Think of it as the weather forecast for your IT systems. If you know a storm is coming (e.g., a massive wave of ransomware targeting your industry), you can board up the windows (patch your servers) before the rain starts.

The Three Layers of Intelligence

To implement this well, you need to understand that not all “intel” is created equal. You generally need to look at three levels:

1. Strategic Intelligence

This is the “Big Picture.” It helps your management team understand the landscape.
Example: “There is a rise in state-sponsored attacks against the energy sector.”
Action: Increase the overall security budget for next year.

2. Tactical Intelligence

This is about the “How.” It covers the Tactics, Techniques, and Procedures (TTPs) attackers are using right now.
Example: “Hackers are using deepfake audio to impersonate CEOs.”
Action: Update your finance payment procedures to require two-factor verification for transfers.

3. Operational Intelligence

This is the technical nitty-gritty. It deals with specific details.
Example: “IP address 192.168.x.x is launching attacks,” or “Log4j version 2.14 has a critical vulnerability.”
Action: Block the IP at the firewall or patch the software immediately.

Step 1: Determine Your Intelligence Needs

Before you start subscribing to newsletters, ask yourself: “What am I trying to protect?”

If you run a bakery on Shopify, you don’t need to track advanced persistent threats targeting nuclear centrifuges. You need to know about Shopify vulnerabilities and phishing scams.

Implementation Action: Look at your Risk Assessment. What are your high risks? Tailor your intelligence gathering to those areas.

Step 2: Collect the Data (The Sources)

This overlaps slightly with Annex A 5.6 (Contact with Special Interest Groups), but the focus here is on the data, not the relationship. You need a mix of sources:

  • Vendor Alerts: Microsoft, AWS, Google, Adobe. These are critical.
  • Open Source Intelligence (OSINT): Government alerts (like CISA or NCSC), reputable security blogs, and vulnerability databases (CVEs).
  • Paid Feeds: (Optional) For larger organizations, automated threat feeds can integrate directly into your SIEM, but for most, free sources are sufficient.

Step 3: Analysis and Dissemination

This is the step most people miss. Having an inbox full of “Security Alert” emails is not compliance. You must analyze them.

You need a process—even if it’s just a weekly meeting—where someone asks: “Does this threat apply to us?”

  • If No: Discard it. (Filtering noise is a key part of intelligence).
  • If Yes: Who needs to know?

The “So What?” Test:
If you see an alert for a Windows Server vulnerability, but you are a 100% Mac shop, the intelligence is irrelevant. Document that you reviewed it and move on.

Step 4: Taking Action

Intelligence is useless without action. The output of your threat intelligence process should be inputs for other controls:

  • Risk Management: “This new threat changes the likelihood of Risk #42 happening.”
  • Access Control: “We need to block these specific geographical regions.”
  • Vulnerability Management: “We need to patch this server tonight, not next month.”

Documentation Requirements

To satisfy the auditor, you can’t just say you “keep up with the news.” You need evidence. Typically, this involves:

  • A Threat Intelligence Procedure: Defining who gathers intel, from where, and how often.
  • An Intelligence Register: A simple log showing what you reviewed and what you did about it.

If you are dreading the paperwork, you don’t have to start from scratch. Hightable.io offers comprehensive ISO 27001 toolkits that include pre-built Threat Intelligence procedures and registers. Using a template ensures you are capturing the right fields (Source, Analysis, Action Owner) to sail through the audit.

Common Implementation Mistakes

Mistake 1: Confusing A 5.7 with A 5.6
Annex A 5.6 is about joining groups. Annex A 5.7 is about using the information. They support each other, but you need to demonstrate the analysis part for A 5.7.

Mistake 2: Information Overload
Don’t try to drink from the firehose. If your IT team is overwhelmed with thousands of alerts they can’t process, you have implemented the control poorly. Focus on quality and relevance over quantity.

Conclusion

Implementing ISO 27001 Annex A 5.7 is about moving from “reactive” to “proactive.” It allows you to fix the roof before it starts raining. By setting up a simple cycle of gathering relevant news, filtering out the noise, and taking concrete action on the rest, you make your organization significantly harder to hack.

Start small, focus on the software and hardware you actually use, and use resources like Hightable.io to get your documentation structure right the first time.

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor ⚡ 30+ Years Exp 🏢 Ex-GE Leader

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.

Shopping Basket
Scroll to Top