High Table Logo Website

ISO27001:2022

ISO27001 Clauses
ISO 27001 Clause 4.1 Understanding The Organisation And Its Context

ISO 27001 Clause 4.2 Understanding The Needs And Expectations of Interested Parties

ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System

ISO 27001 Clause 4.4 Information Security Management System

ISO 27001 Clause 5.1 Leadership and Commitment

ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities

ISO 27001 Clause 6.1.1 Planning General

ISO 27001 Clause 6.1.2 Information Security Risk Assessment

ISO 27001 Clause 6.1.3 Information Security Risk Treatment

ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them

ISO 27001 Clause 6.3 Planning Of Changes

ISO 27001 Clause 7.1 Resources

ISO 27001:2022 Clause 7.2 Competence

ISO 27001 Clause 7.3 Awareness

ISO 27001 Clause 7.4 Communication

ISO 27001 Clause 7.5.1 Documented Information

ISO 27001 Clause 7.5.2 Creating and Updating Documented Information

ISO 27001 Clause 7.5.3 Control of Documented Information

ISO 27001 Clause 8.1 Operational Planning and Control

ISO 27001 Clause 8.2 Information Security Risk Assessment

ISO 27001 Clause 8.3 Information Security Risk Treatment

ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation

ISO 27001 Clause 9.2 Internal Audit

ISO 27001 Clause 9.3 Management Review

ISO 27001 Clause 10.1 Continual Improvement

ISO 27001 Clause 10.2 Nonconformity and Corrective Action

ISO27001 Organisation Controls

ISO27001 Annex A 5.1 Policies for information security

ISO27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO27001 Annex A 5.3 Segregation of duties

ISO27001 Annex A 5.4 Management responsibilities

ISO27001 Annex A 5.5 Contact with authorities

ISO27001 Annex A 5.6 Contact with special interest groups

ISO27001 Annex A 5.7 Threat intelligence

ISO27001 Annex A 5.8 Information security in project management

ISO27001 Annex A 5.9 Inventory of information and other associated assets

ISO27001 Annex A 5.10 Acceptable use of information and other associated assets

ISO27001 Annex A 5.11 Return of assets

ISO27001 Annex A 5.12 Classification of information

ISO27001 Annex A 5.13 Labelling of information

ISO27001 Annex A Cotrol 5.14 Information transfer

ISO27001 Annex A 5.15 Access control

ISO27001 Annex A 5.16 Identity management

ISO27001 Annex A 5.17 Authentication information

ISO27001 Annex A 5.18 Access rights

ISO27001 Annex A 5.19 Information security in supplier relationships

ISO27001 Annex A 5.20 Addressing information security within supplier agreements

ISO27001 Annex A 5.21 Managing information security in the ICT supply chain

ISO27001 Annex A 5.22 Monitoring, review and change management of supplier services

ISO27001 Annex A 5.23 Information security for use of cloud services

ISO27001 Annex A 5.24 Information security incident management planning and preparation

ISO27001 Annex A 5.25 Assessment and decision on information security events

ISO27001 Annex A 5.26 Response to information security incidents

ISO27001 Annex A 5.27 Learning from information security incidents

ISO27001 Annex A 5.28 Collection of evidence

ISO27001 Annex A 5.29 Information security during disruption

ISO 27001 Annex A Cotrol 5.30 ICT readiness for business continuity

ISO27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO27001 Annex A 5.32 Intellectual property rights

ISO27001 Annex A 5.33 Protection of records

ISO27001 Annex A 5.34 Privacy and protection of PII

ISO27001 Annex A 5.35 Independent review of information security

ISO27001 Annex A 5.36 Compliance with policies and standards for information security

ISO27001 Annex A 5.37 Documented operating procedures

ISO27001 People Controls

ISO27001 Annex A 6.1 Screening

ISO27001 Annex A 6.2 Terms and conditions of employment

ISO27001 Annex A 6.3 Information security awareness, education and training

ISO27001 Annex A 6.4 Disciplinary process

ISO27001 Annex A 6.5 Responsibilities after termination or change of employment

ISO27001 Annex A 6.6 Confidentiality or non-disclosure agreements

ISO27001 Annex A 6.7 Remote working

ISO27001 Annex A 6.8 Information security event reporting

ISO27001 Physical Controls

ISO27001 Annex A 7.1 Physical security perimeter

ISO27001 Annex A 7.2 Physical entry controls

ISO27001 Annex A 7.3 Securing offices, rooms and facilities

ISO27001 Annex A 7.4 Physical security monitoring

ISO27001 Annex A 7.5 Protecting against physical and environmental threats

ISO27001 Annex A 7.6 Working in secure areas

ISO27001 Annex A 7.7 Clear desk and clear screen

ISO27001 Annex A 7.8 Equipment siting and protection

ISO27001 Annex A 7.9 Security of assets off-premises

ISO27001 Annex A 7.10 Storage media

ISO27001 Annex A 7.11 Supporting Utilities

ISO27001 Annex A 7.12 Cabling Security

ISO27001 Annex A 7.13 Equipment Maintenance

ISO27001 Annex A 7.14 Secure Disposal or Re-Use of Equipment

ISO27001 Technical Controls

ISO27001 Annex A 8.1 User Endpoint Devices

ISO27001 Annex A 8.2 Privileged Access Rights

ISO27001 Annex A 8.3 Information Access Restriction

ISO27001 Annex A 8.4 Access To Source Code

ISO27001 Annex A 8.5 Secure Authentication

ISO27001 Annex A 8.6 Capacity Management

ISO27001 Annex A 8.7 Protection Against Malware

ISO27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO27001 Annex A 8.9 Configuration Management 

ISO27001 Annex A 8.10 Information Deletion

ISO27001 Annex A 8.11 Data Masking

ISO27001 Annex A 8.12 Data Leakage Prevention

ISO27001 Annex A 8.13 Information Backup

ISO27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO27001 Annex A 8.15 Logging

ISO27001 Annex A 8.16 Monitoring Activities

ISO27001 Annex A 8.17 Clock Synchronisation

ISO27001 Annex A 8.18 Use of Privileged Utility Programs

ISO27001 Annex A 8.19 Installation of Software on Operational Systems

ISO27001 Annex A 8.20 Network Security

ISO27001 Annex A 8.21 Security of Network Services

ISO27001 Annex A 8.22 Segregation of Networks

ISO27001 Annex A 8.23 Web Filtering

ISO27001 Annex A 8.24 Use of Cryptography

ISO27001 Annex A 8.25 Secure Development Life Cycle

ISO27001 Annex A 8.26 Application Security Requirements

ISO27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO27001 Annex A 8.28 Secure Coding

ISO27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO27001 Annex A 8.30 Outsourced Development

ISO27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO27001 Annex A 8.32 Change Management

ISO27001 Annex A 8.33 Test Information

ISO27001 Annex A 8.34 Protection of information systems during audit testing

ISO 27001 Jumpstart Kit
ISO 27001 Certification Kit
ISO 27001 Consultant Toolkit

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 5.7 Threat Intelligence

ISO 27001 Annex A 5.7 Threat Intelligence

Last updated Aug 31, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Threat Intelligence

Threat Intelligence is a new control is ISO 27001:2022 and is about understanding and managing the threats to your information security. Threats to the confidentiality, integrity and availability of data.

It can be confusing when you first come to this control but I will show you what is required and some simple, practical steps you can take to implement it.

ISO 27001 Threat Intelligence is the identification and management of information security threats.

In ISO 27001 this is known as ISO27001:2022 Annex A 5.7 Threat Intelligence . It is one of the ISO 27001 Annex A controls.

Key Takeaways

  • Sources of threat intelligence information are readily available and many are free
  • Management of threats is done by risk management

Table of Contents

What is ISO 27001 Annex A 5.7 Threat Intelligence?

ISO 27001 Annex A 5.7 Threat Intelligence is an ISO 27001 control that requires an organisation to collect and analyse information relating to information security threats and use that information take mitigation action.

Threat intelligence is used to prevent, detect or respond to threats. You can produce your own threat intelligence but as a rule you will make use of threat intelligence produced by others. It is often provided by independent providers and advisors which can include government sources and more than likely products and services will spring up around this new control to offer you it as a service, at a cost of course.

ISO 27001 Annex A 5.7 Purpose

ISO 27001 Annex A 5.7 is preventive, detective and corrective control that ensure you provide awareness of the organisations threat environment so that the appropriate mitigation actions can be taken.

Definition

The ISO 27001 standard defines ISO 27001 Threat Intelligence: Annex A 5.7 as:

Information relating to information security threats should be collected and analysed to produce threat intelligence.

ISO 27001:2022 Annex A 5.7 Threat Intelligence

Why is ISO 27001 Threat Intelligence important?

The purpose of this control is to provide awareness of the organisation’s threat environment so that the appropriate mitigation actions can be taken.

Taking collective knowledge of threats can lead to a collective response and that response can be based on collective best practice. If we share information we reduce the risk and impact of the emerging threats that are only ever going to increase. We cannot protect against what we do not know. As we start to know more we can increase our protection making for a safer, more secure working environment and protecting vital customer and employee data.

ISO 27001 Toolkit
Get the ISO 27001 Certification Kit >

Implementation Guide

You are going to have to ensure that

  • objectives for threat intelligence production are established
  • internal and external sources of information are identified, selected and vetted where necessary and appropriate
  • information is collected from selected sources
  • information is then prepared for analysis for example by formatting or translating it
  • information is analysed to understand how it relates to you
  • communication and sharing of information is done to relevant in people in a way they will understand it

When implementing threat intelligence you are analysing and using information and including it in your risk management process. You are using it as input to inform how you implement and configure technical controls. You are adapting information security tests and techniques based on it.

Threat intelligence is used to inform decisions and actions to precent these threats causing harm to the organisation and reduce the impact of such threats.

There are 3 layers to threat intelligence.

The 3 layers of threat intelligence

  1. Strategic Threat Intelligence: high level information about the threat landscape
  2. Tactical Threat Intelligence: intelligence on tools, techniques and attack methodologies
  3. Operational Threat Intelligence: intelligence on specific attacks and indicators

Threat intelligence objectives

When you write your threat intelligence process it will have objectives. Based on best practice real world experience the following are the objectives of the ISO 27001 Threat Intelligence process:

1. Identify Existing and Emerging Threats

Through the use of internal and external data sources existing and emerging threats will be identified. In addition, the use of audit processes such as internal audit, external audit and penetration testing will be used. 

2. Assess Risk and Impact

Threats will be analysed for relevance to the organisation. Where a relevant threat is identified it will be added to the risk register and managed via the risk management process.

3. Communication

Threat Intelligence will be shared with the Management Review Team as part of the regular structured agenda.

4. Improve the Information Security Management System (ISMS)

Threat Intelligence that identifies emerging and existing threats will be managed via the Risk Management Process and any changes or improvements will be managed via the Continual Improvement Process.

Examples of threat intelligence sources

There are free sources of threat intelligence information that you can use. These can be internal or external so let us take a look at examples of threat intelligence sources you can use:

Internal Sources of Threat Intelligence

The controls and processes that you operate will provide valuable threat intelligence information that you will identify through trend analysis and incident management. The examples include:

  • Anti-Virus and Malware Protection Reports
  • Information Security Incident Reports
  • Phishing Reports
  • Internal Audit Reports

External Sources of Threat Intelligence

External sources of threat intelligence are readily available from vendors and government websites. The following are examples:

The threat intelligence reporting process

When you collect the threat intelligence information you are going to report on it so you can act on it. The process for threat intelligence reporting, based on practical real world experience would be:

  • A Threat Intelligence Report is created.
  • The Threat Intelligence Report is shared with The Management Review Team.
  • The Threat Intelligence Report is shared at least at the Management Review Team Meeting and if a significant threat is identified.
  • Threat Intelligence Reports are kept for at least 12 months.
  • Progress of Threat Mitigation is reported via the Risk Management Process and Continual Improvement Process as relevant.

The contents of the threat intelligence report

The Threat Intelligence Report gives a high-level threat snapshot summary. When creating the threat intelligence report it would include:

  • Threat Summary: A summary in simple of terms of the threat that can be understood by someone with no technical knowledge.
  • Source: The source of the threat. Either a link or a description in words of how the threat was identified.
  • Threat Level: Using a simple, easy to understand rating of High / Medium and Low the initial rating is a subjective rating on the potential risk and impact to the organisation. The objective rating will be derived as part of the risk management process.

For each threat in the summary table a more detailed report is provided that includes recommendations on next steps, whether it is added to the risk register and if so a risk reference.

How to create a threat intelligence process and report in under 10 minutes

In this video tutorial I show you How to create a Threat Intelligence Process in Under 10 Minutes

If you are wanting to do this yourself I show you How To Create an ISO 27001 Threat Intelligence Process and Report in this step-by-step implementation guide.

ISO27001 Treat Intelligence

Watch the Tutorial

In the video ISO 27001 Annex A 5.7 Threat Intelligence Explained show you how to implement it and how to pass the audit.

ISO 27001 Threat Intelligence Template

You can save months of effort with the ISO 27001 Toolkit that take 25 years of experience and distill it in a pack of prewritten best practice awesomeness.

If you don’ want of need the full ISO 27001 Toolkit then this is the ISO27001 Annex A 5.7 Threat Intelligence Templates. Both the threat intelligence process and the threat intelligence report.

ISO27001 5.7 Threat Intelligence Template

How to comply

To comply with ISO 27001 Annex A 5.7 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  • Establish and document objectives for threat intelligence production
  • Identify, vet, list and document internal and external sources of information
  • Collect the information
  • Prepare the information for analysis for example by formatting or translating it
  • Analyse information to understand how it relates to you
  • Communicate and share information to relevant people in a way they will understand it

How to pass the audit

To pass an audit of ISO 27001 Annex A 5.7 Threat Intelligence you are going to make sure that you have followed the steps above in how to comply.

What will an auditor check?

The audit is going to check a number of areas. Lets go through the main ones

1. That you are gathering threat intelligence and analysing it

What this means is that you need to show that you have a list of sources of threat intelligence information, have records of collecting and show reports where you have shared and communicated it.

2. That you have taken action as a result of threat intelligence

The process may be straightforward. You may have updated a system, changed a configuration, introduced or removed a tool, had an incident that was managed via the incident management process. What ever the course of action you will have records of action taken and audit trails.

3. That threat intelligence forms part of risk management and operations

Your risk management process will factor in and evidence threat intelligence. Your risk register may take account of threat intelligence and emerging or realised risks.

Top 3 Mistakes People Make

In my experience, the top 3 Mistakes People Make For ISO 27001 Annex A 5.7 Threat Intelligence are

1. You are not collecting or using threat intelligence

This is a new control so one that is easy to overlook. Make sure to follow the control requirements and be able to evidence its operation.

2. You rely only on internal threat intelligence

Internal threat intelligence is easy to collect but does not provide for the wider picture. Be sure to include external sources of threat intelligence data.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

ISO 27001 Annex A 5.7 FAQ

Is threat intelligence a new ISO 27001 control?

Yes threat intelligence is a new ISO 27001 control and a new requirement for ISO 27001 certification

What are the 3 layers of threat intelligence?

The 3 layers of threat intelligence are:
Strategic Threat Intelligence: high level information about the threat landscape
Tactical Threat Intelligence: intelligence on tools, techniques and attack methodologies
Operational Threat Intelligence: intelligence on specific attacks and indicators

When was threat intelligence added to ISO 27001?

Threat intelligence was added as an ISO 27001 control in 2022.

What clause of ISO 27001 covers threat intelligence?

ISO 27001 Annex A 5.7 covers threat intelligence.

What clause of ISO 27002 covers threat intelligence?

ISO 27002 clause 5.7 covers threat intelligence.

What is the difference between ISO 27001 Annex A 5.7 and ISO 27002 clause 5.7?

Nothing, they are the same thing. ISO 27002 is a standard in its own right and is included as an Annex to the ISO 27001 standard. As such it is often referred to as Annex A but it is a different name for the same thing.

How long will ISO 27001 Annex A 5.7 threat intelligence take me?

ISO 27001 Annex A 5.7 will take approximately 1 day to setup if you are starting from nothing and doing it yourself.

How much will ISO 27001 Annex A 5.7 threat intelligence cost me?

It can be free. It depends if you want to subscribe to the new services that have sprung up to offer this information at a cost.

ISO 27001 Annex A 7.5 Protecting Against Physical and Environmental Threats

ISO 27001 Annex A 8.15 Logging

ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation

ISO 27001 Controls and Attribute Values

Control typeInformation
security properties		Cybersecurity
concepts		Operational
capabilities		Security domains
PreventiveConfidentialityIdentifyThreat and
vulnerability
management		Defence
CorrectiveIntegrityDetectResilience
DetectiveAvailabilityRespond
Tags: Availability Confidentiality Corrective Defence Detect Detective Identify Integrity Preventive Resilience Respond Threat and Vulnerability Management
Stuart Barker, ISO 27001 expert

Stuart Barker
ISO 27001 Expert and Thought Leader

ISO 27001 Toolkit Business Edition
Stuart Barker, ISO 27001 expert

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.