Table of Contents
- ISO27002: 2022 Clause 5.7 Threat Intelligence – New Control
- What is ISO27001 Annex A 5.7 Threat Intelligence?
- ISO27001 Annex A 5.7 Definition
- ISO27001 Annex A 5.7 Threat Intelligence Implementation Guide
- The 3 layers of threat intelligence
- ISO27001 Annex A 5.7 Templates
- How to comply with ISO27001 Annex A 5.7 Threat Intelligence
- How to pass an audit of ISO27001 Annex A 5.7 Threat Intelligence
- What will an audit check?
- Top 3 ISO27001 A 5.7 Threat Intelligence Mistakes People Make
- Why is ISO27001 Annex A 5.7 Important?
- ISO27001 Annex A 5.7 Threat Intelligence FAQ
- Matrix of controls and attribute values
- See Also
- Reference
ISO27002: 2022 Clause 5.7 Threat Intelligence – New Control
In this article I lay bare the new ISO27001 control – ISO27001 Annex A 5.7 / ISO27002: 2022 Clause 5.7 Threat Intelligence.
A beginner's guide, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker, the ISO27001 Ninja, and this is ISO27001 Annex A 5.7.
What is ISO27001 Annex A 5.7 Threat Intelligence?
ISO27001 Annex A 5.7 Threat Intelligence is an ISO27002: 2022 control that requires an organisation to collect and analyse information relating to information security threats and to use that information to take mitigation action.
Threat intelligence is used to prevent, detect or respond to threats. You can produce your own threat intelligence, but as a rule you will make use of threat intelligence produced by others. It is often provided by independent providers and advisors, which can include government sources, and more than likely products and services will spring up around this new control to offer it to you as a service, at a cost of course.
ISO27001 Annex A 5.7 Definition
The ISO27001 standard defines ISO27001 Annex A 5.7 Threat Intelligence as:
Information relating to information security threats should be collected and analysed to produce threat intelligence.
ISO27001 Annex A 5.7 Threat Intelligence
ISO27001 Annex A 5.7 Threat Intelligence Implementation Guide
You are going to have to ensure that:
- objectives for threat intelligence production are established
- internal and external sources of information are identified, selected and vetted where necessary and appropriate
- information is collected from selected sources
- information is then prepared for analysis for example by formatting or translating it
- information is analysed to understand how it relates to you
- information is communicated and shared with relevant people in a way they will understand
When implementing threat intelligence you are analysing and using information and including it in your risk management process. You are using it as input to inform how you implement and configure technical controls. You are adapting information security tests and techniques based on it.
Threat intelligence is used to inform decisions and actions to prevent these threats causing harm to the organisation and to reduce the impact of such threats.
There are 3 layers to threat intelligence.
The 3 layers of threat intelligence
- Strategic Threat Intelligence: high level information about the threat landscape
- Tactical Threat Intelligence: intelligence on tools, techniques and attack methodologies
- Operational Threat Intelligence: intelligence on specific attacks and indicators
ISO27001 Annex A 5.7 Templates
You can save months of effort with these templates that take 25 years of experience and distil it into a pack of prewritten best practice awesomeness.
How to comply with ISO27001 Annex A 5.7 Threat Intelligence
To comply with ISO27001 Annex A 5.7 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:
- Establish and document objectives for threat intelligence production
- Identify, vet, list and document internal and external sources of information
- Collect the information
- Prepare the information for analysis for example by formatting or translating it
- Analyse information to understand how it relates to you
- Communicate and share information to relevant people in a way they will understand it
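As an added illustration (not code from the article or its templates), here is a minimal Python sketch of the steps above, which also covers the matching implementation-guide list earlier on the page: it keeps a record of vetted sources, collects from two constructed feeds in different formats, normalises them to one schema, marks what relates to a constructed asset inventory, and produces both a shareable list and an audit record of the kind the audit section asks for. All source names, feed contents and asset names are made up.

```python
import csv
import io
import json
from collections import Counter
from datetime import datetime, timezone

# Step 2: the vetted source list, kept as data so it can be shown to an auditor.
SOURCES = {"vendor-advisories": "external", "soc-tickets": "internal"}

# Constructed sample feeds: one source publishes JSON, the other CSV.
VENDOR_JSON = json.dumps([
    {"id": "ADV-1", "product": "ExampleVPN", "layer": "tactical",
     "summary": "Authentication bypass in ExampleVPN 2.x, fixed in 2.5"},
    {"id": "ADV-2", "product": "OtherMail", "layer": "operational",
     "summary": "Phishing wave against OtherMail tenants"},
])
SOC_CSV = ("id,product,layer,summary\n"
           "T-9,ExampleVPN,operational,Repeated scanning of the VPN portal\n")

# Constructed asset inventory: the products this organisation actually runs.
ASSETS = {"ExampleVPN", "ExampleERP"}


def collect(source, raw):
    """Steps 3 and 4: collect from a vetted source and normalise the format."""
    if source not in SOURCES:
        raise ValueError(f"unvetted source: {source}")
    if raw.lstrip().startswith("["):
        records = json.loads(raw)
    else:
        records = list(csv.DictReader(io.StringIO(raw)))
    return [dict(r, source=source, origin=SOURCES[source]) for r in records]


def analyse(items, assets):
    """Step 5: an item is relevant only if it concerns an asset we own."""
    return [dict(i, relevant=i["product"] in assets) for i in items]


def report(items, assets):
    """Step 6: the shareable list of relevant items plus an audit record."""
    relevant = [i for i in analyse(items, assets) if i["relevant"]]
    record = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "sources": sorted({i["source"] for i in items}),
        "items_collected": len(items),
        "items_relevant": len(relevant),
        "relevant_by_layer": dict(Counter(i["layer"] for i in relevant)),
    }
    return relevant, record
```

Calling `report(collect("vendor-advisories", VENDOR_JSON) + collect("soc-tickets", SOC_CSV), ASSETS)` returns the two items that touch ExampleVPN and a record of what was collected, from where, and when.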
How to pass an audit of ISO27001 Annex A 5.7 Threat Intelligence
To pass an audit of ISO27001 Annex A 5.7 Threat Intelligence you are going to make sure that you have followed the steps above in how to comply.
You are going to do that by first conducting an internal audit, following the How to Conduct an ISO27001 Internal Audit Guide.
What will an audit check?
The audit is going to check a number of areas. Let's go through the main ones.
#1 That you are gathering threat intelligence and analysing it
What this means is that you need to show that you have a list of sources of threat intelligence information, have records of collecting it, and can show reports where you have shared and communicated it.
#2 That you have taken action as a result of threat intelligence
The process may be straightforward. You may have updated a system, changed a configuration, introduced or removed a tool, or had an incident that was managed via the incident management process. Whatever the course of action, you will have records of the action taken and audit trails.
#3 That threat intelligence forms part of risk management and operations
Your risk management process will factor in and evidence threat intelligence. Your risk register may take account of threat intelligence and emerging or realised risks.
Top 3 ISO27001 A 5.7 Threat Intelligence Mistakes People Make
The top 3 mistakes people make for ISO27001 Annex A 5.7 Threat Intelligence are:
#1 You are not collecting or using threat intelligence
This is a new control so one that is easy to overlook. Make sure to follow the control requirements and be able to evidence its operation.
#2 You rely only on internal threat intelligence
Internal threat intelligence is easy to collect but does not provide the wider picture. Be sure to include external sources of threat intelligence data.
#3 Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no comments left in them are all good practices.
Why is ISO27001 Annex A 5.7 Important?
The purpose of this control is to provide awareness of the organisation’s threat environment so that the appropriate mitigation actions can be taken.
Taking collective knowledge of threats can lead to a collective response and that response can be based on collective best practice. If we share information we reduce the risk and impact of the emerging threats that are only ever going to increase. We cannot protect against what we do not know. As we start to know more we can increase our protection making for a safer, more secure working environment and protecting vital customer and employee data.
ISO27001 Annex A 5.7 Threat Intelligence FAQ
Yes, threat intelligence is a new ISO27001 control and a new requirement for ISO27001 certification.
The 3 layers of threat intelligence are:
- Strategic Threat Intelligence: high level information about the threat landscape
- Tactical Threat Intelligence: intelligence on tools, techniques and attack methodologies
- Operational Threat Intelligence: intelligence on specific attacks and indicators
Threat intelligence was added as an ISO27001 control in 2022.
ISO27001: 2022 annex A 5.7 covers threat intelligence.
ISO27002: 2022 clause 5.7 covers threat intelligence.
Nothing, they are the same thing. ISO27002 is a standard in its own right and is included as an Annex to the ISO27001 standard. As such it is often referred to as Annex A but it is a different name for the same thing.
ISO27001 Annex A 5.7 will take approximately 1 day to setup if you are starting from nothing and doing it yourself.
It can be free. It depends if you want to subscribe to the new services that have sprung up to offer this information at a cost.
Matrix of controls and attribute values
Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
--- | --- | --- | --- | ---
#Preventive #Corrective #Detective | #Confidentiality #Integrity #Availability | #Identify #Detect #Respond | #Threat_and_vulnerability_management | #Defence #Resilience
See Also
- Guaranteed ISO 27001 Certification up to 10x Faster and 30x Cheaper
- The Ultimate ISO 27001 TOOLKIT so you can do it yourself
- ISO 27001 Exposed: The facts you must know (Not knowing these could cost you $10,000s!)
- 25 Things You Must Know Before Going for ISO 27001 Certification (Number 3 will blow your mind!)
- The Ultimate Reference Guide to ISO 27001 Controls