ISO27001 Annex A 5.7 Threat Intelligence Beginner’s Guide

Share with your network

ISO27002: 2022 Clause 5.7 Threat Intelligence – New Control

In this article I lay bare the new ISO27001 control – ISO27001 Annex A 5.7 / ISO27002: 2022 Clause 5.7 Threat Intelligence.

A beginners guide, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is ISO27001 Annex 5.7

What is ISO27001 Annex A 5.7 Threat Intelligence?

ISO27001 Annex A 5.7 Threat Intelligence is an ISO27002: 2022 control that requires an organisation to collect and analyse information relating to information security threats and use that information take mitigation action.

Threat intelligence is used to prevent, detect or respond to threats. You can produce your own threat intelligence but as a rule you will make use of threat intelligence produced by others. It is often provided by independent providers and advisors which can include government sources and more than likely products and services will spring up around this new control to offer you it as a service, at a cost of course.

ISO27001 Annex A 5.7 Definition

The ISO27001 standard defines ISO27001 Annex A 5.7 Threat Intelligence as:

Information relating to information security threats should be collected and analysed to produce threat intelligence.

ISO27001 Annex A 5.7 Threat Intelligence

ISO27001 Annex A 5.7 Threat Intelligence Implementation Guide

You are going to have to ensure that:

  • objectives for threat intelligence production are established
  • internal and external sources of information are identified, selected and vetted where necessary and appropriate
  • information is collected from selected sources
  • information is then prepared for analysis for example by formatting or translating it
  • information is analysed to understand how it relates to you
  • communication and sharing of information is done to relevant in people in a way they will understand it

When implementing threat intelligence you are analysing and using information and including it in your risk management process. You are using it as input to inform how you implement and configure technical controls. You are adapting information security tests and techniques based on it.

Threat intelligence is used to inform decisions and actions to precent these threats causing harm to the organisation and reduce the impact of such threats.

There are 3 layers to threat intelligence.

The 3 layers of threat intelligence

  1. Strategic Threat Intelligence: high level information about the threat landscape
  2. Tactical Threat Intelligence: intelligence on tools, techniques and attack methodologies
  3. Operational Threat Intelligence: intelligence on specific attacks and indicators

ISO27001 Annex A 5.7 Templates

You can save months of effort with these templates that take 25 years of experience and distill it in a pack of prewritten best practice awesomeness.

How to comply with ISO27001 Annex A 5.7 Threat Intelligence

To comply with ISO27001 Annex A 5.7 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  • Establish and document objectives for threat intelligence production
  • Identify, vet, list and document internal and external sources of information
  • Collect the information
  • Prepare the information for analysis for example by formatting or translating it
  • Analyse information to understand how it relates to you
  • Communicate and share information to relevant people in a way they will understand it

How to pass an audit of ISO27001 Annex A 5.7 Threat Intelligence

To pass an audit of ISO27001 Annex A 5.7 Threat Intelligence you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO27001 Internal Audit Guide.

What will an audit check?

The audit is going to check a number of areas. Lets go through the main ones

#1 That you are gathering threat intelligence and analysing it

What this means is that you need to show that you have a list of sources of threat intelligence information, have records of collecting and show reports where you have shared and communicated it.

#2 That you have taken action as a result of threat intelligence

The process may be straightforward. You may have updated a system, changed a configuration, introduced or removed a tool, had an incident that was managed via the incident management process. What ever the course of action you will have records of action taken and audit trails.

#3 That threat intelligence forms part of risk management and operations

Your risk management process will factor in and evidence threat intelligence. Your risk register may take account of threat intelligence and emerging or realised risks.

Top 3 ISO27001 A 5.7 Threat Intelligence Mistakes People Make

The top 3 Mistakes People Make For ISO27001 Annex A 5.7 Threat Intelligence are

#1 You are not collecting or using threat intelligence

This is a new control so one that is easy to overlook. Make sure to follow the control requirements and be able to evidence its operation.

#2 You rely only on internal threat intelligence

Internal threat intelligence is easy to collect but does not provide for the wider picture. Be sure to include external sources of threat intelligence data.

#3 Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Why is ISO27001 Annex A 5.7 Important?

The purpose of this control is to provide awareness of the organisation’s threat environment so that the appropriate mitigation actions can be taken.

Taking collective knowledge of threats can lead to a collective response and that response can be based on collective best practice. If we share information we reduce the risk and impact of the emerging threats that are only ever going to increase. We cannot protect against what we do not know. As we start to know more we can increase our protection making for a safer, more secure working environment and protecting vital customer and employee data.

ISO27001 Annex A 5.7 Threat Intelligence FAQ

Is threat intelligence a new ISO27001 control?

Yes threat intelligence is a new ISO27001 control and a new requirement for ISO27001 certification?

What are the 3 layers of threat intelligence?

The 3 layers of threat intelligence are:
Strategic Threat Intelligence: high level information about the threat landscape
Tactical Threat Intelligence: intelligence on tools, techniques and attack methodologies
Operational Threat Intelligence: intelligence on specific attacks and indicators

When was threat intelligence added to ISO27001?

Threat intelligence was added as an ISO27001 control in 2022.

What clause of ISO27001 covers threat intelligence?

ISO27001: 2022 annex A 5.7 covers threat intelligence.

What clause of ISO27002 covers threat intelligence?

ISO27002: 2022 clause 5.7 covers threat intelligence.

What is the difference between ISO27001 annex A 5.7 and ISO27002 clause 5.7?

Nothing, they are the same thing. ISO27002 is a standard in its own right and is included as an Annex to the ISO27001 standard. As such it is often referred to as Annex A but it is a different name for the same thing.

How long will ISO27001 Annex A 5.7 threat intelligence take me?

ISO27001 Annex A 5.7 will take approximately 1 day to setup if you are starting from nothing and doing it yourself.

How much will ISO27001 Annex A 5.7 threat intelligence cost me?

It can be free. It depends if you want to subscribe to the new services that have sprung up to offer this information at a cost.

Matrix of controls and attribute values

Control typeInformation
security properties
Cybersecurity
concepts
Operational
capabilities
Security domains
#Preventive
#Corrective
#Detective
#Confidentiality
#Integrity
#Availability
#Identify
#Detect
#Respond
#Threat_and_
vulnerability_
management

#Defence
#Resilience

See Also

Reference

ISO/IEC 27001 Information Security Management

Share with your network
ISO 27001 Templates Toolkit Business Edition Black
ISO27001 Policy Templates Pack Green
Free ISO27001 Strategy Call
Shopping Cart