ISO 27001 Annex A 5.7 Threat Intelligence


ISO 27001 Threat Intelligence

I am going to show you what ISO 27001 Annex A 5.7 Threat Intelligence is, what’s new, give you ISO27001 Threat Intelligence templates, an ISO 27001 toolkit, show you examples, do a walkthrough and show you how to implement it.

I am Stuart Barker the ISO 27001 Ninja and using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.

Watch the ISO 27001 Annex A 5.7 Tutorial

Watch How to implement ISO 27001 Annex A 5.7 Threat Intelligence

What is ISO 27001 Annex A 5.7 Threat Intelligence?

ISO 27001 Annex A 5.7 Threat Intelligence is an ISO 27001 control that requires an organisation to collect and analyse information relating to information security threats and to use that information to take mitigation action.

Threat intelligence is used to prevent, detect or respond to threats. You can produce your own threat intelligence but, as a rule, you will make use of threat intelligence produced by others. It is often provided by independent providers and advisors, which can include government sources, and products and services will more than likely spring up around this new control to offer it to you as a service, at a cost of course.

ISO 27001 Annex A 5.7 Purpose

ISO 27001 Annex A 5.7 is a preventive, detective and corrective control that ensures you have awareness of the organisation's threat environment so that the appropriate mitigation actions can be taken.

ISO 27001 Annex A 5.7 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.7 as:

Information relating to information security threats should be collected and analysed to produce threat intelligence.

ISO 27001:2022 Annex A 5.7 Threat Intelligence


ISO 27001 Annex A 5.7 Threat Intelligence Implementation Guide

You are going to have to ensure that

  • objectives for threat intelligence production are established
  • internal and external sources of information are identified, selected and vetted where necessary and appropriate
  • information is collected from selected sources
  • information is then prepared for analysis for example by formatting or translating it
  • information is analysed to understand how it relates to you
  • information is communicated and shared with relevant people in a way they will understand

When implementing threat intelligence you are analysing and using information and including it in your risk management process. You are using it as input to inform how you implement and configure technical controls. You are adapting information security tests and techniques based on it.

Threat intelligence is used to inform decisions and actions to prevent these threats causing harm to the organisation and to reduce the impact of such threats.

There are 3 layers to threat intelligence.

The 3 layers of threat intelligence

  1. Strategic Threat Intelligence: high level information about the threat landscape
  2. Tactical Threat Intelligence: intelligence on tools, techniques and attack methodologies
  3. Operational Threat Intelligence: intelligence on specific attacks and indicators

How to create a Threat Intelligence Process in Under 10 Minutes

ISO 27001 Templates

You can save months of effort with the ISO 27001 Toolkit, which takes 25 years of experience and distills it into a pack of prewritten best practice awesomeness.

If you don't want or need the full ISO27001 Toolkit, these are the ISO27001 Annex A 5.7 Threat Intelligence Templates: both the threat intelligence process and the threat intelligence report.

ISO27001 5.7 Threat Intelligence Template

How to comply

To comply with ISO 27001 Annex A 5.7 you are going to implement the 'how' to the 'what' the control is expecting. In short, you are going to:

  • Establish and document objectives for threat intelligence production
  • Identify, vet, list and document internal and external sources of information
  • Collect the information
  • Prepare the information for analysis for example by formatting or translating it
  • Analyse information to understand how it relates to you
  • Communicate and share information to relevant people in a way they will understand it
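The steps above (vet sources, collect, prepare, analyse, communicate) and the three layers listed earlier can be exercised end to end in a few dozen lines. The following is an added example, not code from the page or from High Table: a small Python pipeline that accepts entries only from a vetted source list, normalises two different input shapes, classifies each item by layer, keeps only what touches the technology the organisation actually runs, routes it to the right audience, and records what was collected, rejected and discarded so the operation of the control can be evidenced at audit. Every source name, product, summary and indicator below is constructed (the addresses are from the RFC 5737 documentation range), and the layer-per-source and audience mappings are assumptions for illustration.

```python
"""Added example: a minimal Annex A 5.7 style threat intelligence pipeline."""
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Objective (constructed): we want to know about threats to what we actually run.
IN_SCOPE_PRODUCTS = {"openssh", "microsoft 365", "linux"}

# Vetted source list (constructed) and the layer each source is trusted for.
VETTED_SOURCES = {
    "national-cert-bulletin": "strategic",
    "isac-report": "tactical",
    "vendor-feed": "operational",
    "internal-soc": "operational",
}

# Who each layer is communicated to (assumed audiences).
AUDIENCE = {"strategic": "leadership", "tactical": "security-engineering",
            "operational": "soc"}

# Constructed raw feed: two date formats, one unvetted source, one out-of-scope product.
RAW_ENTRIES = [
    {"src": "national-cert-bulletin", "when": "2024-03-01",
     "summary": "Ransomware groups increasingly target managed service providers",
     "products": []},
    {"src": "isac-report", "when": "2024-03-02T09:15:00Z",
     "summary": "Credential stuffing against cloud email portals",
     "products": ["Microsoft 365"]},
    {"src": "vendor-feed", "when": "2024-03-02T10:00:00Z",
     "summary": "Scanning for a weak SSH configuration",
     "products": ["OpenSSH"], "indicators": ["198.51.100.7"]},
    {"src": "vendor-feed", "when": "2024-03-02T10:05:00Z",
     "summary": "Exploitation of an unsupported CMS",
     "products": ["LegacyCMS"], "indicators": ["198.51.100.8"]},
    {"src": "random-blog", "when": "2024-03-03",
     "summary": "Unverified rumour", "products": ["Linux"]},
]


@dataclass(frozen=True)
class Intel:
    source: str
    observed: datetime
    layer: str
    summary: str
    products: frozenset
    indicators: tuple


def collect(raw_entries, vetted=VETTED_SOURCES):
    """Collection step: keep entries from vetted sources, record the rest as rejected."""
    accepted, rejected = [], []
    for entry in raw_entries:
        (accepted if entry["src"] in vetted else rejected).append(entry)
    return accepted, rejected


def prepare(entry):
    """Preparation step: normalise dates and product names into one record shape."""
    when = entry["when"]
    if "T" in when:
        observed = datetime.fromisoformat(when.replace("Z", "+00:00"))
    else:  # date-only entries are treated as midnight UTC
        observed = datetime.fromisoformat(when).replace(tzinfo=timezone.utc)
    return Intel(source=entry["src"], observed=observed,
                 layer=VETTED_SOURCES[entry["src"]],
                 summary=entry["summary"].strip(),
                 products=frozenset(p.lower() for p in entry.get("products", [])),
                 indicators=tuple(entry.get("indicators", [])))


def is_relevant(intel, in_scope=IN_SCOPE_PRODUCTS):
    """Analysis step: strategic items always reach leadership; tactical and
    operational items matter only if they touch something in scope."""
    return intel.layer == "strategic" or bool(intel.products & in_scope)


def run_pipeline(raw_entries):
    """Return (report routed by audience, audit record of what happened)."""
    accepted, rejected = collect(raw_entries)
    prepared = [prepare(e) for e in accepted]
    relevant = [i for i in prepared if is_relevant(i)]
    report = {aud: [] for aud in AUDIENCE.values()}
    for i in relevant:  # communication step: route to the audience for its layer
        report[AUDIENCE[i.layer]].append({
            "source": i.source, "observed": i.observed.isoformat(),
            "summary": i.summary, "indicators": list(i.indicators)})
    audit = {"collected": len(accepted),
             "rejected_unvetted": [e["src"] for e in rejected],
             "analysed": len(prepared), "relevant": len(relevant),
             "not_relevant": [i.summary for i in prepared if not is_relevant(i)]}
    return report, audit


if __name__ == "__main__":
    report, audit = run_pipeline(RAW_ENTRIES)
    print(json.dumps({"report": report, "audit": audit}, indent=2))
```

The `audit` dictionary is the part an auditor asks for: it shows that a source list exists, that an unvetted source was refused, and that an item about a product the organisation does not run was analysed and set aside rather than silently dropped. Feeding `report["soc"]` indicators into blocking or detection tooling, and `report["leadership"]` items into the risk register, is what turns the intelligence into the evidenced action the control expects.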

How to pass an audit

To pass an audit of ISO 27001 Annex A 5.7 Threat Intelligence you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

What will an auditor check?

The audit is going to check a number of areas. Let's go through the main ones.

1. That you are gathering threat intelligence and analysing it

What this means is that you need to show that you have a list of sources of threat intelligence information, have records of collecting it, and can show reports where you have shared and communicated it.

2. That you have taken action as a result of threat intelligence

The process may be straightforward. You may have updated a system, changed a configuration, introduced or removed a tool, or had an incident that was managed via the incident management process. Whatever the course of action, you will have records of action taken and audit trails.

3. That threat intelligence forms part of risk management and operations

Your risk management process will factor in and evidence threat intelligence. Your risk register may take account of threat intelligence and emerging or realised risks.

Top 3 Mistakes People Make

In my experience, the top 3 Mistakes People Make For ISO 27001 Annex A 5.7 Threat Intelligence are

1. You are not collecting or using threat intelligence

This is a new control so one that is easy to overlook. Make sure to follow the control requirements and be able to evidence its operation.

2. You rely only on internal threat intelligence

Internal threat intelligence is easy to collect but does not provide for the wider picture. Be sure to include external sources of threat intelligence data.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months and having documents that contain no leftover comments are all good practices.


Why is ISO 27001 Annex A 5.7 Threat Intelligence important?

The purpose of this control is to provide awareness of the organisation’s threat environment so that the appropriate mitigation actions can be taken.

Taking collective knowledge of threats can lead to a collective response and that response can be based on collective best practice. If we share information we reduce the risk and impact of the emerging threats that are only ever going to increase. We cannot protect against what we do not know. As we start to know more we can increase our protection making for a safer, more secure working environment and protecting vital customer and employee data.

ISO 27001 Annex A 5.7 FAQ

Is threat intelligence a new ISO 27001 control?

Yes, threat intelligence is a new ISO 27001 control and a new requirement for ISO 27001 certification.

What are the 3 layers of threat intelligence?

The 3 layers of threat intelligence are:

  1. Strategic Threat Intelligence: high level information about the threat landscape
  2. Tactical Threat Intelligence: intelligence on tools, techniques and attack methodologies
  3. Operational Threat Intelligence: intelligence on specific attacks and indicators

When was threat intelligence added to ISO 27001?

Threat intelligence was added as an ISO 27001 control in 2022.

What clause of ISO 27001 covers threat intelligence?

ISO 27001 Annex A 5.7 covers threat intelligence.

What clause of ISO 27002 covers threat intelligence?

ISO 27002 clause 5.7 covers threat intelligence.

What is the difference between ISO 27001 Annex A 5.7 and ISO 27002 clause 5.7?

Nothing, they are the same thing. ISO 27002 is a standard in its own right and is included as an Annex to the ISO 27001 standard. As such it is often referred to as Annex A but it is a different name for the same thing.

How long will ISO 27001 Annex A 5.7 threat intelligence take me?

ISO 27001 Annex A 5.7 will take approximately 1 day to setup if you are starting from nothing and doing it yourself.

How much will ISO 27001 Annex A 5.7 threat intelligence cost me?

It can be free. It depends if you want to subscribe to the new services that have sprung up to offer this information at a cost.

Is there an online ISO 27001?

Yes, there is an online ISO 27001 at ISO 27001 Online.

ISO 27001 Controls and Attribute Values

Control type: Preventive, Corrective, Detective
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Identify, Detect, Respond
Operational capabilities: Threat and vulnerability management
Security domains: Defence, Resilience

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets


ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of Cryptography

ISO 27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing