Table of Contents
- ISO 27001 Threat Intelligence
- What is ISO 27001 Annex A 5.7 Threat Intelligence?
- Why is ISO 27001 Annex A 5.7 Threat Intelligence important?
- Implementation Guide
- How to create a Threat Intelligence Process in Under 10 Minutes
- Watch the Tutorial
- ISO 27001 Templates
- How to comply
- How to pass an audit
- Top 3 Mistakes People Make
- ISO 27001 Annex A 5.7 FAQ
- ISO 27001 Controls and Attribute Values
ISO 27001 Threat Intelligence
I am going to show you what ISO 27001 Annex A 5.7 Threat Intelligence is, what’s new, give you ISO27001 Threat Intelligence templates, an ISO 27001 toolkit, show you examples, do a walkthrough and show you how to implement it.
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.
What is ISO 27001 Annex A 5.7 Threat Intelligence?
ISO 27001 Annex A 5.7 Threat Intelligence is an ISO 27001 control that requires an organisation to collect and analyse information relating to information security threats and use that information take mitigation action.
Threat intelligence is used to prevent, detect or respond to threats. You can produce your own threat intelligence but as a rule you will make use of threat intelligence produced by others. It is often provided by independent providers and advisors which can include government sources and more than likely products and services will spring up around this new control to offer you it as a service, at a cost of course.
ISO 27001 Annex A 5.7 Purpose
ISO 27001 Annex A 5.7 is preventive, detective and corrective control that ensure you provide awareness of the organisations threat environment so that the appropriate mitigation actions can be taken.
Definition
The ISO 27001 standard defines ISO 27001 Annex A 5.7 as:
Information relating to information security threats should be collected and analysed to produce threat intelligence.
ISO 27001:2022 Annex A 5.7 Threat Intelligence
Why is ISO 27001 Annex A 5.7 Threat Intelligence important?
The purpose of this control is to provide awareness of the organisation’s threat environment so that the appropriate mitigation actions can be taken.
Taking collective knowledge of threats can lead to a collective response and that response can be based on collective best practice. If we share information we reduce the risk and impact of the emerging threats that are only ever going to increase. We cannot protect against what we do not know. As we start to know more we can increase our protection making for a safer, more secure working environment and protecting vital customer and employee data.
Implementation Guide
You are going to have to ensure that
- objectives for threat intelligence production are established
- internal and external sources of information are identified, selected and vetted where necessary and appropriate
- information is collected from selected sources
- information is then prepared for analysis for example by formatting or translating it
- information is analysed to understand how it relates to you
- communication and sharing of information is done to relevant in people in a way they will understand it
When implementing threat intelligence you are analysing and using information and including it in your risk management process. You are using it as input to inform how you implement and configure technical controls. You are adapting information security tests and techniques based on it.
Threat intelligence is used to inform decisions and actions to precent these threats causing harm to the organisation and reduce the impact of such threats.
There are 3 layers to threat intelligence.
The 3 layers of threat intelligence
- Strategic Threat Intelligence: high level information about the threat landscape
- Tactical Threat Intelligence: intelligence on tools, techniques and attack methodologies
- Operational Threat Intelligence: intelligence on specific attacks and indicators
How to create a Threat Intelligence Process in Under 10 Minutes
Watch the Tutorial
Watch How to implement ISO 27001 Annex A 5.7 Threat Intelligence
ISO 27001 Templates
You can save months of effort with the ISO 27001 Toolkit that take 25 years of experience and distill it in a pack of prewritten best practice awesomeness.
If you don’ want of need the full ISO 27001 Toolkit then this is the ISO27001 Annex A 5.7 Threat Intelligence Templates. Both the threat intelligence process and the threat intelligence report.
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
How to comply
To comply with ISO 27001 Annex A 5.7 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:
- Establish and document objectives for threat intelligence production
- Identify, vet, list and document internal and external sources of information
- Collect the information
- Prepare the information for analysis for example by formatting or translating it
- Analyse information to understand how it relates to you
- Communicate and share information to relevant people in a way they will understand it
How to pass an audit
To pass an audit of ISO 27001 Annex A 5.7 Threat Intelligence you are going to make sure that you have followed the steps above in how to comply.
What will an auditor check?
The audit is going to check a number of areas. Lets go through the main ones
1. That you are gathering threat intelligence and analysing it
What this means is that you need to show that you have a list of sources of threat intelligence information, have records of collecting and show reports where you have shared and communicated it.
2. That you have taken action as a result of threat intelligence
The process may be straightforward. You may have updated a system, changed a configuration, introduced or removed a tool, had an incident that was managed via the incident management process. What ever the course of action you will have records of action taken and audit trails.
3. That threat intelligence forms part of risk management and operations
Your risk management process will factor in and evidence threat intelligence. Your risk register may take account of threat intelligence and emerging or realised risks.
Top 3 Mistakes People Make
In my experience, the top 3 Mistakes People Make For ISO 27001 Annex A 5.7 Threat Intelligence are
1. You are not collecting or using threat intelligence
This is a new control so one that is easy to overlook. Make sure to follow the control requirements and be able to evidence its operation.
2. You rely only on internal threat intelligence
Internal threat intelligence is easy to collect but does not provide for the wider picture. Be sure to include external sources of threat intelligence data.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
ISO 27001 Annex A 5.7 FAQ
Yes threat intelligence is a new ISO 27001 control and a new requirement for ISO 27001 certification
The 3 layers of threat intelligence are:
Strategic Threat Intelligence: high level information about the threat landscape
Tactical Threat Intelligence: intelligence on tools, techniques and attack methodologies
Operational Threat Intelligence: intelligence on specific attacks and indicators
Threat intelligence was added as an ISO 27001 control in 2022.
ISO 27001 Annex A 5.7 covers threat intelligence.
ISO 27002 clause 5.7 covers threat intelligence.
Nothing, they are the same thing. ISO 27002 is a standard in its own right and is included as an Annex to the ISO 27001 standard. As such it is often referred to as Annex A but it is a different name for the same thing.
ISO 27001 Annex A 5.7 will take approximately 1 day to setup if you are starting from nothing and doing it yourself.
It can be free. It depends if you want to subscribe to the new services that have sprung up to offer this information at a cost.
ISO 27001 Controls and Attribute Values
Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
---|---|---|---|---|
Preventive | Confidentiality | Identify | Threat and vulnerability management | Defence |
Corrective | Integrity | Detect | Resilience | |
Detective | Availability | Respond |