ISO 27001 Annex A 5.7 Threat Intelligence

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 5.7 Threat Intelligence

ISO 27001 Threat Intelligence

I am going to show you what ISO 27001 Annex A 5.7 Threat Intelligence is, what’s new, give you ISO27001 Threat Intelligence templates, an ISO 27001 toolkit, show you examples, do a walkthrough and show you how to implement it.

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 5.7 Threat Intelligence?

ISO 27001 Annex A 5.7 Threat Intelligence is an ISO 27001 control that requires an organisation to collect and analyse information relating to information security threats and use that information take mitigation action.

Threat intelligence is used to prevent, detect or respond to threats. You can produce your own threat intelligence but as a rule you will make use of threat intelligence produced by others. It is often provided by independent providers and advisors which can include government sources and more than likely products and services will spring up around this new control to offer you it as a service, at a cost of course.

ISO 27001 Annex A 5.7 Purpose

ISO 27001 Annex A 5.7 is preventive, detective and corrective control that ensure you provide awareness of the organisations threat environment so that the appropriate mitigation actions can be taken.

Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.7 as:

Information relating to information security threats should be collected and analysed to produce threat intelligence.

ISO 27001:2022 Annex A 5.7 Threat Intelligence

Why is ISO 27001 Annex A 5.7 Threat Intelligence important?

The purpose of this control is to provide awareness of the organisation’s threat environment so that the appropriate mitigation actions can be taken.

Taking collective knowledge of threats can lead to a collective response and that response can be based on collective best practice. If we share information we reduce the risk and impact of the emerging threats that are only ever going to increase. We cannot protect against what we do not know. As we start to know more we can increase our protection making for a safer, more secure working environment and protecting vital customer and employee data.

Implementation Guide

You are going to have to ensure that

  • objectives for threat intelligence production are established
  • internal and external sources of information are identified, selected and vetted where necessary and appropriate
  • information is collected from selected sources
  • information is then prepared for analysis for example by formatting or translating it
  • information is analysed to understand how it relates to you
  • communication and sharing of information is done to relevant in people in a way they will understand it

When implementing threat intelligence you are analysing and using information and including it in your risk management process. You are using it as input to inform how you implement and configure technical controls. You are adapting information security tests and techniques based on it.

Threat intelligence is used to inform decisions and actions to precent these threats causing harm to the organisation and reduce the impact of such threats.

There are 3 layers to threat intelligence.

The 3 layers of threat intelligence

  1. Strategic Threat Intelligence: high level information about the threat landscape
  2. Tactical Threat Intelligence: intelligence on tools, techniques and attack methodologies
  3. Operational Threat Intelligence: intelligence on specific attacks and indicators

How to create a Threat Intelligence Process in Under 10 Minutes

Watch the Tutorial

Watch How to implement ISO 27001 Annex A 5.7 Threat Intelligence 

ISO 27001 Templates

You can save months of effort with the ISO 27001 Toolkit that take 25 years of experience and distill it in a pack of prewritten best practice awesomeness.

If you don’ want of need the full ISO 27001 Toolkit then this is the ISO27001 Annex A 5.7 Threat Intelligence Templates. Both the threat intelligence process and the threat intelligence report.

ISO27001 5.7 Threat Intelligence Template

DO IT YOURSELF ISO 27001

All the templates, tools, support and knowledge you need to do it yourself.

How to comply

To comply with ISO 27001 Annex A 5.7 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  • Establish and document objectives for threat intelligence production
  • Identify, vet, list and document internal and external sources of information
  • Collect the information
  • Prepare the information for analysis for example by formatting or translating it
  • Analyse information to understand how it relates to you
  • Communicate and share information to relevant people in a way they will understand it

How to pass an audit

To pass an audit of ISO 27001 Annex A 5.7 Threat Intelligence you are going to make sure that you have followed the steps above in how to comply.

What will an auditor check?

The audit is going to check a number of areas. Lets go through the main ones

1. That you are gathering threat intelligence and analysing it

What this means is that you need to show that you have a list of sources of threat intelligence information, have records of collecting and show reports where you have shared and communicated it.

2. That you have taken action as a result of threat intelligence

The process may be straightforward. You may have updated a system, changed a configuration, introduced or removed a tool, had an incident that was managed via the incident management process. What ever the course of action you will have records of action taken and audit trails.

3. That threat intelligence forms part of risk management and operations

Your risk management process will factor in and evidence threat intelligence. Your risk register may take account of threat intelligence and emerging or realised risks.

Top 3 Mistakes People Make

In my experience, the top 3 Mistakes People Make For ISO 27001 Annex A 5.7 Threat Intelligence are

1. You are not collecting or using threat intelligence

This is a new control so one that is easy to overlook. Make sure to follow the control requirements and be able to evidence its operation.

2. You rely only on internal threat intelligence

Internal threat intelligence is easy to collect but does not provide for the wider picture. Be sure to include external sources of threat intelligence data.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

ISO 27001 Annex A 5.7 FAQ

Is threat intelligence a new ISO 27001 control?

Yes threat intelligence is a new ISO 27001 control and a new requirement for ISO 27001 certification

What are the 3 layers of threat intelligence?

The 3 layers of threat intelligence are:
Strategic Threat Intelligence: high level information about the threat landscape
Tactical Threat Intelligence: intelligence on tools, techniques and attack methodologies
Operational Threat Intelligence: intelligence on specific attacks and indicators

When was threat intelligence added to ISO 27001?

Threat intelligence was added as an ISO 27001 control in 2022.

What clause of ISO 27001 covers threat intelligence?

ISO 27001 Annex A 5.7 covers threat intelligence.

What clause of ISO 27002 covers threat intelligence?

ISO 27002 clause 5.7 covers threat intelligence.

What is the difference between ISO 27001 Annex A 5.7 and ISO 27002 clause 5.7?

Nothing, they are the same thing. ISO 27002 is a standard in its own right and is included as an Annex to the ISO 27001 standard. As such it is often referred to as Annex A but it is a different name for the same thing.

How long will ISO 27001 Annex A 5.7 threat intelligence take me?

ISO 27001 Annex A 5.7 will take approximately 1 day to setup if you are starting from nothing and doing it yourself.

How much will ISO 27001 Annex A 5.7 threat intelligence cost me?

It can be free. It depends if you want to subscribe to the new services that have sprung up to offer this information at a cost.

ISO 27001 Controls and Attribute Values

Control typeInformation
security properties
Cybersecurity
concepts
Operational
capabilities
Security domains
PreventiveConfidentialityIdentify Threat and
vulnerability
management
Defence
CorrectiveIntegrityDetectResilience
DetectiveAvailabilityRespond