Threat Intelligence - ISO 27001 Annex A Control
ISO 27001 Annex A 5.7
The threats facing you change - your understanding of them needs to keep up.
ISO 27001 Annex A 5.7 - Threat Intelligence
Threat intelligence was new in the 2022 edition of ISO 27001. It recognises that information security risk has to be informed by what is actually happening in the wider world. A risk register based on a generic list of theoretical threats is less useful than one informed by what attackers are doing right now in the relevant sector.
Threat intelligence comes in three layers. Strategic intelligence covers the broad landscape - what kinds of attackers are active, what motivations they have, what technologies are being targeted. Tactical intelligence covers the techniques being used - the methods, tools and procedures attackers favour. Operational intelligence covers specific indicators - addresses, file hashes, signatures of active campaigns.
For most organisations, the strategic and tactical layers are what matter most for the risk register and policy decisions. Operational intelligence is more relevant to detection and response systems. The control does not require all three to be processed in detail. It requires that threat intelligence is collected and used in a way that fits the organisation's scale and risk profile.
Threat intelligence sounds heavy, but for most organisations it is not that complicated. Read the NCSC (National Cyber Security Centre) weekly briefings. Read the vendor advisories for the systems you run. Read what your sector is reporting. When something significant comes up, ask the question - does this change our risk picture, and if so, what do we do about it?
Practical Compliance Guidance
Threat intelligence is described in the IMS1 Manual Section 8.4 on information security risk management. Web filtering and threat data are also covered in Section 8.3 on IT equipment and physical security.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit, including the IMS1 Manual, information security risks register, policy-procedures, forms, registers and audit checklists. |
| ER15 Information Security Risks | The information security risk register. Threat intelligence findings are recorded here as identified threats, with an assessment of likelihood, impact and any treatment required. |
Note - all the above files can be downloaded with an alphaZ subscription.
