ISO 27001:2022 Annex A Control 5.7: Threat Intelligence

The aim of threat intelligence is to enhance an organisation’s understanding of the potential cyber threats that it may be subject to in the future. This can be done by collecting and analysing data relating to existing or future attacks that may be found within the organisation’s industry or beyond.

Threats to an organisation may vary but they generally relate to the confidentiality and availability of information. If a threat actor gains access to an organisation’s information or information system, they may choose to steal, copy, withhold or destroy sensitive data, causing disruption, damage and financial loss to a business.

Information security threats may occur internally or externally.

Threat intelligence: what you need to know

Annex 5.7 requires organisations to collect, analyse and produce threat intelligence that relates to information security threats. One example of this might be identifying how a threat actor gains entry to a network, which can provide valuable insight into how that vulnerability can be managed and mitigated.

According to the International Organisation for Standardisation (ISO) there are three levels of intelligence to be considered: strategic, tactical and operational.

Responding to and recovering from an attack may depend on an organisation’s understanding of the threat environment and the strength of its security posture in the face of those known risks.

Importantly, an organisation should continue to review and revisit its threat intelligence on a regular basis as new threats emerge all the time. To comply with Annex 5.7, an organisation must periodically:

• Review its threat environment
• Review both internal and external threat sources
• Consider new trends and novel attack vectors
• Build defences capable of mitigating security threats and maintaining a good risk posture

What’s changed from ISO 27001:2013?

ISO 27001:2022 Annex A control 5.7 threat intelligence is a new annex in the standard.