Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“Information relating to information security threats shall be collected and analysed to produce threat intelligence.”
Plain-language meaning
The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.
Raw threat feeds are not enough. News headlines are not enough. Threat intelligence exists when information is assessed, contextualized, and used to improve risk decisions, controls, monitoring, incident response, or management awareness.
Why this matters
Risk assessment based only on internal history is weak. If an organization has not yet experienced ransomware, supply-chain compromise, credential stuffing, or cloud misconfiguration abuse, that does not mean the risk is low.
Threat intelligence helps the ISMS answer:
- What threats are relevant to us?
- Which threat actors, techniques, sectors, regions, or technologies matter?
- What changed recently?
- What controls need attention?
- What risks should be reassessed?
- What should management know now?
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Define threat intelligence scope
Threat intelligence should match the organization’s context.
Relevant dimensions:
| Dimension | Example |
|---|---|
| Sector | Healthcare, finance, public sector, SaaS, manufacturing |
| Geography | Countries of operation, geopolitical exposure |
| Technology | Cloud platforms, identity systems, endpoints, OT, SaaS tools |
| Assets | Customer data, payment data, intellectual property, regulated systems |
| Threat type | Ransomware, phishing, insider misuse, supply-chain compromise |
| Business model | Remote workforce, online services, outsourced operations |
This links directly to Information Security Management System, Risk Assessment, and Field of Application, Usage, and Compliance.
2. Select sources
Sources can include:
- national CERT/CSIRT alerts;
- vendor advisories;
- sector ISACs or specialist groups;
- vulnerability databases;
- security researchers;
- managed security providers;
- incident reports;
- peer communities;
- commercial threat intelligence services;
- internal monitoring and incident data.
Do not blindly trust one source. Threat intelligence varies in accuracy.
3. Analyze and contextualize
The key question is: “What does this mean for us?”
| Raw information | Intelligence question |
|---|---|
| New vulnerability in a product | Do we use it? Is it exposed? Is there active exploitation? |
| Sector ransomware warning | Are our controls ready? Are backups tested? |
| Credential phishing campaign | Are our users targeted? Do we need awareness or detection updates? |
| Geopolitical alert | Do we operate in affected regions or supply chains? |
| New attack technique | Do our logs and controls detect it? |
4. Connect intelligence to ISMS decisions
Threat intelligence should feed:
- Risk Assessment;
- risk treatment decisions;
- Statement of Applicability review;
- control tuning;
- incident response playbooks;
- awareness training;
- vulnerability management priorities;
- supplier reviews;
- management briefings;
- Management Review.
If threat intelligence does not change decisions or confirm that no change is needed, it is probably just reading material.
5. Protect the research process
Threat research can leak information.
Personnel should be trained not to disclose sensitive organizational details in:
- public forums;
- search queries;
- AI tools;
- malware analysis environments;
- vendor portals;
- social media;
- community chat groups.
Threat intelligence work should comply with legal, regulatory, and contractual requirements. Staff should not perform risky investigation techniques without authorization and safe tooling.
6. Keep intelligence current
Threat intelligence is time-sensitive.
Define:
- review frequency;
- source owners;
- triage criteria;
- confidence levels;
- severity or relevance ratings;
- escalation paths;
- records of decisions and actions.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that the organization has a repeatable process for collecting, analyzing, validating, and using threat information.
Interview people responsible for risk decisions and control selection. The test is whether external threat information influences the ISMS in a traceable way.
Good audit questions:
- What threat sources do you use?
- How do you decide whether a threat is relevant?
- How do you validate intelligence quality?
- How does intelligence feed risk assessment?
- When did threat intelligence last change a control, risk rating, or management briefing?
- How do you protect sensitive information during research?
- Who receives threat intelligence outputs?
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Threat intelligence procedure | Process is defined and repeatable |
| Threat source register | Sources are identified and owned |
| Intelligence reports or briefings | Information is analyzed and communicated |
| Risk register updates | Intelligence affects risk decisions |
| Control tuning records | Intelligence affects controls |
| Vulnerability prioritization records | Threat context influences remediation |
| Management briefings | Significant threats reach decision-makers |
| Training for threat researchers | Research is performed safely and legally |
| Validation criteria | Intelligence is checked for reliability |
| Incident response updates | Intelligence improves preparedness |
Strong evidence
- Threat intelligence process defines sources, triage, analysis, validation, ownership, and escalation.
- Intelligence is mapped to assets, risks, controls, and business context.
- Recent intelligence led to documented decisions or control changes.
- Management receives concise threat briefings relevant to the organization.
- Threat research guidance warns staff about information leakage and legal limits.
- Confidence and relevance are assessed before action.
- Threat intelligence feeds risk assessment and the Statement of Applicability review.
Weak evidence
- A threat feed is subscribed to but not reviewed.
- Security newsletters are forwarded without analysis.
- Intelligence is not linked to assets, risks, or controls.
- No one can explain how threats affect risk treatment.
- No process exists to validate threat information.
- Staff use public searches or AI tools with sensitive internal details.
- Management receives either no threat intelligence or raw technical noise.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Confusing feeds with intelligence | Collection without analysis does not support decisions |
| No organizational context | Threats cannot be prioritized properly |
| No validation | Bad intelligence leads to wasted effort or missed risk |
| No link to risk management | Intelligence does not improve the ISMS |
| Overreaction to headlines | Controls become unbalanced or over-protective |
| Under-sharing with management | Decision-makers do not see emerging risk |
| Unsafe research practices | Staff may expose sensitive information or create legal risk |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- Threat information is not the same as threat intelligence. Intelligence requires analysis and context.
- A paid feed alone does not satisfy the control.
- Threat intelligence must support risk and control decisions, not just awareness.
- Internal incident history is not enough. External threat information matters.
- AI/search usage can leak sensitive details; research must be controlled.
- Threat intelligence can be strategic, tactical, or operational, but the exam usually tests whether it is collected, analyzed, contextualized, and used.
Related controls and concepts
- A.5.5 Contact with Authorities
- A.5.6 Contact with Special Interest Groups
- Risk Assessment
- Statement of Applicability
- Control Attributes and Risk Treatment Effects
- Management Review
- Internal Audit
- Information Security Management System
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.7 requires the organization to collect and analyze threat information to produce threat intelligence. The practical test is whether threat information is contextualized for the organization and used to support risk assessment, control selection, control tuning, incident readiness, vulnerability prioritization, and management decision-making.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Threat intelligence
- Risk assessment
- Threat management
- Audit
Note Metadata
Aliases: A.5.7, Threat Intelligence
Source: 02 Annex A Organizational Controls/A.5.7 Threat Intelligence.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Control Attributes and Risk Treatment Effects
- Field of Application, Usage, and Compliance
- Information Security Management System
- Internal Audit
- Management Review
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.5 - Contact with Authorities
- ISO 27001 A.5.6 - Contact with Special Interest Groups
- ISO 27001 A.5.8 - Information Security in Project Management
- A.5 Organizational Controls MOC
- A.5.6 Audit Evidence Pack
- A.5.7 Audit Evidence Pack
- AQ-ISO27001-A.5.7 Threat Intelligence
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.7 Threat Intelligence
- EVID-0001 Monthly Threat Intelligence Review
- EVID-0002 IOC Update Record
- EVID-0003 SIEM Rule Update
- EVID-0004 Vendor Advisory Review
- A.5 Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- Asset Threat Vulnerability Risk Control Evidence Data Model
- A.5.7 Audit Checklist
- Template - Management Review Input Checklist
- Template - Risk and Control Mapping Table
- Special Interest Group Participation Register
- Threat Intelligence Register
- Annex A Controls MOC