UnixTime

Research Note

ISO 27001 A.5.7 - Threat Intelligence

The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“Information relating to information security threats shall be collected and analysed to produce threat intelligence.”

Plain-language meaning

The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.

Raw threat feeds are not enough. News headlines are not enough. Threat intelligence exists when information is assessed, contextualized, and used to improve risk decisions, controls, monitoring, incident response, or management awareness.

Why this matters

Risk assessment based only on internal history is weak. If an organization has not yet experienced ransomware, supply-chain compromise, credential stuffing, or cloud misconfiguration abuse, that does not mean the risk is low.

Threat intelligence helps the ISMS answer:

  • What threats are relevant to us?
  • Which threat actors, techniques, sectors, regions, or technologies matter?
  • What changed recently?
  • What controls need attention?
  • What risks should be reassessed?
  • What should management know now?

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

1. Define threat intelligence scope

Threat intelligence should match the organization’s context.

Relevant dimensions:

Dimension Example
Sector Healthcare, finance, public sector, SaaS, manufacturing
Geography Countries of operation, geopolitical exposure
Technology Cloud platforms, identity systems, endpoints, OT, SaaS tools
Assets Customer data, payment data, intellectual property, regulated systems
Threat type Ransomware, phishing, insider misuse, supply-chain compromise
Business model Remote workforce, online services, outsourced operations

This links directly to Information Security Management System, Risk Assessment, and Field of Application, Usage, and Compliance.

2. Select sources

Sources can include:

  • national CERT/CSIRT alerts;
  • vendor advisories;
  • sector ISACs or specialist groups;
  • vulnerability databases;
  • security researchers;
  • managed security providers;
  • incident reports;
  • peer communities;
  • commercial threat intelligence services;
  • internal monitoring and incident data.

Do not blindly trust one source. Threat intelligence varies in accuracy.

3. Analyze and contextualize

The key question is: “What does this mean for us?”

Raw information Intelligence question
New vulnerability in a product Do we use it? Is it exposed? Is there active exploitation?
Sector ransomware warning Are our controls ready? Are backups tested?
Credential phishing campaign Are our users targeted? Do we need awareness or detection updates?
Geopolitical alert Do we operate in affected regions or supply chains?
New attack technique Do our logs and controls detect it?

4. Connect intelligence to ISMS decisions

Threat intelligence should feed:

If threat intelligence does not change decisions or confirm that no change is needed, it is probably just reading material.

5. Protect the research process

Threat research can leak information.

Personnel should be trained not to disclose sensitive organizational details in:

  • public forums;
  • search queries;
  • AI tools;
  • malware analysis environments;
  • vendor portals;
  • social media;
  • community chat groups.

Threat intelligence work should comply with legal, regulatory, and contractual requirements. Staff should not perform risky investigation techniques without authorization and safe tooling.

6. Keep intelligence current

Threat intelligence is time-sensitive.

Define:

  • review frequency;
  • source owners;
  • triage criteria;
  • confidence levels;
  • severity or relevance ratings;
  • escalation paths;
  • records of decisions and actions.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should verify that the organization has a repeatable process for collecting, analyzing, validating, and using threat information.

Interview people responsible for risk decisions and control selection. The test is whether external threat information influences the ISMS in a traceable way.

Good audit questions:

  • What threat sources do you use?
  • How do you decide whether a threat is relevant?
  • How do you validate intelligence quality?
  • How does intelligence feed risk assessment?
  • When did threat intelligence last change a control, risk rating, or management briefing?
  • How do you protect sensitive information during research?
  • Who receives threat intelligence outputs?

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Threat intelligence procedure Process is defined and repeatable
Threat source register Sources are identified and owned
Intelligence reports or briefings Information is analyzed and communicated
Risk register updates Intelligence affects risk decisions
Control tuning records Intelligence affects controls
Vulnerability prioritization records Threat context influences remediation
Management briefings Significant threats reach decision-makers
Training for threat researchers Research is performed safely and legally
Validation criteria Intelligence is checked for reliability
Incident response updates Intelligence improves preparedness

Strong evidence

  • Threat intelligence process defines sources, triage, analysis, validation, ownership, and escalation.
  • Intelligence is mapped to assets, risks, controls, and business context.
  • Recent intelligence led to documented decisions or control changes.
  • Management receives concise threat briefings relevant to the organization.
  • Threat research guidance warns staff about information leakage and legal limits.
  • Confidence and relevance are assessed before action.
  • Threat intelligence feeds risk assessment and the Statement of Applicability review.

Weak evidence

  • A threat feed is subscribed to but not reviewed.
  • Security newsletters are forwarded without analysis.
  • Intelligence is not linked to assets, risks, or controls.
  • No one can explain how threats affect risk treatment.
  • No process exists to validate threat information.
  • Staff use public searches or AI tools with sensitive internal details.
  • Management receives either no threat intelligence or raw technical noise.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Confusing feeds with intelligence Collection without analysis does not support decisions
No organizational context Threats cannot be prioritized properly
No validation Bad intelligence leads to wasted effort or missed risk
No link to risk management Intelligence does not improve the ISMS
Overreaction to headlines Controls become unbalanced or over-protective
Under-sharing with management Decision-makers do not see emerging risk
Unsafe research practices Staff may expose sensitive information or create legal risk

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • Threat information is not the same as threat intelligence. Intelligence requires analysis and context.
  • A paid feed alone does not satisfy the control.
  • Threat intelligence must support risk and control decisions, not just awareness.
  • Internal incident history is not enough. External threat information matters.
  • AI/search usage can leak sensitive details; research must be controlled.
  • Threat intelligence can be strategic, tactical, or operational, but the exam usually tests whether it is collected, analyzed, contextualized, and used.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.7 requires the organization to collect and analyze threat information to produce threat intelligence. The practical test is whether threat information is contextualized for the organization and used to support risk assessment, control selection, control tuning, incident readiness, vulnerability prioritization, and management decision-making.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Threat intelligence
  • Risk assessment
  • Threat management
  • Audit

Note Metadata

Aliases: A.5.7, Threat Intelligence

Source: 02 Annex A Organizational Controls/A.5.7 Threat Intelligence.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Audit checks

Audit questions, checklists, or review material connected to the control.

04

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.