What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that threat information is collected, analyzed, validated, contextualized, and used to support risk assessment, risk treatment, control improvement, incident readiness, and management awareness.
Evidence to request
| Evidence | Purpose |
|---|---|
| Threat intelligence procedure | Shows the process is defined and repeatable |
| Threat source register | Shows sources are identified and owned |
| Threat intelligence register or reports | Shows information is analyzed |
| Risk register updates | Shows intelligence influences risk decisions |
| Control tuning records | Shows intelligence improves controls |
| Vulnerability prioritization records | Shows threat context affects remediation |
| Incident response updates | Shows intelligence improves preparedness |
| Management threat briefings | Shows decision-makers receive relevant information |
| Validation or confidence criteria | Shows quality is assessed |
| Research safety guidance | Shows staff avoid legal, privacy, and leakage risks |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Threat intelligence process defines sources, triage, analysis, validation, ownership, and escalation.
- Intelligence is linked to assets, risks, controls, and business context.
- Recent intelligence led to a documented risk decision, control change, or management briefing.
- Staff assess confidence and relevance before action.
- Threat research guidance prevents sensitive data leakage.
- Intelligence feeds Risk Assessment, Statement of Applicability, and Management Review where relevant.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Threat feed exists but is not reviewed.
- Newsletters are forwarded without analysis.
- No link between intelligence and risk decisions.
- Management receives raw technical noise or nothing.
- No validation process.
- Staff use public tools or AI prompts with sensitive internal information.
- Intelligence is not current.
Sample interview questions
Ask security or risk staff
- What threat sources do you use?
- How do you decide whether a threat is relevant?
- How do you validate confidence or reliability?
- How does intelligence feed risk assessment?
- What changed recently because of threat intelligence?
- How do you avoid leaking sensitive information during research?
Ask management
- Do you receive threat briefings?
- How are significant threats translated into business impact?
- When does threat intelligence trigger management action?
Ask control owners
- Have threat updates changed your control operation?
- How do you know whether a new threat affects your assets?
Common nonconformities
- Confusing raw feeds with analyzed intelligence.
- No organizational context applied.
- No repeatable process.
- No validation of sources or confidence.
- No link to risk treatment or controls.
- Unsafe research practices.
- No evidence that intelligence reaches decision-makers.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 7
Note Metadata
Aliases: A.5.7 Evidence
Source: 04 Audit Evidence Packs/A.5.7 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Management Review
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.7 - Threat Intelligence
- Audit Evidence MOC
- AQ-ISO27001-A.5.7 Threat Intelligence
- A.5 Organizational Controls Audit Guide
- Asset Threat Vulnerability Risk Control Evidence Data Model
- A.5.7 Audit Checklist
- Threat Intelligence Register
- Audit Evidence Index