AuditFront

ISO 27001 A.5.7: Threat intelligence

What This Control Requires

Information relating to information security threats shall be collected and analysed to produce threat intelligence.

In Plain Language

Waiting for an attack to happen before learning about the threat is a losing strategy. This control - new in ISO 27001:2022 - requires you to proactively collect, analyse, and act on threat intelligence relevant to your business.

Threat intelligence works at three levels. Strategic intelligence helps you understand the broader threat landscape and trends. Tactical intelligence covers attacker techniques, tactics, and procedures. Operational intelligence gives you specific indicators of compromise you can act on right now. You need coverage across all three, scaled to your size and risk profile.

Raw threat data on its own is just noise. It becomes valuable intelligence only when you evaluate it against your specific environment, assets, and vulnerabilities. The real question is always: does this threat affect us, and what should we do about it?

How to Implement

Define what intelligence you actually need based on your risk assessment, industry, and technology stack. Then set up a programme that covers where you will source it, how you will process it, and how it will feed into security decisions.

Subscribe to relevant sources: commercial threat intelligence feeds, open-source intelligence (OSINT), government and sector advisories (CISA, NCSC, your sector ISAC), vendor security bulletins, and dark web monitoring if appropriate. Balance breadth with your team's capacity to actually process the information - more feeds are not better if nobody reads them.

Set up a collection and analysis workflow. A threat intelligence platform (TIP) is useful if volume warrants it, but smaller organisations can manage with curated mailing lists, RSS feeds, and weekly manual reviews. The key is being systematic rather than relying on ad hoc browsing.

Evaluate incoming intelligence for relevance, credibility, and actionability. Frameworks like MITRE ATT&CK or the Kill Chain help structure your analysis. Produce reports tailored to different audiences: executive summaries for the board, tactical reports for security operations, and technical indicators for IT teams.

Integrate intelligence into your operations. Feed indicators of compromise into your SIEM. Use threat data to prioritise patching and vulnerability management. Update your incident response plans based on current attacker techniques. Track metrics like mean time to detect and respond to measure whether your programme is actually working.
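The evaluation and integration steps above (judging a report's relevance to your own assets, weighting it by source credibility, turning the result into patch priorities and indicator hunts) are shown below as an added worked example; it is not AuditFront's code and not part of the control text. The asset inventory, feed entries, reliability weights, bucket thresholds, and log lines are all constructed for illustration, and the relevance-times-reliability scoring is one simple scheme, not a standard.

```python
"""Added example: triage a threat-intelligence feed against an asset inventory,
turn relevant reports into actions, and hunt surviving indicators in logs.
Everything below (inventory, feed, log lines, scoring weights) is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed asset inventory: the products we actually run and their exposure.
INVENTORY = {
    "web-01": {"products": {"nginx 1.24", "openssl 3.0"}, "internet_facing": True},
    "db-01": {"products": {"postgresql 15"}, "internet_facing": False},
    "vpn-01": {"products": {"examplevpn 9.1"}, "internet_facing": True},
}
# Source-reliability grades (Admiralty-style letters) mapped to assumed weights.
RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.5, "D": 0.2}


@dataclass
class Report:
    source: str
    reliability: str                  # grade from RELIABILITY
    summary: str
    affected_products: set[str]
    techniques: set[str]              # ATT&CK technique IDs the report cites
    indicators: dict[str, set[str]] = field(default_factory=dict)  # type -> values


# Constructed feed. Indicator values use documentation/reserved ranges and .invalid.
FEED = [
    Report("sector-isac", "A", "Exploitation of examplevpn 9.x observed in the wild",
           {"examplevpn 9.1"}, {"T1190"},
           {"ipv4": {"203.0.113.7", "198.51.100.22"},
            "domain": {"update.example.invalid"}}),
    Report("vendor-bulletin", "B", "Local privilege escalation in postgresql 15",
           {"postgresql 15"}, {"T1068"}),
    Report("paste-site", "D", "Unverified claim of an Exchange 0-day",
           {"exchange 2019"}, {"T1190"}, {"ipv4": {"192.0.2.99"}}),
]
OUR_PRODUCTS = {p for host in INVENTORY.values() for p in host["products"]}


def relevance(report: Report) -> float:
    """0 if the report touches nothing we run; 1.0 if an affected host is
    internet-facing; 0.6 if only internal hosts are affected."""
    hit = report.affected_products & OUR_PRODUCTS
    if not hit:
        return 0.0
    exposed = any(hit & h["products"] and h["internet_facing"] for h in INVENTORY.values())
    return 1.0 if exposed else 0.6


def triage(feed: list[Report]) -> list[dict]:
    """Score each report as relevance x source reliability, derive concrete
    actions, and bucket it by the audience that should see it."""
    out = []
    for r in feed:
        rel = relevance(r)
        score = round(rel * RELIABILITY[r.reliability], 2)
        actions = []
        if rel > 0:
            actions.append("patch: " + ", ".join(sorted(r.affected_products & OUR_PRODUCTS)))
            if r.indicators:
                actions.append(f"hunt: {sum(len(v) for v in r.indicators.values())} indicators")
        bucket = "operational" if score >= 0.8 else "tactical" if score > 0 else "noise"
        out.append({"report": r, "source": r.source, "summary": r.summary,
                    "score": score, "bucket": bucket, "actions": actions})
    return sorted(out, key=lambda t: -t["score"])


def patch_priority(triaged: list[dict]) -> list[str]:
    """Products to patch first, ordered by the score of the report naming them."""
    order = []
    for t in triaged:
        for p in sorted(t["report"].affected_products & OUR_PRODUCTS):
            if p not in order:
                order.append(p)
    return order


# Constructed log lines standing in for SIEM events.
LOGS = [
    "2024-05-01T10:00:01Z vpn-01 vpnd: session opened from 203.0.113.7",
    "2024-05-01T10:00:05Z web-01 nginx: GET /index.html from 192.0.2.99",
    "2024-05-01T10:01:00Z web-01 dns: query update.example.invalid A",
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def hunt(triaged: list[dict], logs: list[str], min_score: float = 0.5) -> list[dict]:
    """Search logs only for indicators from reports that passed triage, so a
    low-reliability or irrelevant feed cannot raise alerts on its own."""
    hits = []
    for t in triaged:
        if t["score"] < min_score:
            continue
        ind = t["report"].indicators
        wanted = ind.get("ipv4", set()) | {d.lower() for d in ind.get("domain", set())}
        for i, line in enumerate(logs):
            seen = set(IPV4.findall(line)) | {d.lower() for d in DOMAIN.findall(line)}
            for m in sorted(seen & wanted):
                hits.append({"line": i, "indicator": m, "source": t["source"]})
    return hits


if __name__ == "__main__":
    triaged = triage(FEED)
    for t in triaged:
        print(f"{t['bucket']:<11} {t['score']:.2f} {t['source']}: {t['summary']} -> {t['actions']}")
    print("patch order:", patch_priority(triaged))
    for h in hunt(triaged, LOGS):
        print("hit:", h)
```

Run as-is, the ISAC report lands in the operational bucket with both a patch and a hunt action, the vendor bulletin becomes a tactical patching item, and the paste-site claim is discarded as noise, so its indicator never generates an alert even though it appears in the logs. The same three outputs (bucketed report list, patch order, indicator hits) are the kind of records an auditor can trace from collection through to a control change.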

Evidence Your Auditor Will Request

  • Documented threat intelligence program with defined sources and processes
  • Records of threat intelligence collected and analyzed over the review period
  • Evidence of threat intelligence being used to inform security decisions and control updates
  • Threat intelligence reports produced for management and technical teams
  • Integration of threat intelligence into monitoring, SIEM, or vulnerability management

Common Mistakes

  • No systematic process for collecting and analyzing threat intelligence
  • Threat intelligence is collected but not analyzed for organizational relevance
  • Intelligence does not flow from collection to operational security teams
  • Organization relies on a single source of threat intelligence without validation
  • No connection between threat intelligence and security control adjustments

Related Controls Across Frameworks

Framework | Control ID   | Relationship
SOC 2     | CC7.2        | Related
SOC 2     | CC3.2        | Partial overlap
NIS2      | Art.21(2)(a) | Related

Frequently Asked Questions

Is this control new in ISO 27001:2022?
Yes, it is one of the 11 new controls introduced in the 2022 revision. It reflects the reality that reactive security is no longer sufficient. If you are transitioning from the 2013 version, this is one you need to build from scratch.
How can small organizations implement threat intelligence without a dedicated team?
You do not need a dedicated team. Start with free sources: your national CERT advisories, vendor security bulletins for your platforms, and your industry ISAC reports. Assign one person to review these weekly and produce a short summary of relevant threats. Use vendor bulletins to drive your patching priorities. What auditors want to see is a systematic, documented process - not a big team.
