The basics
ISO 27001 control A.5.7 Threat intelligence requires organizations to gather information about threats and analyze them in order to take appropriate mitigation actions. This is a completely new control in the 2022 edition of the standard.
Documentation
ISO 27001 control A.5.7 Threat intelligence can be documented:
- for smaller companies by writing an Incident Management Procedure
- for mid-sized and larger companies by writing a Threat Intelligence Procedure
These procedures are not mandatory but are recommended.
Implementation
In order to comply with control A.5.7 Threat intelligence you might implement the following:
- Technology — the technology used to gather and analyze threat intelligence could include software, hardware, or networks. Smaller companies will probably be able to extract threat intelligence from their own existing systems (e.g., fault logs collected from systems, servers, and network devices), whereas larger companies will probably need software that alerts them to new threats, vulnerabilities, and incidents (e.g., SIEM solutions).
- Organization/processes — you should set up a process for gathering and using threat information to introduce preventive controls in your IT systems, improve your risk assessment, and introduce new methods for security testing. You can document these processes in an Incident Management Procedure or a Threat Intelligence Procedure.
- People — make employees aware of why threat intelligence is needed, and train them on how and to whom these threats are to be communicated.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.7 Threat intelligence: whether information about threats is gathered and analyzed.