Threat Intelligence
Plain English Translation
ISO 27001 Annex A.5.7 is a new control in the 2022 standard that requires organizations to actively collect and analyze information about security threats. It moves beyond patching whatever a scanner reports to understanding the specific threat landscape relevant to your organization: who is likely to target you, how they operate, and which of your assets they would go after. You must gather data from external sources (vendor alerts, government agencies, industry sharing groups, security forums), analyze how those threats apply to your environment, and use that intelligence to update your risk assessments and security controls.
Technical Implementation
Required Actions (startup)
- Subscribe to vendor security alerts for your tech stack
- Monitor free government advisories (e.g., CISA, which absorbed US-CERT, or the UK NCSC)
Required Actions (scaleup)
- Implement automated vulnerability scanning with threat context (e.g., prioritize findings that are known to be exploited in the wild, such as entries in CISA's Known Exploited Vulnerabilities catalog, over raw CVSS score)
- Join industry-specific Information Sharing and Analysis Centers (ISACs)
Required Actions (enterprise)
- Establish a dedicated threat hunting function
- Integrate automated threat feeds (STIX/TAXII) into SIEM/SOAR platforms
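The last item in the enterprise list is the only step on this page that turns into code: pulling a STIX 2.1 feed (over TAXII or as a downloaded bundle), extracting the indicators that are still usable, and matching them against logs. The following is an added illustration, not code from the original page or from any WatchDog Security product. It assumes a constructed STIX bundle (RFC 5737 documentation IP ranges and reserved `.example` domains, with made-up indicator IDs) and a few constructed key=value proxy/DNS log lines; it deliberately handles only simple equality comparisons in STIX patterns, and the function and constant names are this example's own. It also shows the two filters that are easy to forget and that generate false positives if skipped: indicators that have been `revoked` and indicators whose `valid_until` has passed.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle (not from a real feed). IPs are RFC 5737
# documentation addresses; domains use the reserved .example TLD.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--6a1c4c2e-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--11111111-0000-4000-8000-000000000001",
         "name": "C2 beacon host", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "valid_from": "2026-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--11111111-0000-4000-8000-000000000002",
         "name": "Phishing landing domains", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login-verify.example' OR "
                    "domain-name:value = 'cdn-update.example']",
         "valid_from": "2026-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--11111111-0000-4000-8000-000000000003",
         "name": "Scanner IP (expired)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2025-01-01T00:00:00Z",
         "valid_until": "2025-06-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--11111111-0000-4000-8000-000000000004",
         "name": "Retracted false positive", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'cdn.partner.example']",
         "valid_from": "2026-01-01T00:00:00Z",
         "revoked": True},
    ],
})

# The point in time at which the feed is evaluated (fixed so the example is
# reproducible; a real integration would use the current UTC time).
REVIEW_TIME = datetime(2026, 2, 17, tzinfo=timezone.utc)

# One "object-path = 'value'" comparison inside a STIX pattern. This is a
# simplification: full STIX patterns also allow AND, FOLLOWEDBY, LIKE, MATCHES
# and observation-expression qualifiers, which a production SIEM connector
# would hand to a real STIX pattern parser.
_COMPARISON = re.compile(r"([a-z0-9\-]+:[A-Za-z0-9_.'\-\[\]]+)\s*=\s*'([^']*)'")


def extract_iocs(bundle_json, now=None):
    """Return {(observable_type, value): indicator_id} for usable indicators.

    Skips revoked indicators, indicators whose valid_until has passed, and
    non-STIX pattern types (snort/yara/sigma) that belong in other tooling.
    """
    now = now or datetime.now(timezone.utc)
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) < now:
            continue
        for path, value in _COMPARISON.findall(obj["pattern"]):
            iocs[(path.split(":")[0], value)] = obj["id"]
    return iocs


# Constructed proxy/DNS log lines in a simple key=value format.
SAMPLE_LOGS = """\
ts=2026-02-17T09:12:01Z src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow
ts=2026-02-17T09:12:05Z src=10.0.0.12 query=login-verify.example rcode=NOERROR
ts=2026-02-17T09:13:11Z src=10.0.0.31 dst=198.51.100.7 dport=22 action=allow
ts=2026-02-17T09:14:40Z src=10.0.0.31 query=cdn.partner.example rcode=NOERROR
ts=2026-02-17T09:15:02Z src=10.0.0.44 dst=192.0.2.9 dport=443 action=allow
"""

_KV = re.compile(r"(\w+)=(\S+)")

# Which log fields are compared against which STIX observable type.
FIELD_MAP = (("dst", "ipv4-addr"), ("src", "ipv4-addr"), ("query", "domain-name"))


def match_logs(iocs, log_text):
    """Return a list of (log_line, matched_value, indicator_id) for every hit."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(_KV.findall(line))
        for field, kind in FIELD_MAP:
            value = fields.get(field)
            if value and (kind, value) in iocs:
                hits.append((line, value, iocs[(kind, value)]))
    return hits


def run_example():
    """Evaluate the constructed feed against the constructed logs."""
    return match_logs(extract_iocs(SAMPLE_BUNDLE, now=REVIEW_TIME), SAMPLE_LOGS)


if __name__ == "__main__":
    for line, value, indicator_id in run_example():
        print(f"ALERT indicator={indicator_id} value={value} :: {line}")
```

Run as written, the example raises two alerts (the C2 address and the phishing domain) and stays silent on the expired scanner IP and the retracted domain, which is the behaviour an auditor tracing "what intelligence triggered which action" needs to see. In a real deployment the bundle would come from a TAXII 2.1 collection and the match would run in the SIEM's lookup table or watchlist, but the lifecycle checks are the same.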
A.5.7 is an organizational control (one of the four control themes in ISO 27002:2022, alongside people, physical, and technological controls). It requires the collection and analysis of information about security threats to produce actionable intelligence that informs risk management and control selection.
Implementation involves identifying relevant data sources (vendor alerts, government feeds, sharing groups), establishing a process to analyze that data for relevance to your organization, and distributing the findings to the people who can act on them. WatchDog Security's Compliance Center can help document the review cadence and retain evidence that intelligence was evaluated and communicated.
Auditors look for subscriptions to threat feeds, reports analyzing specific threats, evidence that risk assessments were updated based on new threats, and tickets showing remediation of vulnerabilities identified through intelligence. WatchDog Security's Compliance Center can map these artifacts to Annex A.5.7, and WatchDog Security's Vulnerability Management can provide the remediation trail and MTTR analytics.
ISO 27001 does not formally define categories of threat intelligence, but the ISO 27002:2022 guidance for control 5.7 (and industry practice) distinguishes three layers: Strategic (high-level trends in the threat landscape, for management), Tactical (attacker methodologies, tools, and TTPs, for defenders), and Operational (details of specific attacks, including technical indicators such as IP addresses, domains, and file hashes).
Threat intelligence supplies the evidence needed to estimate the likelihood of a risk occurring; without current threat data, likelihood scores in a risk assessment are guesses. WatchDog Security's Risk Register can capture the intelligence source as the rationale for a likelihood score and maintain an auditable history of updates.
Valid sources include vendor security notifications, government advisories (CISA, NCSC), industry ISACs, reputable security news outlets, and automated threat feeds integrated into security tools.
Like every Annex A control, A.5.7 must either be implemented or be justifiably excluded in the Statement of Applicability; in practice, an exclusion is hard to justify because nearly every organization faces external threats it needs to track.
A.5.7 is a completely new control in the 2022 version. In the 2013 version, threat intelligence was only implied through A.6.1.4 (contact with special interest groups) and A.12.6.1 (management of technical vulnerabilities); it is now an explicit requirement.
Threat intelligence often stalls at "interesting reading" unless it is connected to a workflow that assigns ownership and tracks fixes. WatchDog Security's Vulnerability Management can ingest findings from multiple sources, prioritize them with triage workflows, and track MTTR, helping teams prove that intelligence drove remediation rather than sitting in a report.
Auditors look for traceability: what intelligence was reviewed, what decision it triggered, and where that decision is recorded. WatchDog Security's Risk Register can link emerging threats to likelihood changes, treatments, and owners, while WatchDog Security's Compliance Center can organize the supporting evidence (feed subscriptions, review notes, tickets) against Annex A.5.7.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |