Threat Intelligence in ISO 27001:2022

April 24th, 2023 Posted in ISO 27001


ISO 27001 is a globally recognised standard that specifies the requirements for an Information Security Management System (ISMS). It provides a framework for organisations to manage and protect their sensitive information assets against various threats. ISO 27001 has been revised with a new version of the standard published in October 2022.

Changes in ISO 27001:2022

ISO 27001:2022 has brought with it a number of changes, to read a more in-depth view of these changes – this recent blog post highlights the key differences in ISO 27001 2022. Part of the revised standard includes a new control focused on Threat intelligence (5.7) that requires your organisation to identify, collect and process information relating to security threats, and use this information to take informed actions to prevent threats or reduce the impact of threats.

In this blog, we highlight threat intelligence in ISO 27001:2022 and will cover:

  • What is threat intelligence?
  • What are the 3 layers of threat intelligence?
  • What activities are required to meet the new control?
  • What benefits can threat intelligence provide?

Definition of threat intelligence

ISO 27002:2022 defines threat intelligence as “information about existing or emerging threats collected and analysed in order to:

  • Facilitate informed actions to prevent the threats from causing harm to the organisation, and
  • Reduce the impact of such threats.”

You can think of threat intelligence as an early warning system, letting you know that a new threat type or attack vector may be relevant to your organisation. It is really important therefore to have a process for the identification and collection of threat intelligence information, as well as a full understanding of what to do with the information once you have it.

Layers of threat intelligence

Threat intelligence can be obtained from various sources, both internal and external. Internal sources include network logs, system logs, and other security tools used by the organisation. External sources may include reports from government agencies, security vendors, and other industry experts. Threat intelligence can be obtained in real-time, near real-time, or retrospectively.

The ISO 27001:2022 Standard and guidance provided in ISO27002:2022 divide threat intelligence into three distinct types or “layers”, all of which should be considered:

  • Strategic threat intelligence: the exchange of high-level information about the changing threat landscape
  • Tactical threat intelligence: information about attacker methodologies, tools and the technologies involved
  • Operational threat intelligence: details about specific attacks, including technical indicators (Indicators of Compromise).

Understanding the different types of threat intelligence will enable you to share information with the right stakeholders both internally and externally, as well as ensure that you can take appropriate action to mitigate the threat.

Activities required for managing threat intelligence in ISO 27001

The Standard describes the activities required when creating a framework for the management of threat intelligence, including:

  • Establishing objectives for the management of threat intelligence
  • Identifying, vetting and selecting internal and external information sources that are necessary and appropriate to provide the information required for the production of threat intelligence
  • Collecting information from the selected sources
  • Processing information collected to prepare it for analysis
  • Analysing information to understand how it relates and is meaningful to the organisation
  • Communicating and sharing it with relevant individuals in a format that can be understood.

Organisations should have a dedicated person or team responsible for collecting, analysing, and disseminating threat intelligence. They should also use automated tools to collect and analyse data to improve the speed and accuracy of threat detection.

You have obtained threat intelligence, what next?

The Standard requires that threat intelligence is analysed and used, by implementing processes that include threat intelligence information into your security risk management processes, as additional input to technical preventative and detective controls such as firewalls or anti-malware solutions, and as input to the information security test processes and techniques. It would be wise to describe the ways in which your organisation uses threat intelligence in a formal policy and procedure, to ensure that threat intelligence is consistently utilised.

What are the benefits of utilising threat intelligence?

One of the key benefits of threat intelligence is that it can help organisations detect and respond to cyber-attacks faster. Threat intelligence enables organisations to identify attacks before they occur, reducing the risk of damage to their information assets. It also allows organisations to respond to attacks more quickly, minimising the impact on their operations and reputation.

Threat intelligence also helps organisations improve their overall security posture. Providing insights into new and emerging threats enables organisations to remain up-to-date with the latest cybersecurity trends and adopt appropriate security controls. In this way, threat intelligence helps companies stay ahead of threats and protects their information assets more effectively.

Thinking about getting ISO 27001 certification?

If you are thinking of gaining ISO certification, we’re here to help wherever you are on your decision path. We can help with an initial workshop, carry out a full gap analysis, support your ISO project or manage your ISMS for you. We are also best placed to provide you with a list of recommended UKAS-accredited certification bodies for when you are ready to certify to the ISO 27001 standard.

If you are considering integrating ISO 27001 and ISO 9001 into one management system, we can also help you with this.

If you’d like to understand more about our ISO services, we’d be delighted to hear from you. You can find out more about our services here and you can contact us here.

  • This field is for validation purposes and should be left unchanged.



Chris Stone

Written by Chris Stone

Chris consults on information and IT security compliance, security assurance and incident response and is a certified ISO 27001 Lead Auditor. He has worked in security compliance and access management analysis and assurance in the travel and financial services sectors.