TTPs (Tactics, Techniques, Procedures) describe attacker behavior at three levels of abstraction. Tactics represent high-level goals (e.g., initial access), techniques are the specific methods used (e.g., spear-phishing), and procedures are the detailed execution steps. The MITRE ATT&CK framework is the most widely adopted systematization of TTPs. In an ISMS, TTPs help you model threat scenarios realistically and align security controls with known attack patterns.