Annex A · Organisational Control

A.5.7 — Threat Intelligence

Reviewed by: Cenedril Editorial
Tags: A.5.7 · ISO 27001 · ISO 27002 · BSI DER.1

A new ransomware campaign targets organisations using a specific VPN product. The threat intelligence team picks up indicators of compromise from an ISAC feed on Tuesday, blocks the known C2 domains by Wednesday and patches the exploited vulnerability by Thursday. A.5.7 makes this kind of proactive defence possible by requiring the organisation to collect, analyse and act on threat intelligence.

Threat intelligence transforms security from reactive to anticipatory. Instead of waiting for an incident and then investigating, the organisation continuously monitors the threat landscape and adjusts its defences accordingly.

What does the standard require?

  • Collect threat information. Gather intelligence from multiple sources — government advisories, CERT feeds, vendor bulletins, commercial threat intelligence services, open-source intelligence (OSINT) and industry sharing groups.
  • Analyse and contextualise. Raw data becomes intelligence only when it is analysed in the context of the organisation’s own environment. Evaluate which threats are relevant to the organisation’s technology stack, sector and geography.
  • Produce actionable output. Threat intelligence must lead to concrete actions: updating firewall rules, patching specific vulnerabilities, adjusting monitoring rules, informing risk assessments or briefing management on emerging risks.
  • Operate at three levels. Strategic intelligence informs management decisions on risk and investment, tactical intelligence (attacker tools and tactics, techniques and procedures) guides security architecture and detection engineering, and operational intelligence (specific indicators of current attacks) feeds directly into detection and response tools.

In practice

Define intelligence requirements. Before subscribing to feeds, clarify what the organisation needs to know. Which threat actors target your sector? Which attack vectors are most relevant? What geopolitical risks affect your supply chain? Intelligence requirements prevent information overload and focus analysis on what matters.

Build a triage workflow. Incoming intelligence items should follow a defined path: receive, assess relevance, assign priority, route to the responsible team, track the action taken. Without triage, intelligence drowns in noise.

Feed indicators into detection systems. Operational intelligence (indicators of compromise such as malicious IP addresses, domains and file hashes) should be ingested into the SIEM, IDS/IPS and endpoint detection tools. Automate this integration wherever possible, normalise indicators before loading them and give each one an expiry: stale indicators, duplicates and internal address ranges that slip into a feed generate false positives and can block legitimate traffic.
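The following Python script is an added worked example, not code from the original page or from Cenedril; it shows the relevance filtering of the triage step and the ingestion step above on a constructed feed. It refangs and normalises indicators, drops expired, low-confidence, non-routable and malformed entries, deduplicates by canonical value, and then sweeps a few constructed DNS, proxy and EDR log lines for matches. The feed layout (`type`, `value`, `confidence`, `valid_until`), the key=value log format and the `.example` names and documentation address ranges are all assumptions for illustration, not real indicators or real logs.

```python
"""Normalise an IoC feed and sweep log lines for matches (added illustration).

Feed layout, field names and log formats are assumed; every indicator and log
line is constructed from documentation ranges and .example names.
"""
import ipaddress
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_HASH = "1f" * 32  # constructed 64-hex value standing in for a SHA-256

# Constructed feed in an assumed JSON-list-of-records shape.
SAMPLE_FEED = json.dumps([
    {"type": "domain", "value": "update-check[.]example", "confidence": 80,
     "valid_until": "2099-01-01T00:00:00Z"},
    {"type": "domain", "value": "UPDATE-CHECK[.]example", "confidence": 60,
     "valid_until": "2099-01-01T00:00:00Z"},          # duplicate after normalisation
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90,
     "valid_until": "2099-01-01T00:00:00Z"},
    {"type": "ipv4", "value": "10.0.0.7", "confidence": 90,
     "valid_until": "2099-01-01T00:00:00Z"},          # RFC 1918: feed noise, must not be blocked
    {"type": "sha256", "value": SAMPLE_HASH.upper(), "confidence": 70,
     "valid_until": "2099-01-01T00:00:00Z"},          # upper case: normalise before matching
    {"type": "domain", "value": "old-c2.example", "confidence": 95,
     "valid_until": "2020-01-01T00:00:00Z"},          # expired: stale IoCs only cause false positives
    {"type": "domain", "value": "rumour.example", "confidence": 20,
     "valid_until": "2099-01-01T00:00:00Z"},          # below the confidence threshold
])

# Ranges that never belong in a blocklist. Documentation ranges such as
# 203.0.113.0/24 are deliberately not listed so the constructed sample passes.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def refang(value: str) -> str:
    """Undo the defanging feeds apply so indicators are not clickable."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def normalise(record: dict, now: datetime, min_confidence: int) -> Optional[Tuple[str, str]]:
    """Return (type, canonical value), or None if the indicator should be dropped."""
    valid_until = datetime.fromisoformat(record["valid_until"].replace("Z", "+00:00"))
    if valid_until < now or record.get("confidence", 0) < min_confidence:
        return None
    kind, value = record["type"], refang(record["value"].strip())
    if kind == "ipv4":
        try:
            ip = ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            return None
        return None if any(ip in net for net in NON_ROUTABLE) else (kind, str(ip))
    if kind == "domain":
        return kind, value.lower().rstrip(".")
    if kind == "sha256":
        value = value.lower()
        return (kind, value) if re.fullmatch(r"[0-9a-f]{64}", value) else None
    return None  # unsupported indicator type


def load_feed(raw_json: str, now: Optional[datetime] = None,
              min_confidence: int = 50) -> Dict[str, Set[str]]:
    """Parse a feed into per-type sets; the sets deduplicate canonical values."""
    now = now or datetime.now(timezone.utc)
    indicators: Dict[str, Set[str]] = {"ipv4": set(), "domain": set(), "sha256": set()}
    for record in json.loads(raw_json):
        norm = normalise(record, now, min_confidence)
        if norm:
            indicators[norm[0]].add(norm[1])
    return indicators


# Constructed log lines in an assumed key=value layout (DNS, proxy, EDR).
SAMPLE_LOGS = [
    "2024-05-14T09:12:01Z dns client=192.168.1.20 query=update-check.example. type=A",
    "2024-05-14T09:12:02Z proxy client=192.168.1.20 dst=203.0.113.45:443 action=CONNECT",
    "2024-05-14T09:13:40Z dns client=192.168.1.31 query=intranet.corp.example. type=A",
    f"2024-05-14T09:15:09Z edr host=WS-031 file=setup.exe sha256={SAMPLE_HASH.upper()}",
    "2024-05-14T09:16:00Z proxy client=192.168.1.31 dst=10.0.0.7:8080 action=CONNECT",
]

# (field extractor, indicator type, canonicaliser) for each log field swept;
# the canonicaliser must mirror what normalise() did to the feed side.
EXTRACTORS = [
    (re.compile(r"query=([A-Za-z0-9.-]+)"), "domain", lambda s: s.lower().rstrip(".")),
    (re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})"), "ipv4", lambda s: s),
    (re.compile(r"sha256=([0-9A-Fa-f]{64})"), "sha256", lambda s: s.lower()),
]


def sweep(lines: List[str], indicators: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (type, indicator, log line) for every swept field value present in the feed."""
    hits = []
    for line in lines:
        for pattern, kind, canon in EXTRACTORS:
            for match in pattern.finditer(line):
                value = canon(match.group(1))
                if value in indicators[kind]:
                    hits.append((kind, value, line))
    return hits


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    print({k: sorted(v) for k, v in feed.items()})
    for hit in sweep(SAMPLE_LOGS, feed):
        print("HIT", hit[0], hit[1], "<-", hit[2])
```

Of the seven feed records only three survive normalisation, and the sweep produces three hits (the DNS query, the proxy connection and the EDR hash); the connection to 10.0.0.7 is not flagged because the RFC 1918 entry was rejected at load time rather than at match time, which is where such filtering belongs.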

Brief management regularly. Strategic threat intelligence belongs in the management review. Present trends, emerging threats and the organisation’s exposure in terms that management can use for resource allocation and strategic planning.

Typical audit evidence

Auditors typically expect the following evidence for A.5.7:

  • Threat intelligence source register — documented list of subscribed feeds, services and communities
  • Triage and analysis records — evidence that incoming intelligence was evaluated and prioritised
  • Action records — showing that relevant intelligence led to concrete security measures (patches, rule updates, risk register entries)
  • Management briefings — slides or minutes from strategic threat intelligence presentations
  • Integration evidence — configuration showing that IoC feeds are ingested into detection tools

KPI

% of identified threat intelligence sources that are actively monitored and evaluated

This KPI measures operational coverage. Target: 100% of subscribed sources are actively monitored. A source that is subscribed but unread provides no value. Track both the number of sources and the percentage that are actively triaged.

Supplementary KPIs:

  • Average time from intelligence receipt to triage decision
  • Number of threat intelligence items that led to defensive actions per quarter
  • Percentage of critical vulnerabilities identified through threat intelligence before public disclosure

BSI IT-Grundschutz

A.5.7 maps to an extensive set of BSI requirements:

  • DER.1.A12 (Evaluation of information from external sources) — systematic collection and evaluation of security-relevant information from CERTs, advisories and threat feeds.
  • OPS.1.1.1.A10 (System monitoring) — integration of external threat indicators into system monitoring.
  • OPS.1.1.1.A20 (Protection against APT) — advanced threat intelligence to detect and counter targeted attacks.
  • OPS.1.1.1.A22 and A23 (Central detection and evaluation) — centralised analysis of security events enriched with external intelligence.
  • DER.2.1.A9 (Escalation strategy) — threat intelligence informs escalation decisions during incident response.
  • IND.1.A12 (Integration for industrial environments) — sector-specific threat intelligence for operational technology.

A.5.7 feeds intelligence into multiple ISMS processes:

Frequently asked questions

What are the three layers of threat intelligence?

Strategic intelligence covers broad trends and attacker motivations (e.g. the rise of ransomware targeting healthcare). Tactical intelligence describes attacker tactics, techniques and procedures (TTPs) and the tools they use. Operational intelligence provides specific indicators of compromise (IoCs) such as malicious IP addresses, file hashes or domain names that can be fed directly into security tools.

Do small organisations need a threat intelligence programme?

Yes, though the scope scales with the organisation. A small company can fulfil A.5.7 by systematically monitoring CERT advisories, vendor security bulletins and relevant news sources. A dedicated threat intelligence platform is useful for larger organisations but is not a prerequisite.

How does threat intelligence differ from vulnerability management?

Vulnerability management identifies weaknesses in the organisation's own systems. Threat intelligence focuses on external actors and their capabilities, intentions and methods. The two disciplines complement each other: threat intelligence helps prioritise which vulnerabilities to patch first, based on active exploitation in the wild.