What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.7

ISO 27001 Annex A 5.7 - what changed in the 2022 update

If you have been keeping an eye on the world of information security, you likely know that ISO 27001 underwent a significant facelift recently. One of the most talked-about additions is Annex A 5.7, which focuses on Threat Intelligence. But if you are coming from the 2013 version of the standard, you might be wondering: what exactly changed? Where did this come from, and how do you implement it?

The short answer is that while the 2013 version touched on awareness, it didn’t have a dedicated control for threat intelligence. The 2022 update changed all that, reflecting the modern reality that being reactive simply isn’t enough anymore. Let’s break down the shift and what it means for your organisation.

The Evolution from 2013 to 2022

In the ISO 27001:2013 standard, there was no direct equivalent to Annex A 5.7. Back then, security was often more about building high walls and making sure the gates were locked. While “Contact with Special Interest Groups” (formerly A.6.1.4) and “Information Security Awareness” (formerly A.7.2.2) existed, they didn’t require the structured collection and analysis of specific threat data.

The 2022 version introduces Annex A 5.7 as a brand-new organisational control. It isn’t just an update of an old rule; it is a completely new requirement designed to make organisations more proactive. According to Hightable.io, the introduction of this control recognises that to protect your assets effectively, you need to understand the motives, tools, and methods of the people trying to attack you.

What is ISO 27001:2022 Annex A 5.7?

The essence of Annex A 5.7 is the requirement to collect and analyse information about information security threats. The goal is to gain “intelligence” so that the organisation can take appropriate action to mitigate risks. This isn’t just about reading the news; it’s about a structured process of gathering data to inform your security decisions.

This intelligence is typically broken down into three levels:

  • Strategic: High-level information about the changing threat landscape, such as the types of attackers active against your sector or industry-wide trends.
  • Tactical: Information about the tactics, techniques, and procedures (TTPs) and tooling that attackers are currently using.
  • Operational: Specific technical details of attacks, such as Indicators of Compromise (IoCs): malicious IP addresses, file hashes, or malware signatures.

Why the Change Was Necessary

The gap between 2013 and 2022 saw a massive spike in sophisticated cybercrime, state-sponsored attacks, and automated hacking tools. ISO realised that organisations could no longer sit back and wait for an incident to happen. By adding Annex A 5.7, the standard now requires you to look outward.

By implementing threat intelligence, you move from a “prevent and detect” mindset to a “predict and respond” mindset. It allows you to update your firewall rules, patch specific vulnerabilities, and train your staff on the exact types of phishing scams currently targeting your industry before they even hit your inbox.

How to Implement Annex A 5.7

Transitioning to the 2022 version means you need to establish a process for threat intelligence. You don’t necessarily need a massive team of analysts, but you do need a repeatable workflow. Hightable.io suggests that the process should involve several key stages: collection, processing, analysis, and communication.

First, identify your sources. These could be government alerts, industry forums, commercial threat feeds, or even open-source intelligence. Once you have the data, you need to process it to ensure it is relevant to your specific business. There is no point in worrying about Mac-based malware if your entire company runs on Windows.

Finally, the most important step is acting on that intelligence. This might mean updating your risk assessment, changing a configuration, or alerting your incident response team. If the information doesn’t lead to an action, it isn’t really intelligence—it’s just noise.
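To make the collection, processing, analysis and communication stages concrete, here is a small triage pipeline written as an added example for this article; it is not code from Hightable.io or from ISO, and the feed entries, asset inventory, confidence threshold and action-to-owner mapping are all constructed assumptions. It validates each feed item, drops entries that do not apply to the platforms the organisation runs (the "Mac malware on a Windows estate" case), deduplicates repeated reports, maps each surviving item to a defensive action with an owner, and emits timestamped evidence lines of the kind an auditor would expect to see.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# --- Collection: a constructed sample of what three feeds might deliver.
# Values are made up (RFC 5737 test addresses, dummy hashes); they are not real IoCs.
RAW_FEED = [
    {"source": "national-cert", "level": "operational", "type": "ipv4",
     "value": "203.0.113.45", "platforms": ["any"], "confidence": 85,
     "summary": "command-and-control host used in a phishing campaign"},
    {"source": "vendor-feed", "level": "operational", "type": "sha256",
     "value": "0f" * 32, "platforms": ["macos"], "confidence": 90,
     "summary": "macOS infostealer sample"},
    {"source": "vendor-feed", "level": "operational", "type": "sha256",
     "value": "ab" * 32, "platforms": ["windows"], "confidence": 40,
     "summary": "suspected loader, low confidence"},
    {"source": "industry-forum", "level": "tactical", "type": "ttp",
     "value": "macro-enabled invoice attachments", "platforms": ["windows"],
     "confidence": 80, "summary": "phishing lure seen across the sector"},
    {"source": "national-cert", "level": "strategic", "type": "trend",
     "value": "ransomware targeting mid-size manufacturers", "platforms": ["any"],
     "confidence": 70, "summary": "quarterly landscape report"},
    {"source": "industry-forum", "level": "operational", "type": "ipv4",
     "value": "203.0.113.45", "platforms": ["any"], "confidence": 60,
     "summary": "same C2 host, duplicate report"},
    {"source": "industry-forum", "level": "operational", "type": "ipv4",
     "value": "not-an-ip", "platforms": ["any"], "confidence": 95,
     "summary": "malformed entry"},
]

# Constructed asset inventory: the platforms this organisation actually runs.
INVENTORY = {"platforms": {"windows", "linux"}, "sector": "manufacturing"}
MIN_CONFIDENCE = 50          # assumed threshold, tune to your own risk appetite
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass(frozen=True)
class Indicator:
    source: str
    level: str
    type: str
    value: str
    summary: str


def is_well_formed(item):
    """Processing step 1: reject entries whose value does not match its declared type."""
    if item["type"] == "ipv4":
        try:
            ipaddress.IPv4Address(item["value"])
            return True
        except ValueError:
            return False
    if item["type"] == "sha256":
        return bool(SHA256_RE.match(item["value"]))
    return bool(item["value"].strip())


def is_relevant(item, inventory=INVENTORY):
    """Processing step 2: keep only intelligence that applies to this environment."""
    platforms = set(item["platforms"])
    return "any" in platforms or bool(platforms & inventory["platforms"])


def process(feed, inventory=INVENTORY, min_confidence=MIN_CONFIDENCE):
    """Validate, filter and deduplicate; for repeated (type, value) pairs keep
    the highest-confidence report so the best source is the one on record."""
    best = {}
    for item in feed:
        if not is_well_formed(item) or item["confidence"] < min_confidence:
            continue
        if not is_relevant(item, inventory):
            continue
        key = (item["type"], item["value"])
        if key not in best or item["confidence"] > best[key]["confidence"]:
            best[key] = item
    return [Indicator(i["source"], i["level"], i["type"], i["value"], i["summary"])
            for i in best.values()]


# Analysis: map each (level, type) to a defensive action and an owner.
# This mapping is the example's own assumption, not something the standard prescribes.
ACTIONS = {
    ("operational", "ipv4"): ("add to egress/perimeter blocklist", "network-team"),
    ("operational", "sha256"): ("create EDR detection rule and retro-hunt", "soc"),
    ("tactical", "ttp"): ("run targeted awareness briefing; review mail filtering", "security-awareness"),
    ("strategic", "trend"): ("update risk assessment and treatment plan", "ciso"),
}


def analyse(indicators):
    """Turn each indicator into a tracked action; unmapped items go to manual
    triage rather than being silently dropped (intelligence without an action is noise)."""
    return [{"indicator": ind,
             "action": ACTIONS.get((ind.level, ind.type), ("manual triage", "soc"))[0],
             "owner": ACTIONS.get((ind.level, ind.type), ("manual triage", "soc"))[1]}
            for ind in indicators]


def communicate(actions, now=None):
    """Communication: emit audit-ready evidence lines (when, source, what, who)."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [f"{stamp} [{a['indicator'].level}] {a['indicator'].source}: "
            f"{a['indicator'].type}={a['indicator'].value} -> {a['action']} (owner: {a['owner']})"
            for a in actions]


def run_pipeline(feed=RAW_FEED):
    return communicate(analyse(process(feed)))


if __name__ == "__main__":
    for line in run_pipeline():
        print(line)
```

Run as-is, the pipeline keeps three of the seven constructed items: the malformed address and the low-confidence hash are rejected, the macOS sample is dropped as irrelevant to a Windows/Linux estate, and the duplicate C2 report collapses into the higher-confidence CERT entry. The evidence lines it prints are the sort of record the Documentation section below asks for, since each one ties a source to a decision, an owner and a timestamp.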


Documentation and Compliance

As with anything ISO-related, if it isn’t documented, it didn’t happen. To satisfy an auditor for Annex A 5.7, you will need to show evidence of your threat intelligence activities. This could include a Threat Intelligence Policy, records of meetings where threat data was discussed, or logs showing how technical controls were updated in response to a specific threat.

The move from the 2013 version to the 2022 version is a clear sign that the “standard” for security is rising. While Annex A 5.7 might feel like an extra burden at first, it is actually one of the most practical tools in the 2022 toolkit for keeping your organisation safe in an increasingly hostile digital world.