A.5.7 — Is threat intelligence collected, analysed and used to inform controls? (NEW in 2022)
Demonstrate that the organization systematically collects, analyzes, and operationalizes threat intelligence to proactively inform and adapt its security controls based on current and emerging threat landscapes.
Description
What this control does
This control requires organizations to establish and maintain a threat intelligence program that collects relevant security threat data from internal and external sources, analyzes this intelligence to identify applicable threats to the organization's context, and actively uses the findings to adjust security controls, risk assessments, and incident response capabilities. Threat intelligence sources may include industry-specific Information Sharing and Analysis Centers (ISACs), commercial threat feeds, open-source intelligence (OSINT), dark web monitoring, and internal telemetry from security tools. The process must be documented with clear roles, regular collection and analysis cycles, and a formal mechanism to translate threat intelligence findings into actionable control updates.
Control objective
What auditing this proves
Demonstrate that the organization systematically collects, analyzes, and operationalizes threat intelligence to proactively inform and adapt its security controls based on current and emerging threat landscapes.
Associated risks
Risks this control addresses
- Failure to detect emerging attack vectors and techniques actively used against similar organizations in the same sector
- Inability to prioritize vulnerability remediation based on actual threat actor exploitation trends rather than theoretical CVSS scores
- Deployment of security controls misaligned with the organization's actual threat profile, leading to inefficient resource allocation
- Delayed response to targeted campaigns or advanced persistent threats (APTs) specifically affecting the organization's industry
- Ineffective incident response due to a lack of current knowledge of threat actor tactics, techniques, and procedures (TTPs)
- Missed opportunities to implement preemptive defenses against known indicators of compromise (IOCs) circulating in threat intelligence communities
- Compromised security posture from outdated threat models that do not reflect current geopolitical, regulatory, or technological changes
Testing procedure
How an auditor verifies this control
- Obtain and review the documented threat intelligence program policy, including defined sources, collection frequency, analysis methodology, and dissemination procedures.
- Interview the threat intelligence lead or security team to identify all active threat intelligence sources (commercial feeds, ISACs, open-source, peer sharing arrangements) and verify subscriptions or memberships are current.
- Select a sample period (last 3-6 months) and request threat intelligence reports, briefings, or analysis documents produced during that timeframe.
- Trace three specific threat intelligence findings from the sample period to documented decisions: verify each finding was analyzed for applicability to the organization's environment and resulted in a recorded action or justification for no action.
- Review change management or security control update records to confirm at least two instances where threat intelligence directly informed control modifications, new implementations, or configuration changes.
- Examine risk assessment documentation to verify incorporation of current threat intelligence, including references to specific threat actors, campaigns, or vulnerabilities relevant to the organization's sector.
- Test operationalization by selecting three current indicators of compromise (IOCs) from recent intelligence feeds and verify whether they have been integrated into detection tools (SIEM rules, firewall blocks, EDR policies).
- Validate dissemination by confirming threat intelligence summaries are shared with relevant stakeholders (IT operations, incident response team, senior management) through documented communication channels or ticketing systems.
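The operationalization test above (take a handful of current IOCs and confirm they are present in SIEM rules, firewall blocks or EDR policies) is easy to get wrong by hand: feeds usually ship indicators defanged (`[.]`, `hxxp`), hashes differ in case between sources, and an IP may be covered by a CIDR block rather than an exact entry. The script below is an added example and not part of the control text or any audit toolkit; it uses constructed sample data on RFC 5737 and `example.com` ranges, and the rule/blocklist formats are hypothetical simplifications of tool exports. It normalizes each indicator and records which control covers it, producing the per-IOC evidence an auditor asks for, with uncovered indicators listed as gaps.

```python
"""Added example: check whether threat-feed IOCs have been operationalized
in detection tooling. All data below is constructed (RFC 5737 addresses,
example.com); the SIEM_RULES, FIREWALL_BLOCKS and EDR_HASH_BLOCKLIST
structures are hypothetical stand-ins for real tool exports.
"""
import ipaddress
import re

# Constructed IOC feed entries. Feeds commonly "defang" indicators so they
# cannot be clicked by accident; refang() undoes that before matching.
FEED_IOCS = [
    {"type": "domain", "value": "malicious-update[.]example[.]com"},
    {"type": "ip", "value": "203.0.113.45"},
    {"type": "ip", "value": "198.51.100.7"},
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"type": "url", "value": "hxxps://cdn[.]example[.]net/payload.bin"},
]

# Constructed detection controls, as an auditor might receive them.
SIEM_RULES = [
    "title: Known C2 domain\n  condition: dns.query endswith 'malicious-update.example.com'",
    "title: Payload download\n  condition: url contains 'cdn.example.net/payload.bin'",
]
FIREWALL_BLOCKS = ["203.0.113.0/24", "192.0.2.10"]   # CIDR or single host
EDR_HASH_BLOCKLIST = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def refang(value: str) -> str:
    """Undo common feed defanging ([.] -> ., hxxp -> http) and normalize case."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.strip().lower()


def ip_blocked(ip: str, blocks) -> bool:
    """True if the address falls inside any firewall block entry (host or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in blocks)


def coverage_for(ioc: dict) -> list:
    """Return the names of the controls in which this IOC is operationalized."""
    value = refang(ioc["value"])
    covered = []
    if ioc["type"] == "ip" and ip_blocked(value, FIREWALL_BLOCKS):
        covered.append("firewall")
    if ioc["type"] == "sha256" and value in EDR_HASH_BLOCKLIST:
        covered.append("edr")
    if ioc["type"] in ("domain", "url"):
        # SIEM rules usually match on host/path, so drop the URL scheme.
        needle = re.sub(r"^https?://", "", value) if ioc["type"] == "url" else value
        if any(needle in rule.lower() for rule in SIEM_RULES):
            covered.append("siem")
    return covered


def coverage_report(iocs=FEED_IOCS) -> dict:
    """Map each normalized IOC to the controls covering it; an empty list is a gap."""
    return {refang(i["value"]): coverage_for(i) for i in iocs}


def gaps(iocs=FEED_IOCS) -> list:
    """IOCs from the feed that no reviewed control currently acts on."""
    return [value for value, controls in coverage_report(iocs).items() if not controls]


if __name__ == "__main__":
    for value, controls in coverage_report().items():
        status = ", ".join(controls) if controls else "NOT OPERATIONALIZED"
        print(f"{value:45} {status}")
    print("gaps:", gaps())
```

Each uncovered indicator should map to either a control change or a recorded justification for no action, which is exactly the evidence trail the tracing steps earlier in this procedure require; the report output is a convenient artifact to attach to that record.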