ISO 27001 and Threat Intelligence
May 10, 2024
ISO 27001 is an international standard that provides guidelines for establishing, implementing, maintaining, and continually improving an information security management system – ISMS.
One of the key aspects of ISO 27001 is Annex A, which outlines a set of controls to address various information security risks. In the 2022 revision of ISO 27001, Annex A introduced Control 5.7: Threat Intelligence.
What Is Threat Intelligence?
Threat intelligence involves the collection, analysis, and contextualisation of information regarding existing or emerging threats that could impact an organisation. The goal is to provide organisations with a deeper understanding of cyber threats, enabling them to take informed actions for threat prevention or mitigation. Here are some key points about threat intelligence:
- Understanding Cyber Threat Landscape and adversaries playbooks: Strategic and Operational TI helps organisations identify the mindset and possible plans of attackers, tactics, techniques, and procedures (TTPs) that they use to achieve their goals (like entry into networks or compromise their targets, steal the data, etc). By understanding the anatomy of threats and their trends, organisations can better defend against specific attacks.
- TI Data Analysis, Contextualisation and Attribution: Tactical and Technical TI informs organisations about how hackers might attack them, sheds light on the instruments and exact resources attackers use and how can they be detected (Indicators of compromise). Gives the available context for each indicator of compromise and it’s attribution to the specific adversary. This knowledge helps organisations detect and mitigate attacks, understand the potential impact of a breach and take appropriate measures.
- Multiple TI sources: Valuable TI data can be gathered from multiple types of sources, it could be community-based sources, like social networks and repositories, where data published by individual experts or groups of experts. Lot’s of TI data provided by specialised TI companies laboratories like Intel 471, Recorded Future, Flashpoint, RST Cloud, and others.
ISO 27001 Annex A Control 5.7: Threat Intelligence
ISO 27001:2022 Annex A Control 5.7 aims to equip organisations with insights into both existing and emerging threats. Its objective is to guarantee that organisations understand their threat landscape, enabling them to establish mechanisms for collecting and analysing these threats. This enables them to determine appropriate actions to safeguard their information security.
One of the new key controls recommended by the Standard (ISO 27001:2022 Annex A control 5.7) is the utilisation of threat intelligence to assess your threat landscape, identify emerging threats and vulnerabilities, and potential attack vectors. The standard mandates that organisations regularly review and update their risk assessments based on the latest threat intelligence.
This works through:
- Collect and Analyse Multiple Threat Data: Organisations must collect and analyse information related to information security threats from multiple sources. This includes monitoring threat feeds, analysing attack patterns, and staying informed about the latest vulnerabilities.
- Prioritise and Identify Applicable Threats: Based on the collected data, organisations identify which threats apply to their specific context. Not all threats are relevant to every organisation, so this step ensures a targeted approach.
- Develop Appropriate Defences: Once the threats are identified, organisations develop appropriate defences. These may include implementing technical controls, updating policies, and enhancing incident response procedures.
- Maintain Security Posture: Annex A Control 5.7 helps organisations maintain an appropriate security posture by ensuring they understand their threat landscape. This understanding allows them to respond effectively to adverse events.
CTI Lifecycle and KPI
By implementing an ongoing Cyber Threat Intelligence (CTI) process – Cyber Threat Intelligence Lifecycle – organisations can ensure the regularity and thoroughness of their threat analysis. This approach also leads to an improvement in the quality of data and enables quality control through feedback from TI data consumers. Possible Key Performance Indicators (KPIs) for CTI could include the Strategic Alignment Index (SAI), Data Source Coverage Rate, False Positive Rate, Actionable Intelligence Ratio, IoC Detection Rate, Threat Coverage and Attribution, ROI of CTI and the level of stakeholder satisfaction with the provided intelligence.
Conclusions
Threat intelligence is a critical component of information security. By proactively collecting and analysing threat data, organisations can better protect their assets, respond to incidents, and minimise the impact of cyber threats. ISO 27001 Annex A Control 5.7 provides a framework for achieving this goal.
Remember that threat intelligence is an ongoing process. Organisations should continuously monitor their threat environment, adapt their defences, and stay informed about emerging risks.
If you have any further questions or specific threat intelligence needs, feel free to Contact Us!