
Control 5.7: Threat Intelligence


Summary

This control requires the organization to collect and analyze information regarding information security threats. By maintaining awareness of the threat landscape, the organization can implement proactive measures to mitigate risks before they result in a compromise.


Applicability

In-Scope: Essential for moving from a reactive to a proactive security posture. This is highly applicable for organizations managing cloud infrastructure or sensitive data that are targeted by evolving cyber-attack techniques.

Out-of-Scope: The scope can only be reduced for very small organizations with limited exposure; even then, basic threat awareness remains a requirement for any risk-based ISMS.


Implementation Guidance

Microsoft 365 / Entra ID

  • Data Collection: Enable Microsoft Sentinel to aggregate threat data from internal sources (Microsoft 365 logs) and external threat feeds.

  • Analysis: Use Microsoft Defender for Endpoint and Defender for Office 365 to automatically correlate local activity with global threat intelligence.

  • Operationalizing: Configure Security Playbooks in Sentinel to automate responses (e.g., blocking an IP address) based on high-confidence threat indicators.
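The three steps above (collect, analyze, operationalize) come down to one pipeline: ingest a feed, keep only indicators that are both high-confidence and recent, match them against local logs, and turn the survivors into blocking rules. The script below is an added example, not code from this page or from Microsoft; it assumes a hypothetical CSV feed layout, a simplified key=value sign-in log format, and a generic deny-rule syntax, and the feed rows, log lines, thresholds (80 confidence, 30-day freshness window) and `run_pipeline`/`select_actionable` names are all constructed for illustration. The same confidence-and-age filter is what the "alert fatigue" audit question later on this page is asking about: a low-confidence or stale IOC is dropped before it reaches a playbook.

```python
"""Added example: operationalize a threat feed into high-confidence, recent IOCs.

Feed layout, log format, thresholds and rule syntax are assumptions for this
example, not any vendor's real schema.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample feed (hypothetical CSV layout; RFC 5737 documentation addresses).
FEED_CSV = """indicator,type,confidence,last_seen,source
203.0.113.7,ipv4,95,2024-05-01,vendor-bulletin
198.51.100.23,ipv4,40,2024-04-28,open-feed
mail-login-portal.example,domain,90,2024-02-01,isac
192.0.2.55,ipv4,85,2024-04-30,vendor-bulletin
"""

# Constructed sign-in log lines in a simplified key=value form (not Entra's real schema).
SIGNIN_LOGS = [
    "ts=2024-05-02T08:01:10Z user=alice@example.com ip=203.0.113.7 result=failure",
    "ts=2024-05-02T08:02:33Z user=bob@example.com ip=10.0.0.5 result=success",
    "ts=2024-05-02T08:05:41Z user=carol@example.com ip=192.0.2.55 result=success",
    "ts=2024-05-02T08:07:02Z user=dave@example.com ip=198.51.100.23 result=failure",
]

MIN_CONFIDENCE = 80  # assumed threshold for "high-confidence"
MAX_AGE_DAYS = 30    # assumed freshness window; stale IOCs mostly produce false positives


def load_feed(text):
    """Parse the CSV feed into dicts with typed confidence and last_seen."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "indicator": row["indicator"].strip(),
            "type": row["type"].strip(),
            "confidence": int(row["confidence"]),
            "last_seen": date.fromisoformat(row["last_seen"]),
            "source": row["source"].strip(),
        })
    return rows


def select_actionable(indicators, today, min_confidence=MIN_CONFIDENCE,
                      max_age_days=MAX_AGE_DAYS):
    """Keep indicators that are both high-confidence and seen within the age window."""
    cutoff = today - timedelta(days=max_age_days)
    return [i for i in indicators
            if i["confidence"] >= min_confidence and i["last_seen"] >= cutoff]


def parse_log(line):
    """Split a key=value log line into a dict (tokens without '=' are ignored)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def match_logs(actionable, logs):
    """Correlate sign-in source IPs with the actionable IPv4 indicators."""
    watched = {i["indicator"]: i for i in actionable if i["type"] == "ipv4"}
    hits = []
    for line in logs:
        fields = parse_log(line)
        ioc = watched.get(fields.get("ip"))
        if ioc:
            hits.append({"user": fields.get("user"), "ip": fields["ip"],
                         "result": fields.get("result"),
                         "source": ioc["source"], "confidence": ioc["confidence"]})
    return hits


def block_rules(actionable):
    """Render deny rules in a generic illustrative syntax (an assumption, not a vendor's)."""
    return [f"deny src {i['indicator']}  # {i['source']} confidence={i['confidence']}"
            for i in actionable if i["type"] == "ipv4"]


def run_pipeline(feed_text=FEED_CSV, logs=SIGNIN_LOGS, today_iso="2024-05-02"):
    """Collect -> analyze -> operationalize, with a fixed 'today' for reproducibility."""
    indicators = load_feed(feed_text)
    actionable = select_actionable(indicators, date.fromisoformat(today_iso))
    return {
        "loaded": len(indicators),
        "actionable": [i["indicator"] for i in actionable],
        "hits": match_logs(actionable, logs),
        "rules": block_rules(actionable),
    }


if __name__ == "__main__":
    result = run_pipeline()
    print(f"{result['loaded']} indicators loaded, {len(result['actionable'])} actionable")
    for hit in result["hits"]:
        print(f"match: {hit['user']} from {hit['ip']} ({hit['source']}, conf={hit['confidence']})")
    for rule in result["rules"]:
        print(rule)
```

With the constructed data, two of the four indicators survive: the 40-confidence open-feed IP is discarded even though it appears in a failed sign-in, and the 90-confidence domain is discarded because it is three months old. Only the two remaining IPs generate matches and deny rules, which is the kind of evidence (feed received, filtered, integrated into a technical control) the checklist below asks for.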


Evidence Checklist

  • Threat Intelligence Records: Evidence of receiving and reviewing threat bulletins or feeds from reliable sources.

  • Risk Assessment Updates: Documentation showing that the internal risk register has been updated in response to new threat trends.

  • Technical Controls: Proof that threat indicators (IOCs) have been integrated into firewall, EDR, or email filtering rules.


Practical Audit Advice

Here are some questions the auditor might ask:

  • What specific sources (e.g., CISA, vendor bulletins, ISACs) does the organization use to gather tactical and strategic threat intelligence?

  • How is threat information communicated to relevant technical teams to ensure timely mitigation?

  • Can you demonstrate an instance where a change in your security configuration was driven by a specific threat intelligence report?

  • How do you evaluate the relevance and reliability of the threat data you receive to avoid alert fatigue?