The new version of the ISO27002 information security controls standard was published in February 2022 and will be incorporated into the ISO27001 requirements standard during the year as a replacement Annex A. The new set contains eleven controls that we haven’t seen before and in this series of blogs we’re looking at some of these in turn to understand what they are about and what an auditor might expect to see in future. In this blog, we’re examining the subject of threat intelligence.
Basically this is about understanding more about the people and groups out there who might wish your organization harm, and the ways in which they might achieve it. You can see how this would be useful, both in terms of assessing risk and in making sure that controls are as effective as they can be. Threat intelligence is often approached at three levels: strategic, tactical and operational.
An understanding of the general direction of travel of threats can help in deciding how the organization needs to change in order to stay as safe as possible over the longer term. So trends in how threats are evolving on a year-by-year basis can be helpful: is the threat from North Korea growing or declining? Are ransomware attacks increasing, becoming more sophisticated, or both? The best sources of information at this level are often annual reports issued by government agencies such as the UK National Cyber Security Centre or the EU’s ENISA, and commercial vendors with a good reputation in the cybersecurity marketplace, such as Mandiant or Sophos.
At the next level down we’re concerned with specific attackers or types of attackers and the tactics, techniques, and procedures (TTPs) that they are currently using to gain access to systems or otherwise pose a threat to our organization. Whilst we may not be dealing with a current attack, we need to know who is active and what their current methods of ingress are, as well as what kind of organization is their victim of choice at the moment. Knowing this information allows us to address any shortcomings in our defences, such as patching systems that are used as a way in.
At the lowest level we may be dealing with information about attacks that are ongoing, with victim organizations providing helpful information about what to look for to determine whether you too have been compromised (termed “indicators of compromise”). Of course, our organization itself may be the latest victim, in which case threat intelligence will work hand in hand with incident management to find out anything that will be of help in dealing with the incident.
In order to satisfy the needs at each level, information may be gained from many different sources. At the strategic level it is often annual “state of the nation” reports and presentations at conferences that provide the general lowdown on what is happening out there in cyberspace. As we become more specific, feeds such as blogs and newsletters are a good source of timely information, and at the operational end of the spectrum, memberships of information sharing partnerships and urgent alerts put out by agencies are a help, as well as information from your own systems such as security information and event management (SIEM). Sharing of information is generally seen to be a good thing, so it’s important to play your part in spreading the word when you become aware of an active threat.
In basic terms, the new control in ISO27002 (and soon to be ISO27001 Annex A) requires simply that “information relating to information security threats should be collected and analysed to produce threat intelligence”. But what would this look like in real terms, and what would an auditor expect to see?
Well, our first suggestion is that you should have a policy that sets out your general approach to threat intelligence, probably along the lines of the strategic/tactical/operational layer model. Following that up with a process document that explains how threat intelligence is planned, collected, analysed and communicated would be a good idea, possibly supported by more specific procedures in key areas. An auditor will want to see evidence of the production of threat intelligence, so a collection of relevant reports (both external and internally-produced ones) will be useful, along with examples of how the intelligence has been used to identify actions such as strengthening controls, applying patches and enhancing user awareness.
There’s a strong connection here with risk assessment and treatment and continual improvement, to name but two areas of the management system, so being able to show those links would be beneficial at audit time.
This control is very likely to be applicable to your organization (as listed in your statement of applicability) and it needn’t be a difficult control to implement. Having a basic method of collecting information on threats and turning it into a set of actions that you can take to reduce risk should meet the need. Threat intelligence is a fascinating topic so you may find yourself wanting to learn more about what’s going on out there.
As they say, knowledge is power!
Written by Ken Holmes CISSP, CIPP/E. Ken is an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.
CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.