#iso27002/2022/EN

## 5.7 Threat intelligence

#### Control

Information relating to information security threats should be collected and analysed to produce threat intelligence.

#### Purpose

To provide awareness of the organization’s threat environment so that the appropriate mitigation actions can be taken.

#### Guidance

Information about existing or emerging threats is collected and analysed in order to:

a) facilitate informed actions to prevent the threats from causing harm to the organization;
b) reduce the impact of such threats.

Threat intelligence can be divided into three layers, which should all be considered:

a) strategic threat intelligence: exchange of high-level information about the changing threat landscape (e.g. types of attackers or types of attacks);
b) tactical threat intelligence: information about attacker methodologies, tools and technologies involved;
c) operational threat intelligence: details about specific attacks, including technical indicators.

Threat intelligence should be:

a) relevant (i.e. related to the protection of the organization);
b) insightful (i.e. providing the organization with an accurate and detailed understanding of the threat landscape);
c) contextual, to provide situational awareness (i.e. adding context to the information based on the time of events, where they occur, previous experiences and prevalence in similar organizations);
d) actionable (i.e. the organization can act on information quickly and effectively).

Threat intelligence activities should include:

a) establishing objectives for threat intelligence production;
b) identifying, vetting and selecting internal and external information sources that are necessary and appropriate to provide information required for the production of threat intelligence;
c) collecting information from selected sources, which can be internal and external;
d) processing information collected to prepare it for analysis (e.g. by translating, formatting or corroborating information);
e) analysing information to understand how it relates and is meaningful to the organization;
f) communicating and sharing it to relevant individuals in a format that can be understood.

Threat intelligence should be analysed and later used:

a) by implementing processes to include information gathered from threat intelligence sources into the organization’s information security risk management processes;
b) as additional input to technical preventive and detective controls like firewalls, intrusion detection system, or anti malware solutions;
c) as input to the information security test processes and techniques.

The organization should share threat intelligence with other organizations on a mutual basis in order to improve overall threat intelligence.

# Related:

- [Threat Intelligence](../../../../../🎇%20Sparks/Threat%20Intelligence.md)
- [[ISO_27002_PE 5.7 Threat intelligence]]