Annex A Controls Explained
ISO 27001 Control 5.7 Threat Intelligence
ISO 27001 Control 5.7 encourages businesses to collect, analyse, and apply intelligence on current and emerging security threats, enabling organisations to make informed decisions to safeguard their systems and data.
Last Updated: 11 May 2026
Alan Parker, ISO 27001 Consultant & Internal Auditor,
Helping UK SMEs hit ISO 27001 in 90 days.
B.Sc (Hons) Information Systems · CISMP · ITIL Expert · 30+ years in IT governance and security.
ISO 27001 Control 5.7 Threat Intelligence: “Information relating to information security threats shall be collected and analysed to produce threat intelligence.”
https://www.iso.org/standard/27001
Key Takeaways
- Join some groups or threat intelligence feeds, record any reviews, and track any actions or risks that arise from your review. Job done.
- You don’t need a paid threat feed. NCSC, CiSP, and a few free sources cover most of what you need.
- The control isn’t about collecting threat information; it’s about analysing it and acting on it. A folder of unread advisories doesn’t satisfy the control.
- Threat intelligence has three layers (strategic, tactical, operational). Pick the layers that match the people in your business who’ll actually use them.
- 5.7 feeds your risk assessment under Clause 6.1. The two should be updated together rather than run as separate exercises.
Purpose of Threat Intelligence
Control 5.7 is one of the newer controls introduced in ISO 27001:2022. It requires you to collect and act on threat intelligence so that your view of risk stays current.
For smaller businesses without a dedicated security team or manager, the question isn’t whether to do this (you have to), but how to do it without paying for an enterprise threat feed you can’t justify.
This guide covers what the control actually wants, what constitutes good practice for a small business, and where to find free threat intelligence to help you.
The primary objectives of threat intelligence are to:
- Build awareness of the real-world threats that might apply to your business
- Obtain actionable insights that support proactively addressing any threats
You’ll notice a ‘Venn diagram’ overlap with other controls, such as 5.6 Contact with Special Interest Groups (a good source of threat intelligence), which we will look at. Few of the controls act in isolation, and 5.7 is no exception, but I want to stress that it’s not just about signing up for newsletters and forgetting about them; there are various layers we’ll look at.
Layers of Threat Intelligence
So, threat intelligence can be categorised broadly into three layers, each offering different insights. The layer is independent of the source or channel the intelligence arrives through; it describes the level at which the intelligence sits, from long-term trends down to today’s indicators. If you read through, it’ll become clearer.
1. Strategic Threat Intelligence
This layer covers the global trends and directions that shape the threat landscape and, in turn, your security strategy.
- A focus on broad trends and the overall threat landscape.
- Insights into attacker motivations, goals, and methods.
- Long-term security strategies.
For example, we are all affected by an increase in organised crime, with growing sophistication that we are trying to keep ahead of. There are state-sponsored attacks as well, so if you are part of a government or military supply chain, you may be considered a target.
AI is another good example of strategic threat intelligence; it’s something we are all running to keep up with, but frankly, it’s moving so fast that by the time you’ve evaluated the threat and written a policy, it’s already out of date.
2. Tactical Threat Intelligence
Here, we start to look more closely at imminent threats and technologies, such as types of ransomware attacks and exploits. At this layer we would look for threat intelligence around things like:
- Information about attacker methodologies, tools, and technologies.
- Specific types of attacks you need to actively prepare for.
I think this is the area that most people automatically think of when the term ‘threat intelligence’ is used – with people asking, what’s trending?
3. Operational Threat Intelligence
The final layer that organisations should be evaluating is the actual, here-and-now threats with the potential for imminent impact on your systems and data. For example, a new piece of malware spreading rapidly around the world: if we know about it in time, we can apply the counter-measures effectively.
So we would be looking for:
- Details of specific incidents and threats, including technical indicators and real-time insights from anti-malware and other providers.
- Actionable data on phishing campaigns, malware signatures, and other imminent risks.
If there’s an immediate vulnerability, then we need to know how to patch it quickly.
How to Implement Good Threat Intelligence
I’ve just outlined how threat intelligence comes in many levels, but building a threat intelligence framework involves several key activities:
1. Define what you need to know
I advise against just signing up for a load of internet lists and thinking you are done here. Work out clear goals for producing and applying threat intelligence that align with your organisational needs. So, take the layers I covered above, and ask yourself, ‘What do I need in this area?’ And the answer will vary depending on the nature of your organisation and the data it handles.
Look at your technology stack. If you, for example, are an AWS user, you’ll want to lean into that rather than Azure, etc.
Consider whether you are subject to regulatory requirements. GDPR is the obvious one, but there may be others, and there might be specific intelligence in those areas you want to keep on top of.
Finally, consider what makes you hot under the collar. After all, this is all about risk and trying to identify things before they happen, so if you are feeling vulnerable to ransomware, lean into that area.
The answers shape which sources are worth your time. Without this step, threat intelligence becomes “read everything”, and that means reading nothing, and it gets filed in your junk folder.
2. Identify a few good sources of information
Select just five or so sources of high-quality threat intelligence, such as industry forums, collaborative groups, and government advisories.
I’ll give you a list of sources in a moment, but there are three categories you should consider:
- National-level baseline: NCSC Weekly Threat Report. This is really non-negotiable for any UK business. It’s free, government-quality, and covers the threats that matter to most businesses.
- Sector or stack-specific: Vendor security advisories for your main tech stack (Microsoft, AWS, your main SaaS providers), plus a sector source if relevant.
- Peer-level practitioner discussion: CiSP, a sector ISAC if you’re regulated, or even an active practitioner Slack or LinkedIn group.
Don’t go crazy. A few things well monitored are better than twenty things barely considered.
3. Build the habit
Now, the trick here is to set aside time to actually read the above. It can be easier said than done, but it helps if you proactively book some time in your diary, or make it the first thing you do each Monday morning with your start-of-week coffee.
You don’t have to read everything. Start with the headlines, then move down if it resonates.
4. Capture into a log
Run a spreadsheet or something to capture any key findings you come across, so you don’t forget them and can find them later when you need to share the information or address it. But, if something does catch your attention, ensure it translates into an action that is recorded somewhere (who, what, when).
Risk assessments come through many channels, so if you identify something in your research which concerns you, capture it into the risk log, but make sure the source is identified. This way, the action gets prioritised alongside everything else, but you also track the source, so you know (and can evidence) that the process is working.
5. Share the responsibility
If you are a slightly larger team (e.g., you have a Dev lead and a Head of Infrastructure), you can share responsibilities to lighten the load a bit. You can even make it a standing agenda item on any meetings you might have, whereby you have a bit of a risk assessment and information exchange.
What this looks like in practice for a smaller company
Concretely, for a typical client, I’d advise:
- Subscribe to a few sites, such as the NCSC Weekly Threat Report, AWS Security Bulletins, and the Microsoft 365 Message Centre, and join the CiSP membership. Follow Bleeping Computer for general awareness.
- Time-box the commitment to 30 minutes every Tuesday morning for the InfoSec lead (often the CTO or Head of Operations in a company of this size).
- Log things in a Google Sheet in the ISMS folder. One row per item reviewed, even if the action is “no relevance”.
- Cross-check the risk register against the threat intelligence log from the past quarter. Update risks as the threat landscape shifts.
- Report it. Even a three-bullet email to the MD and senior team monthly or as part of your standard security review and update. Brief verbal update at the quarterly management review.
Free Threat Intelligence Sources
Here’s a non-definitive list of threat intelligence sources you can sign up to, shaped primarily (but not entirely) around UK sources.
| Source | What it provides | Best for | Cost | Frequency |
|---|---|---|---|---|
| NCSC Weekly Threat Report | UK government weekly summary of major threats and advisories. | Strategic and tactical intelligence; ideal SME baseline | Free | Weekly |
| NCSC Alerts and Advisories | Targeted alerts on specific vulnerabilities and active threats | Tactical and operational; act when issued | Free | As needed |
| CiSP (NCSC Cyber Information Sharing Partnership) | Government-backed peer threat intelligence platform | Tactical intelligence; UK-specific peer insights | Free (registration required) | Continuous |
| SANS Internet Storm Centre | Daily handler diaries and threat trend analysis | Tactical and operational; good for technical SMEs | Free | Daily |
| CISA Known Exploited Vulnerabilities Catalog | The US authoritative list of vulnerabilities being actively exploited | Tactical: cross-reference against your patching | Free | Updated as needed |
| Sector-specific advisories (e.g. FS-ISAC, H-ISAC bulletins) | Industry-specific threat intelligence | Strategic and tactical for regulated SMEs | Mostly paid (some free summaries) | Weekly/monthly |
| Vendor security advisories (Microsoft, Cisco, your specific stack) | Vendor-specific vulnerability and patch information | Operational; tied to your tech stack | Free | Continuous |
| MITRE ATT&CK framework | Catalogue of adversary tactics and techniques | Reference for understanding TTPs | Free | Reference resource |
| Regional Cyber Resilience Centres | Police-led regional UK guidance and alerts | Strategic and tactical for SMEs | Free | Periodic |
| Threat intelligence newsletters (Krebs on Security, Bleeping Computer, The Record) | Curated daily/weekly threat news | Strategic awareness for non-technical leads | Free | Daily/weekly |
Note: You don’t need all ten. Pick three or four that match your sector and stack, set up an email rule to surface them in a folder you’ll actually open, and make analysing them part of someone’s weekly task list.
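The CISA catalogue row above says “cross-reference against your patching”. That cross-check is easy to script once the feed is in a machine-readable shape, and doing so turns a long list into the handful of items that actually concern your stack. The following is an added example, not code from the article or the Iseo Blue toolkit. The field names (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`) follow the published KEV JSON feed; the CVE identifiers, vendors, dates and inventory below are constructed placeholders, and in practice you would load the live feed from cisa.gov instead of the inline string.

```python
"""Cross-reference a KEV-format catalogue against what you run and what you have patched.

Added example (not from the original article). Field names follow the CISA KEV
JSON feed; all entries, CVE IDs and the inventory are constructed placeholders.
"""
import json
from datetime import date

# Constructed sample in the KEV feed shape. The CVE IDs are placeholders, not real records.
KEV_SAMPLE = """
{
  "title": "constructed sample",
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-04-22", "dueDate": "2026-05-13", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2099-0003", "vendorProject": "Cisco", "product": "IOS XE",
     "dateAdded": "2026-04-25", "dueDate": "2026-05-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2099-0004", "vendorProject": "Atlassian", "product": "Confluence",
     "dateAdded": "2026-04-28", "dueDate": "2026-05-19", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed inventory: the (vendor, product) pairs this business actually runs,
# and the catalogue CVEs already confirmed as patched (placeholder IDs).
INVENTORY = {("Microsoft", "Exchange Server"), ("Microsoft", "Windows"), ("Cisco", "IOS XE")}
PATCHED = {"CVE-2099-0002"}


def load_kev(raw_json):
    """Return the list of catalogue entries from a KEV-shaped JSON document."""
    return json.loads(raw_json)["vulnerabilities"]


def outstanding_kev(entries, inventory, patched, today):
    """Return catalogue entries that apply to our stack and are not yet patched,
    most urgent first: overdue items, then ransomware-linked, then nearest due date."""
    hits = []
    for e in entries:
        if (e["vendorProject"], e["product"]) not in inventory:
            continue  # not in our stack: strategic awareness only, no action row needed
        if e["cveID"] in patched:
            continue  # already closed; the TI log still records it as evidence
        due = date.fromisoformat(e["dueDate"])
        hits.append({
            "cve": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "due": e["dueDate"],
            "overdue": today > due,
            "ransomware": e["knownRansomwareCampaignUse"] == "Known",
        })
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["due"]))
    return hits


if __name__ == "__main__":
    # Each line here is a candidate row for the TI log and, if relevant, the risk register.
    for h in outstanding_kev(load_kev(KEV_SAMPLE), INVENTORY, PATCHED, date(2026, 5, 12)):
        flag = "OVERDUE " if h["overdue"] else ""
        print(f'{flag}{h["cve"]} {h["product"]} due {h["due"]} ransomware={h["ransomware"]}')
```

The inventory is deliberately coarse (vendor and product, not version) because that is the level at which most SMEs can honestly say what they run; the point is to shrink the catalogue to the entries worth reading properly, not to replace your vulnerability scanner.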
What Auditors Look For
It’s not a heavy control, so don’t overcomplicate the evidence. But when the auditor asks how you do threat intelligence, you want six things ready:
- A source list with a short justification for each entry. Why this source, why for your business? “We read security newsletters” doesn’t pass; “NCSC for UK baseline, AWS bulletins for our stack, CiSP for peer signal” does.
- A log with dated entries covering the last few months. Auditors look at dates. If your most recent entry is from when you first set the spreadsheet up, you’ve got a problem.
- At least one example of threat intelligence driving a concrete action. A patch prioritised, a control tweaked, a risk register entry added, with the original source identifiable. This is the one that separates passing from a nonconformity.
- The topic appears in management review minutes. Not as a tick-box item, as a discussion with an outcome. This is where Clause 9.3 and Control 5.7 join up.
- A named owner. Even if it’s “the CTO does this on Tuesday mornings”, someone has to be accountable. “Everyone keeps an eye on it” fails immediately.
- A defined review cadence in your ISMS documentation. “Weekly” works. “Continuous” works if backed by automation. “Ad hoc” usually invites a finding.
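Most of the six checks above can be run against the log itself before the auditor does. The script below is an added example, not the article’s own template or anything from the Iseo Blue toolkit: it reads a log in the shape the article suggests (one row per item reviewed, including “no relevance” rows) and reports the gaps an auditor would find. The column names, the cadence and recency thresholds, and the sample rows are all constructed assumptions; map them to your own spreadsheet export.

```python
"""Self-check a threat intelligence log against the evidence an auditor asks for.

Added example (not from the original article). Column names, thresholds and the
sample rows are constructed; a real run would read the spreadsheet export.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample log: one row per item reviewed, even when the outcome is "no relevance".
TI_LOG_CSV = """date,source,item,relevance,action,owner,risk_ref
2026-03-03,NCSC Weekly Threat Report,Phishing campaign targeting UK SMEs,relevant,Reminder sent to staff; MFA check,CTO,R-12
2026-03-10,AWS Security Bulletins,Issue in a managed service we do not use,no relevance,,CTO,
2026-03-17,CiSP,Peer report of credential stuffing,relevant,Rate limiting reviewed on login,Head of Infra,
2026-03-24,NCSC Weekly Threat Report,Vendor advisory for our mail gateway,relevant,,,
2026-04-10,,Article about ransomware trends,relevant,Backup restore test scheduled,CTO,R-04
"""


def load_log(raw_csv):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(raw_csv)))


def audit_ti_log(rows, today, cadence_days=7, recency_days=14):
    """Return (severity, message) findings mirroring the auditor's checks:
    dated recent entries, a kept cadence, a source per row, an owner and action
    per relevant item, and at least one item linked to the risk register."""
    findings = []
    dates = sorted(date.fromisoformat(r["date"]) for r in rows)
    if not dates:
        return [("major", "Log is empty")]

    # Auditors look at dates: the most recent entry must be recent.
    if today - dates[-1] > timedelta(days=recency_days):
        findings.append(("major", f"Most recent entry is {dates[-1]}; no review in the last {recency_days} days"))

    # A documented weekly cadence with gaps of more than two cadences is not being kept.
    for earlier, later in zip(dates, dates[1:]):
        gap = (later - earlier).days
        if gap > cadence_days * 2:
            findings.append(("minor", f"{gap}-day gap between {earlier} and {later} exceeds the stated cadence"))

    linked_action = False
    for r in rows:
        if not r["source"].strip():
            findings.append(("minor", f"{r['date']}: source not recorded, so the process cannot be evidenced"))
        if r["relevance"] == "relevant":
            if not r["action"].strip() or not r["owner"].strip():
                findings.append(("major", f"{r['date']}: relevant item without a recorded action and owner"))
            elif r["risk_ref"].strip():
                linked_action = True  # the one example that separates passing from a nonconformity
    if not linked_action:
        findings.append(("major", "No entry links a relevant item to a risk register reference"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ti_log(load_log(TI_LOG_CSV), date(2026, 4, 14)):
        print(f"[{severity}] {message}")
```

Run it as part of the weekly slot and the quarterly risk-register cross-check; a clean run is itself a dated piece of evidence that the process is being worked, not just set up.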
None of this needs to be elaborate. Done well, this whole control runs on about an hour a week, max.
What to avoid
A few mistakes I have seen in organisations trying to over-engineer this:
Don’t pay for a commercial feed unless you have a specific reason to. There are loads of excellent feeds out there, but they’re priced for enterprises with security teams who can process the volume. An SME paying £15,000 a year for a feed they don’t have the bandwidth to consume is wasting money. NCSC plus your vendor advisories will cover 90% of what you actually need.
Don’t try to build “threat hunting”. Threat hunting is a mature discipline that requires tooling, telemetry, and analyst time. If your business has the capability to do it, you wouldn’t be reading this article. For everyone else, “monitor your endpoints with a decent EDR product and respond to alerts” is good enough.
Don’t conflate threat intelligence with monitoring. They’re different controls (5.7 vs 8.16). Threat intelligence is “what’s happening in the wider world that might affect us”; monitoring is “what’s happening inside our environment”. Both matter; they’re not the same. Auditors will check the distinction.
Common Issues I Find During Internal Audits
5.7 is one of those controls that’s pretty easy to meet, and pretty easy to mess up if you don’t formally record the outputs. With that in mind, here are a few things I see that trip people up:
Collection without analysis. The organisation has signed up to a dozen vendor newsletters. The emails arrive, sit unread in a shared inbox, and that’s it. Auditors will ask what insights you’ve drawn from your sources in the last quarter. “We’re subscribed to X” isn’t an answer; “we picked up advisory Y and acted on it by doing Z” is.
No link to the risk register. Threat intelligence and risk assessment are run as separate exercises. The threat landscape shifts, the risk register doesn’t. The control specifically expects these to inform each other, so a quarterly cross-check between your TI log and your risk register is worth the time.
No record of action taken. Even where threat intelligence is being read and acted on, there’s no documented trail. The intelligence prompted a patching decision or a control change, but the link isn’t recorded anywhere. Without that, you can’t evidence the control in the audit.
Treating it as a one-off. It’s really easy to do a lot of work once, create a report, send it out, and then lose interest. So, I’d strongly suggest ‘little and often’ is the best approach here. Don’t over-engineer it, but don’t ignore it either.
It’s an easy control to gloss over and not ask about too deeply. Not too long ago I was performing an internal audit for a UK-based technology company. They were really hot on their technical controls, but had poor evidence to demonstrate all the things happening around the technical side of things, and this was one of them. When I asked, they said, “Yeah, I keep an eye on news and events.” But when I pushed that little bit further and asked to see something (an email, a bookmarked page, anything), he drew a blank and couldn’t show me. That experience is easily avoided if you just make sure you have something to show, and then evidence the link back to the risks/actions you took as a result.
How does ISO 27001 Control 5.7 link to other clauses and controls?
As I mentioned earlier, there’s a lot of overlap and support between this control and others. They include:
- Clause 6.1 – Risk assessment (the upstream control that 5.7 feeds)
- Control 5.6 – Special interest groups (the channel)
- Control 8.8 – Technical vulnerabilities (tactical intelligence feeds here)
- Control 8.16 – Monitoring activities (where you act on operational intelligence)
- Control 5.25 – Assessment of security events (decision-making support)
- Clause 9.3 – Management Review (strategic intelligence reporting upward)
FAQs
What is the objective of Control 5.7 in ISO 27001?
The aim is to ensure that organisations gather and use threat intelligence to identify, assess, and respond to current and emerging information security threats. This helps you stay proactive rather than reactive in your security posture.
What exactly is “threat intelligence”?
Threat intelligence is the collection and analysis of information about potential or active threats. It can include:
- Cyber attack trends
- Vulnerabilities in software
- Insider threats
- Threat actor tactics, techniques, and procedures
It helps you understand risks and make informed security decisions.
Where can we get threat intelligence from?
The internet is awash with different sources, including:
- Government or industry advisories (e.g., NCSC in the UK)
- Commercial threat intelligence services
- Security vendors and tools (e.g., SIEM platforms)
- Open-source feeds
- Information sharing groups (ISACs, sector-specific forums)
How do we use threat intelligence in practice?
Use it to update risk assessments, adjust security controls or response plans, patch vulnerabilities more quickly and prepare for potential attack scenarios.
It should be shared internally with relevant teams to drive action.
Is threat intelligence only for large or technical organisations?
Not at all. Even small organisations benefit from basic threat awareness. You don’t need a dedicated team. Just start by subscribing to reliable security bulletins, training staff, and applying updates regularly.
Conclusion
Threat intelligence is one of the easier controls to meet. The enterprise framing around the topic (SIEM platforms, paid feeds, threat hunting, analyst teams) creates the impression that you need significant investment to satisfy the control. You don’t. Join some feeds, make some notes, take some actions. Done.
For most SMEs, threat intelligence is a 30-minute weekly habit. Pick three or four credible free sources, build a simple log of what you reviewed and what you did about it, connect the output to your risk register, and share the highlights with leadership monthly. That’s enough to satisfy the control and, more importantly, to make the business genuinely more aware of the threats that affect it.
The auditors I’ve worked with are noticeably more impressed by a small business doing this pragmatically than by an over-engineered process that nobody actually maintains. Keep it light, keep it deliberate, and keep the evidence as you go.
If you’d like a ready-made threat intelligence log template alongside the wider risk management documents, the Iseo Blue ISO 27001 Toolkit includes both. Or if you’d rather talk through which sources are most relevant to your sector and stack, the free 30-minute consultation is genuinely free and genuinely 30 minutes.
Author Background
This article was written by Alan Parker, an ISO 27001 consultant and founder of Iseo Blue Limited. He helps UK SMEs achieve certification in 90 days or less, often without a dedicated security team or a large budget.
With over 30 years in IT governance and information security, Alan works with software companies, IT service providers, managed service providers, and professional services firms across the UK, Europe, and internationally.
Qualifications: ITIL v3 Expert, ITIL v4 Bridge, PRINCE2 Practitioner. Named IT Project Expert of the Year (2024, UK). Alan writes in plain English for busy teams who need to get things done.
Connect on LinkedIn or Bluesky, or explore his free ISO 27001 tools and templates at iseoblue.com. B.Sc (Hons) Information Systems, CISMP certified.