We often say that ISO27001 is all about risk management; it is, after all, a ‘risk-based’ management system. We discuss Risk Management elsewhere, but for this control it is important to remember what a risk actually is.
A risk arises when a threat exploits a vulnerability: no threat, no risk. This is why this new control is so important, because it emphasises the need to develop threat intelligence about the threats you actually face.
What does the standard require?
The standard states that “Information relating to information security threats shall be collected and analysed to produce threat intelligence.” (A5.7 Threat Intelligence)
There is a need to collect AND analyse information that will help you understand where your risks actually exist.
Why is this required?
As stated above, you can’t understand risks if you don’t understand both where you are vulnerable (i.e. where you are weakest) and what (or who) might do you harm (the threat).
It’s important because without understanding where the threat is coming from, you can’t truly be in control of your risks. A good analogy: if you were travelling to the South Pole, the biggest threat you might expect is the weather, but are there other threats too, such as polar bears? You might call these risks, but in truth they are threats, and you need to understand them and assess how vulnerable you are to them. From there, you would decide on suitable ‘controls’ (e.g. clothing, heated tents, a gun!).
Without threat intelligence you might prepare for polar bear attacks… but polar bears don’t live at the South Pole (they live in the Arctic, around the North Pole!), so you’d be preparing for a threat that doesn’t exist.
This is why Threat Intelligence is so important. It helps you to prepare for the REAL risks you might face.
What the auditor is looking for
This new control places further emphasis on you and your organisation to collect information from a variety of sources and then analyse this information to see if it is relevant to you.
You should break down your threat intelligence strategy into three layers:
· Strategic
· Tactical
· Operational
Strategic Threats
These are threats to your organisation as a whole, such as geopolitical, political, environmental (e.g. climate change) and financial threats. How will you know whether a war or natural disaster in a distant country will affect you? Have you considered this?
Tactical Threats
What tactics are hackers and cyber scammers using? We know these are evolving, but how does this affect you? Are they now targeting mobile devices? Apple products? Linux platforms? Are they changing tactics and using ‘quishing’ (QR-code phishing) rather than standard email phishing attacks? How would you know?
Operational Threats
Are you seeing increases in attacks on your firewalls? Are you seeing more errors and data breaches in one function rather than another? How would you know?
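“How would you know?” is the practical question for operational threat intelligence, and the usual answer is that someone (normally IT) has to pull the numbers out of your own logs. The script below is an added example, not code from the original page: it parses a handful of constructed firewall log lines (the format, the documentation IP addresses and the ‘deny’/‘allow’ actions are all assumptions for illustration, not a real vendor format), counts denied connections per day, flags a day whose count is at least double the baseline of the preceding days, and lists the sources responsible, including any single source probing many ports. The output is exactly the kind of evidence you would record in your operational threat intelligence spreadsheet and table at the Management Review.

```python
import re
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample firewall log lines for illustration only.
# Format is an assumed key=value style, not a specific vendor's.
# IP addresses are RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
2024-05-01T08:01:10Z action=deny src=203.0.113.5 dst=192.0.2.10 dport=22
2024-05-01T09:12:44Z action=allow src=198.51.100.7 dst=192.0.2.10 dport=443
2024-05-01T11:40:02Z action=deny src=203.0.113.9 dst=192.0.2.10 dport=3389
2024-05-02T02:15:31Z action=deny src=203.0.113.5 dst=192.0.2.10 dport=22
2024-05-02T14:22:09Z action=allow src=198.51.100.7 dst=192.0.2.10 dport=443
2024-05-02T17:05:00Z action=deny src=203.0.113.12 dst=192.0.2.10 dport=445
2024-05-03T03:30:12Z action=deny src=203.0.113.5 dst=192.0.2.10 dport=22
2024-05-03T03:30:13Z action=deny src=203.0.113.5 dst=192.0.2.10 dport=23
2024-05-03T03:30:14Z action=deny src=203.0.113.5 dst=192.0.2.10 dport=3389
2024-05-03T03:30:15Z action=deny src=203.0.113.5 dst=192.0.2.10 dport=445
2024-05-03T03:30:16Z action=deny src=203.0.113.5 dst=192.0.2.10 dport=8080
2024-05-03T03:30:17Z action=deny src=203.0.113.5 dst=192.0.2.10 dport=5900
2024-05-03T09:00:00Z action=allow src=198.51.100.7 dst=192.0.2.10 dport=443
2024-05-03T10:11:11Z action=deny src=203.0.113.20 dst=192.0.2.10 dport=22
"""

# Date is captured on its own so we can bucket by day; time is skipped.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ action=(?P<action>\w+) "
    r"src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict with day/action/src/dport, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def denied_records(log_text):
    """Yield parsed records for denied connections only, skipping unparseable lines."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "deny":
            yield rec


def denies_per_day(log_text):
    """Count denied connections per calendar day, ordered by date."""
    counts = Counter(rec["day"] for rec in denied_records(log_text))
    return dict(sorted(counts.items()))


def flag_increase(per_day, factor=2.0):
    """Compare the latest day against the mean of all earlier days.

    Returns None when there is no baseline to compare against.
    """
    days = sorted(per_day)
    if len(days) < 2:
        return None
    baseline = mean(per_day[d] for d in days[:-1])
    latest = per_day[days[-1]]
    return {
        "day": days[-1],
        "baseline": baseline,
        "latest": latest,
        "flagged": latest >= factor * baseline,
    }


def top_sources(log_text, day, n=3):
    """Most frequent source addresses among denials on the given day."""
    counts = Counter(rec["src"] for rec in denied_records(log_text) if rec["day"] == day)
    return counts.most_common(n)


def scanning_sources(log_text, day, min_ports=5):
    """Sources that were denied on at least min_ports distinct ports in one day,
    which is a simple indicator of port scanning."""
    ports = defaultdict(set)
    for rec in denied_records(log_text):
        if rec["day"] == day:
            ports[rec["src"]].add(rec["dport"])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    per_day = denies_per_day(SAMPLE_LOGS)
    print("Denied connections per day:", per_day)
    verdict = flag_increase(per_day)
    print("Increase check:", verdict)
    if verdict and verdict["flagged"]:
        day = verdict["day"]
        print("Top denied sources on", day, ":", top_sources(SAMPLE_LOGS, day))
        print("Possible port scanners on", day, ":", scanning_sources(SAMPLE_LOGS, day))
```

On the constructed data the third day carries seven denials against a baseline of two, so it is flagged, and one source is shown probing six different ports. Replace SAMPLE_LOGS with an export from your own firewall (adjusting LINE_RE to its format) and run it weekly; the point is that the “increase in attacks” question gets answered from evidence rather than impression.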
The auditor is looking for evidence that you are considering threats from all three levels. Your threat intelligence should be:
· Relevant & Contextual – in the context of your organisation and sector
· Insightful & Actionable – to allow your organisation to make decisions
The auditor is looking for evidence of a multi-layered approach to threat intelligence. Although it is not mandatory, we would advise you to write a ‘Threat Intelligence Strategy’ document (in Word) that outlines your approach to this important control.
As with A5.6 (Contact with Special Interest Groups), you should create a simple spreadsheet that allows you to capture strategic, tactical and operational intelligence. Record where each piece of information comes from and who owns that source of information.
You should also add ‘Threat Intelligence’ to your Management Review Team meeting agenda, to ensure that you are discussing Threat Intelligence in an open forum.
Q & A
Is this a mandatory control?
No control is truly ‘mandatory’, but it would be very difficult to explain why this control is ‘not applicable’ to your organisation.
All organisations face threats, and therefore having an approach to collect and analyse threat intelligence is applicable to you.
Is it possible to get this wrong?
Only if you ignore the control! You can also get it wrong by only focusing on operational threats. You need to consider the three levels of threats. We have also seen people try to collect too much information, which isn’t relevant or contextual for their organisation.
As always, start simple… your ‘Special Interest Groups’ will offer Strategic threat intelligence, so start there and develop your approach appropriately.
Difficulty rating
We rate this a 2 out of 5 for difficulty. This means that it requires a little technical skill to understand the requirement. You’re going to have to speak to various parts of the organisation, including IT, to know what is possible. This is especially true for operational threat intelligence.
More questions?
Just remember that nothing in ISO27001 sits in isolation, so you should review our FAQs to gain answers to other aspects of the standard, but if you’re still confused by how to implement an RBAC process or identify the key roles in your organisation, just get in touch and we’ll be happy to help.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.