ISO 27002 and Threat Intelligence: The New Security Standard

Posted: 4th February 2022
ISO 27002 and Threat Intelligence: The New Security Standard

In recent years, there has been an increased interest in threat intelligence and increased adoption of threat intelligence by security teams around the globe. According to the 2021 SANS Cyber Threat Intelligence (CTI) Survey, “there is significant growth among organizations that have just started standing up CTI programs in recent years” and steady adoption from organizations that are further along their CTI journey as well. 

While this growth is due to many reasons, leveraging intelligence enables security teams to be more informed, make faster decisions, and be able to identify and take action on threats more reliably. Threat intelligence is a primary driver in making an organization go from being reactive to proactive and it also helps inform the overall security strategy from the CISO all the way down to the analyst. 

“In performing cyber intelligence, we collect, compare, analyze, and disseminate information about threats and threat actors seeking to disrupt the cyber ecosystem, one of our most critical assets. Through cyber intelligence, we know ourselves and our adversaries better. And with that knowledge, we can proactively take steps to better understand risks, protect against threats, and seize opportunities.”

Carnegie Mellon Cyber Intelligence Tradecraft Report

This increased focus on and adoption of threat intelligence makes it easy to understand why some certification and compliance programs are either adding in sections on threat intelligence or doubling down on the benefits for security teams to implement it. Most recently, we saw the addition of threat intelligence in the well-known and highly regarded information security standard, ISO 27002, which will be released in March 2022.

Let’s take a deeper look at what ISO 27002 is, why the addition of threat intelligence matters, and why you should care.

What are the ISO 27000 standards and where does ISO 27002 come in?

Before diving right in, it’s important to understand that ISO 27002 is part of the broader ISO 27000 series of standards published by the International Organization for Standardization (ISO). The ISO 27000 series provides requirements for an information security management system (ISMS) through a set of over a dozen standards. Using the standards enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties.

ISO 27001 is the only global standard that helps organizations understand the various requirements of an information security management system (ISMS) and allows them to get their program ISO 27001 certified if all requirements are met. For reference, Recorded Future itself is ISO 27001 certified.

While ISO 27001 explains the requirements to have a certified ISMS, it relies heavily on ISO 27002. ISO 27002 goes deeper than the requirements and actually defines how the requirements and standards should be implemented by the organization. It also serves as a best practices guide for not just implementation but also how to best leverage the standards when they are put in place.

What’s up with the addition of threat intelligence to ISO 27002?

The recent update to ISO 27002 includes the addition of 11 brand new controls such as physical security monitoring, cloud security, web filtering, and… you guessed it! Threat intelligence.

The new ISO 27002 threat intelligence control is being implemented to help organizations collect and analyze “information relating to information security threats” with the overall purpose of “providing awareness of the threat environment that can impact the organization so that the organization can take appropriate mitigation actions”.

This control addition is incredibly important because it not only standardizes the need for threat intelligence but the intelligence being consumed will also help inform and enable the implementation of multiple other controls. For example the context and insights gained from consuming threat intelligence could inform cloud security strategies, identify vulnerabilities affecting supply chain partners, or even help detect and monitor physical and environmental threats.

To leverage threat intelligence properly, ISO recommends that organizations take into account all three layers of intelligence, strategic, tactical, and operational.

  • Strategic threat intelligence: exchange of high-level information about the changing threat landscape, e.g. types of attackers or types of attacks
  • Operational threat intelligence: information about attacker methodologies, tools and technologies involved
  • Tactical threat intelligence: details about specific attacks, including technical indicators

And arguably even more important, they mention that threat intelligence should be relevant, insightful, contextual, and actionable. All of these attributes are likely not something you will find from a free feed, list of indicators, or even a niche intelligence provider. When you start the process of evaluating intelligence providers, be sure to ask how their intelligence can provide all of these attributes and for examples of exactly how.

What are the benefits of the new threat intelligence control?

The primary purpose and goal of threat intelligence is to make security and risk teams across the organization more informed on the overall threat landscape, understand relevant threats earlier, and enable them to shift from a reactive security posture to a proactive one. To understand this a little deeper, here are some benefits that are gained by using intelligence across the three layers of intelligence:


  • Create a decision advantage by understanding the overall cyber and physical threat landscape, convergence of cyber and physical threats, threats and trends affecting your industry and peers, and relevant threats to your specific organization
  • Ability to make informed security architecture and budget decisions based on strategic priorities informed by intelligence
  • Creation and tracking of Priority Intelligence Requirements (PIRs) aligned to the organization’s security strategy and goals
  • Finished intelligence and ad-hoc tailored reporting to help decision-makers understand and prioritize risks and make better, more-informed decisions
  • Identification of emerging threats, TTPs, and threat groups of which the organization should be aware


  • Validated technical intelligence to understand specific attacks and the relationships between threat actors, indicators, and TTPs
  • Mapping threat intelligence to common frameworks like MITRE ATT&CK to classify behaviors, assess security gaps, and share intelligence with the cybersecurity community
  • Comprehensive intelligence from a diverse set of sources and languages to understand not just the technical details but all aspects of threats and emerging events


  • High fidelity Indicators of Compromise (IoC’s) integrated directly into security tools to enable analysts across all teams to have access to contextual intelligence in their established workflows
  • Ability to proactively hunt for indicators in your network using detection rulesets from hunting packages on threat actors and malware
  • Real-time insights into current and emerging threats to your and your peers

Ready to understand how to implement threat intelligence at your organization? Let Recorded Future help and show you how to get started. Request a demo today.