ISO 27001:2022's New Threat Intelligence Control and How to Master It

ISO 27001:2022 introduced a brand-new mandatory control that most organisations are failing. Here's why — and how continuous cyber risk quantification solves it.

The Control Nobody Saw Coming

When ISO 27001:2022 landed, most security teams focused on the restructured Annex A controls they already knew. But buried in the update was something entirely new: Control 5.7 — Threat Intelligence.

For the first time, ISO 27001 explicitly requires organisations to establish a structured process for collecting, analysing, and acting upon cyber threat intelligence (CTI). Not as a nice-to-have. As a certifiable control.

With nearly 100,000 ISO 27001 certificates active worldwide — and 81% of organisations either certified or planning certification — this isn't a niche problem. It's an industry-wide compliance gap hiding in plain sight.

What the Auditor Actually Wants

Control 5.7 demands CTI at three levels:

Level	Audience	What's Required
Strategic	Board & executives	Threat landscape trends, emerging risks, geopolitical context
Tactical	Security teams	Attacker methodologies, TTPs, tooling evolution
Operational	SOC / incident response	Specific indicators, active campaigns, real-time alerts

But here's the part most teams miss: collecting threat feeds isn't enough. Auditors expect documented evidence that your organisation:

1. Analyses intelligence for relevance to your specific risk profile
2. Records decisions made as a result (patch priorities, control changes, risk register updates)
3. Integrates findings into your formal risk treatment process
4. Reviews and updates the process continuously

In other words, subscribing to a MITRE ATT&CK feed and filing it in SharePoint won't pass the audit. You need to demonstrate that threat intelligence changes how you manage risk.

Why Most Organisations Are Failing

The uncomfortable truth? Most CTI programs look like this:

• A SIEM ingests threat feeds → alerts pile up, nobody triages them against business risk
• A quarterly report summarises "top threats" → generic, not contextualised to the organisation's actual attack surface
• No link to risk management → the risk register lives in a spreadsheet, updated annually, disconnected from live threat data
• No documented analysis → when the auditor asks "show me how this intelligence informed a risk decision," the room goes quiet

The result: organisations pay for threat intelligence platforms, tick the box on "we have CTI," and then fail the audit on the analysis, action, and integration requirements.

This happens because traditional CTI tools were built to feed SOCs, not to inform risk management. They answer "what's happening out there?" but not "what does this mean for us, in dollars?"

The Missing Link: From Threat Intelligence to Financial Risk

Control 5.7 doesn't exist in isolation. It's designed to feed into Clause 6.1 — Risk Assessment and Clause 8.2 — Information Security Risk Assessment. The intent is clear: threat intelligence should continuously inform how you assess and treat risk.

This is where most organisations hit a wall. Their CTI is technical (IOCs, CVEs, TTPs). Their risk register is qualitative (Red/Amber/Green). There's no translation layer between "a new ransomware variant is targeting our sector" and "our financial exposure just increased by $2.3M."

What if the translation happened automatically?

How Continuous Cyber Risk Quantification Closes the Gap

A platform that combines real-time threat intelligence with financial risk quantification doesn't just help you pass the audit — it makes Control 5.7 operationally valuable.

1. Automated CTI Collection and Contextualisation

Lightweight agents deployed across your IT/OT environment continuously ingest:

• Network telemetry and configuration data
• Infrastructure-as-Code (Terraform, AWS CloudFormation, Azure ARM templates)
• MITRE ATT&CK mappings against your actual attack surface
• Third-party risk signals from your supply chain

This isn't generic threat feed aggregation. It's CTI contextualised to your environment — exactly what the auditor wants to see.

2. From Threats to Dollars: FAIR-Based Quantification

Using the FAIR (Factor Analysis of Information Risk) methodology and Monte Carlo simulation, threat intelligence is automatically translated into:

• Annual Loss Expectancy (ALE) — expected yearly loss from each threat scenario
• Value at Risk (VaR) — probabilistic worst-case exposure at the 95th percentile
• Attack path analysis — which threat vectors produce the highest financial impact given your specific control environment

When a new threat emerges, it doesn't just appear as an alert. It appears as a dollar-denominated change to your risk profile, linked directly to the assets and controls it affects.

3. Crowd Forecasting: The Human Intelligence Layer

Automated feeds miss context that humans touch. A crowd forecasting engine lets pen testers, CTI analysts, engineers, and even peer organisations contribute predictions on:

• Breach likelihood for specific scenarios
• Attack vector effectiveness against specific control configurations
• Emerging threat relevance to specific industry verticals

These predictions are aggregated using Bayesian methods into a consensus signal that continuously updates your VaR. Participants with better predictive accuracy (measured by Brier scores) carry more weight — creating a self-improving intelligence system.

This is the "expert consensus aggregation" that auditors dream of: documented, quantified, and continuously validated.

4. Audit-Ready Evidence, Automatically

Every intelligence input, every analysis, every risk decision is logged:

• Strategic reporting: board-ready dashboards showing how the threat landscape affects financial exposure — updated in real-time, not quarterly
• Tactical documentation: which TTPs are relevant to your environment, which controls mitigate them, and the residual risk in dollars
• Operational trail: every agent scan, every crowd forecast, every VaR update — timestamped and traceable

When the auditor asks "show me how threat intelligence informed a risk decision," you don't scramble for meeting minutes. You show them a living system.

The Compliance Wedge That Becomes a Strategic Asset

Here's what makes Control 5.7 interesting from a business perspective: it's the first ISO 27001 control that explicitly bridges cybersecurity and enterprise risk management.

Organisations that treat it as a checkbox will spend money on CTI tools and still struggle at audit time. Organisations that treat it as an opportunity will build a continuous risk quantification capability that:

• Satisfies the auditor with documented, analysable, actionable threat intelligence
• Informs the board with dollar-denominated risk reporting (not traffic-light heatmaps)
• Reduces insurance premiums by providing underwriters with quantified risk data
• Accelerates compliance with overlapping regulations (SOCI Act, SEC Cybersecurity Rules, DORA)

The same platform that passes your ISO 27001 audit also produces the financial risk disclosures your board needs and the quantified data your insurer is starting to demand.

The Bottom Line

Control 5.7 exposed a gap that's been hiding in cybersecurity for years: we're drowning in threat data but starving for risk insight.

The organisations that will thrive aren't the ones with the most threat feeds. They're the ones that can answer, in real-time and in dollars: "Given what we know about the threat landscape right now, how much could we lose — and what should we do about it?"

That's not a compliance exercise. That's a competitive advantage.