Countdown to October 2025
As the cybersecurity landscape continues to evolve and become more complex, international regulations are similarly following suit to keep pace and set a benchmark to mitigate developing threats. Since 2005, ISO 27001 has set the standard for information security management systems (ISMS), designed to help organizations build resilience to cyberattacks, preparedness for new threats, and maintain data confidentiality, integrity, and availability. Compliance with ISO 27001 is incredibly important, as it demonstrates to third parties – whether they are customers, partners, or investors – that an organization has systems in place to manage risks related to data security.
ISO 27001:2022 is the latest update to the 2013 standard, and organizations have now been set a deadline to comply with the new requirements by the end of October 2025. While that may seem like a long time away, it really isn’t when you consider all the work that goes into the process of compliance: introducing additional controls, introducing new policies and procedures to document how you fulfill those controls, and having enough time to evidence that you have met the controls.
October 2025 will be around the corner before you know it, and while avoiding the regulatory risks of non-compliance is a strong motivator to make these changes now, going beyond basic compliance will be key to building resilience against emerging threats and preventing attacks before they happen.
The biggest changes in ISO 27001:2022
There are several changes in the 2022 update of the ISO 27001 standard. This includes some reformatting of controls that were already required in the 2013 version, but there are also some completely new thematic areas that organizations will now need to demonstrate their compliance against.
These additional requirements include (but are not limited to) data leak prevention, web filtering, business continuity of ICT systems, physical security monitoring, management of configuration changes, secure coding, and threat intelligence.
The threat intelligence requirement, which I’ll focus on here (Annex A, Control 5.7), may be a completely new area for some organizations that don’t already have processes in place to collect and analyze information about threats, so is worth paying specific attention to.
What is meant by threat intelligence in the ISO 27001:2022 standard?
The ISO 27001:2022 standard has very particular wording around the threat intelligence requirements: organizations have to be able to demonstrate a process for “collecting” and “analyzing” threat intelligence.
This means that the organization must understand:
- Which threat actors could target their organization.
- The threat models they need to apply to their systems.
- The vulnerabilities that exist in their systems.
- The exploits that exist and could be used against those vulnerabilities.
Organizations need to demonstrate that they collect information associated with each of these points and that the organization is able to analyze that intelligence, building it into threat assessments.
How can you gather threat intelligence?
Gathering robust and accurate threat intelligence will always require some form of software, and the software an organization will need to gather the necessary information about threats falls into two categories:
- Software that enables them to gather intelligence on threat actors – to facilitate understanding of who the business’s adversaries are, what they are doing, their motivations, and their capabilities.
- Software that gives them visibility into the threats within their IT estate – to identify the vulnerabilities that exist and could be potentially exploited by the threat actors they have identified.
Ideally, an organization will have software that combines these two elements – that can map all of the IT real estate, associate it with the vulnerabilities that exist, knowledge about how it could be exploited, and intelligence on the threat actors who could attempt to exploit those vulnerabilities.
One of the challenges of compliance is ensuring all of the policies, processes, and procedures are well documented and – critically – that the organization can evidence them. This is where a robust threat intelligence platform can have a great impact.
Organizations should look for a threat intelligence platform that meets both the “collection” and “analysis” stipulations, ideally in an automated manner – continuously gathering threat intelligence, analyzing it, and presenting it to the end user in a non-technical format that makes it easy to make accurate and timely risk-based decisions. Threat intelligence can be a labor-intensive job, particularly with the sheer number and variety of threats that even a mid-sized organization may face, so taking advantage of automated features will be invaluable to your cybersecurity team.
These tools will allow you to demonstrate that you are able to quickly identify threats that could impact your business. For example, using a platform that can identify any staff credentials that are being sold or leaked, will evidence that you have the visibility needed to quickly take mitigative action against that risk.
It’s also vital to show that you have full visibility of your IT infrastructure, all of the vulnerabilities that exist, and the known exploits that exist for those vulnerabilities. This enables you to take (and demonstrate) a risk-based approach to remediation.
Going beyond compliance
It is worth emphasizing that passing an audit should never be the end goal of implementing new security controls such as threat intelligence. Standards like ISO 27001:2022 provide a helpful framework and are important for ensuring a minimum level of security. However, all organizations should strive to implement controls that go beyond the “minimum” and truly have an impact in protecting their organization’s infrastructure, data, employees, customers, and partners. Meeting the new ISO requirements for threat intelligence is a great first step, and 2025 will come around faster than you think, so organizations should be starting now if they haven’t already. Putting the necessary platforms in place to give you visibility and understanding of the threats your organization faces will be one of the most impactful steps you can take on your security journey.
About the Author
Dr Nick Savage has over 25 years of experience in cybersecurity and is currently the Head of Infrastructure, Security and Compliance at Searchlight Cyber. Nick is responsible for Searchlight’s governance and compliance and this involves maintaining Searchlight’s Information Security Management System. At Searchlight, Nick ensures that their systems and processes are compliant with the UK’s Cyber Essentials scheme, ISO 27001: 2022 and the Common Criteria in SOC 2.
Prior to joining Searchlight, Nick was the Head of the School of Computing at the University of Portsmouth, where he led a team of approximately 100 staff and researchers and participated in large UK and EU cyber security projects such as Foresight and CyberTrust. As a part of this, Nick was recognized for his contributions to cybersecurity by a special award from IBM. Between 2016 and 2021 Nick was a member (eventually vice-chair) of the Council of Professors and Heads of Computing in the United Kingdom and worked with the UK Office of Cyber Security and Information Assurance in the Cabinet Office to embed cybersecurity into the curriculum of computer science degrees. Nick has also been a speaker for the UK’s NCSC CyberFirst program, a keynote speaker for various international conferences and for industry events run by ESET and Accenture. Nick was a member of the DG CONNECT Working Group developing the EU Directive 2016/1148 on the NIS Platform. Nick has been an academic advisor to the UK’s Commonwealth Scholarship Commission and an Academic Advocate for ISACA; reviewing CISA, CISM and CoBIT 4.0. Nick is a Fellow of the BCS, The Chartered Institute for IT and a Chartered Engineer (CEng). Find out more at https://www.slcyber.io/
