A.5.7 Threat Intelligence
What is A.5.7 Threat Intelligence?
ISO 27001 control A.5.7 Threat Intelligence ensures the organisation collects, analyses, and responds to information security threats to produce actionable threat intelligence at strategic, tactical, and operational levels. Strategic intelligence informs risk management, tactical intelligence identifies TTPs and vulnerabilities, and operational intelligence provides Indicators of Compromise for immediate blocking. For Microsoft 365 environments, this is implemented through Microsoft Sentinel with TAXII data connectors and Microsoft Defender Threat Intelligence integration.
How to implement A.5.7 in Microsoft 365
Implement A.5.7 by enabling Microsoft Threat Intelligence feeds and TAXII data connectors in Microsoft Sentinel. Configure Sentinel analytics rules to query Defender Threat Analytics for high-exposure threats.
Monitor FortiGuard threat subscriptions including AV, Web Filtering, and IPS across all managed FortiGate firewalls. Establish a Teams channel for automated security alerts and team acknowledgement.
Integrate tactical intelligence from MSTIC and FortiGuard Labs into Sentinel for automated correlation. Maintain a Threat Intelligence Register documenting validated strategic threats and risk updates. Cross-reference operational intelligence for immediate blocking in Defender for Endpoint and FortiGate.
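The "automated correlation" step above, as an added example that is not part of the original page or any Microsoft template: a scheduled Sentinel analytics rule query that matches active IP indicators from the TI connectors against outbound FortiGate traffic. It assumes FortiGate logs are ingested via CEF into CommonSecurityLog with DeviceVendor "Fortinet", and uses the classic ThreatIntelligenceIndicator table (workspaces migrated to the newer ThreatIntelIndicators table need the column names adjusted).

```kql
// Added example (not from the page): Sentinel scheduled analytics rule query.
// Matches active IP indicators from the TI feeds (TAXII / Microsoft TI connectors)
// against outbound traffic logged by FortiGate firewalls via CEF (CommonSecurityLog).
// Assumption: FortiGate events arrive with DeviceVendor = "Fortinet".
let dt_lookBack  = 1h;   // window of firewall traffic to check on each run
let ioc_lookBack = 14d;  // how far back to collect indicators
// Keep the latest version of each indicator; drop inactive or expired ones
let TI_IPs = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP);
TI_IPs
| join kind=innerunique (
    CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | where DeviceVendor =~ "Fortinet"
    | where isnotempty(DestinationIP)
    | extend CSL_TimeGenerated = TimeGenerated
  ) on $left.TI_ipEntity == $right.DestinationIP
// Only count a hit if the traffic occurred while the indicator was still valid
| where CSL_TimeGenerated < ExpirationDateTime
| project LatestIndicatorTime, Description, ThreatType, ConfidenceScore,
          TI_ipEntity, CSL_TimeGenerated, DeviceName, SourceIP, DestinationIP,
          DestinationPort, DeviceAction
// Rule entity mapping: IP -> DestinationIP, Host -> DeviceName
```

Schedule the rule to run hourly with a one-hour lookback so the traffic window matches `dt_lookBack`, and attach a playbook that posts each incident to the operational Teams channel; a DeviceAction of "deny" on a hit shows the FortiGate block already fired, while "accept" is the case that needs immediate follow-up.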
What an auditor checks for A.5.7
- Auditors will verify that Sentinel threat intelligence connectors are enabled and actively receiving feeds.
- They will check that analytics rules for threat notification exist and are enabled.
- Auditors will verify that FortiGuard subscriptions are active and current on all managed firewalls.
- They will review the operational Teams channel for evidence of alert posting and team responses.
- Auditors will examine the Threat Intelligence Register showing strategic threat assessments and risk actions.
- They will verify that analytics rules are generating detections demonstrating automation effectiveness.
M365 capabilities that implement this control
- Microsoft Sentinel with baseline M365 data connectors, RBAC, threat analytics, and operational monitoring
- Microsoft Purview Insider Risk Management
- Custom Sentinel analytics rules for organisation-specific threats