GOV-018 Threat Intelligence Program
Description
The organization collects, analyses, and acts on threat intelligence relevant to its technology stack, industry, and geographic footprint. Intelligence outputs are shared with relevant internal stakeholders and used to update risk assessments and controls.
Rationale
A threat-informed security posture allows the organization to prioritize controls against adversary techniques that are actually active in its environment rather than maintaining an undifferentiated control set.
Framework Mappings (4)
| Framework control | Title | Coverage |
|---|---|---|
| GRC-08 | Special Interest Groups | partial |
| 5.7 | Threat intelligence | full |
| PM-16 | Threat Awareness Program | full |
| CC3.4 | COSO Principle 9: Identifies and Analyzes Significant Change | partial |
Evidence (2)
Threat intelligence report or briefing documenting collected intelligence, analysis, and dissemination to relevant internal stakeholders.
Example: Monthly or quarterly threat intelligence report (internal Confluence report or PDF export from threat intel platform such as Recorded Future, MISP, or equivalent), showing: sources consumed, relevant threats identified, analysis, and distribution to named internal stakeholders.
Test: Request the last two threat intelligence reports. Verify: (1) reports are produced within the defined cadence, (2) at least two threat intelligence sources are referenced, (3) findings are analyzed for relevance to the organization's technology stack, (4) the report was distributed to named security, engineering, or risk stakeholders — confirm via email or meeting record.
Record showing threat intelligence outputs were used to update the risk assessment or triggered a control change.
Example: Risk register update record or Jira ticket (linked to a threat intel finding) showing: the threat identified, the date it was fed into the risk register or triggered a control review, and the named analyst who acted on it.
Test: Select a finding from a recent threat intelligence report. Trace it to the risk register or a change/control ticket. Verify: (1) the threat is recorded in the risk register or triggered a documented review, (2) an owner and date are recorded, (3) the response action (accept, mitigate, monitor) is documented.
Questions (2)
Does your organization have a defined threat intelligence program that collects, analyses, and disseminates threat intelligence to relevant internal stakeholders?
The program should produce documented intelligence outputs (reports or briefings) on a defined cadence, referencing at least two sources and showing distribution to security, engineering, or risk stakeholders.
How does your organization act on threat intelligence findings to update risk posture or controls?
A traceable link between an intelligence finding and a risk register entry or change ticket is the expected evidence — demonstrating closed-loop action.