feat(iso27001-gap): add threat intelligence to risk register evidence gates#2710

Closed
zeroknowledge0x wants to merge 1 commit into UnitOneAI:main from zeroknowledge0x:improve/iso27001-gap-threat-intel-gates
@zeroknowledge0x

Summary

Adds structured threat intelligence to risk register evidence gates to the ISO 27001 gap analysis skill, addressing the gaps identified in #2704.

Changes

New: Threat Intelligence to Risk Register Evidence Gates (A.5.7)

Added six-element evidence flow framework:

| Element | Purpose |
| --- | --- |
| Intelligence Source | Documented source of threat intelligence |
| Relevance Decision | Documented assessment of whether intelligence applies |
| Risk Register Link | Traceable connection to risk register item |
| Treatment Owner | Named individual/role responsible for risk response |
| Residual Score Update | Risk score updated when threat landscape changes |
| Review Timestamp | When intelligence was reviewed and decision made |

False Positive Guidance

Added explicit guidance that advisory-only feeds are valid when:

  • Feed items are triaged in quarterly risk review workflow
  • Relevance decisions are documented even if no register entry created
  • Intelligence is assessed and determined not relevant

Missed Variant Detection

Added detection patterns for:

  • "Sector-specific ransomware advisory affects a critical supplier, but no risk register item or treatment decision is created"
  • "Threat feed severity changes from medium to critical, but risk register residual score and owner review stay unchanged"
  • "Intelligence from 6+ months ago is still the basis for risk decisions without freshness review"

Edge Case Handling

Added validity criteria for:

  • False-positive indicators
  • Duplicate feeds
  • Supplier-only exposure
  • Regional advisories
  • Expired intelligence windows

Remediation Quality Checklist

Added six-item checklist for threat intelligence improvement recommendations.

Testing

  • Verified SKILL.md syntax and structure
  • Confirmed all six evidence elements are documented
  • Validated edge case tables render correctly
  • Checked false positive guidance alignment with review feedback

Related Issues

Closes #2704

Checklist

  • Changes are scoped to the reviewed skill
  • False positive analysis addressed
  • Coverage gaps filled with detection patterns
  • Edge cases documented
  • Remediation quality improved with structured checklist
  • No new security issues introduced
  • No functionality broken

… gates

Add structured threat intelligence evidence flow framework to A.5.7:
- Intelligence Source: documented source of threat intelligence
- Relevance Decision: documented assessment of applicability
- Risk Register Link: traceable connection to register item
- Treatment Owner: named individual/role for risk response
- Residual Score Update: score updated when threat changes
- Review Timestamp: when intelligence was reviewed

Add false positive guidance for advisory-only feeds.
Add missed variant detection for supplier-specific advisories.
Add edge case handling for duplicate feeds, regional advisories.
Add remediation quality checklist for intelligence improvements.

Closes UnitOneAI#2704

Signed-off-by: ZKA SUPER <zeroknowledge0x@users.noreply.github.com>
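A checker for the six-element evidence gate and the three missed-variant patterns described in this PR, written as an added example rather than code from the skill or the repository. The record field names, the sample records and the 183-day approximation of the PR's "6+ months" freshness window are assumptions made here.

```python
from datetime import date

# The six evidence elements from the PR; source, decision and timestamp are always
# required, the register-side elements only when the decision is "relevant".
ALWAYS = ("intelligence_source", "relevance_decision", "review_timestamp")
IF_RELEVANT = ("risk_register_link", "treatment_owner")
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def check_record(rec, today, max_age_days=183):
    """Return gate findings for one threat-intel record; an empty list means it passes."""
    findings = [f"missing:{f}" for f in ALWAYS if not rec.get(f)]
    # An advisory-only feed is acceptable when triage documented a "not relevant" decision.
    if rec.get("relevance_decision") == "relevant":
        findings += [f"missing:{f}" for f in IF_RELEVANT if not rec.get(f)]
    # Missed variant: feed severity rose but the residual score was not updated afterwards.
    before, now = rec.get("severity_before"), rec.get("severity_now")
    reviewed, updated = rec.get("review_timestamp"), rec.get("residual_score_update")
    if before and now and SEVERITY[now] > SEVERITY[before]:
        if updated is None or (reviewed and updated < reviewed):
            findings.append("severity_change_without_residual_update")
    # Missed variant: intelligence older than the freshness window with no re-review.
    if reviewed and (today - reviewed).days > max_age_days:
        findings.append("stale_intelligence")
    return findings

def check_register(records, today):
    """Map record id -> findings, keeping only records that fail a gate."""
    return {r["id"]: f for r in records if (f := check_record(r, today))}

# Constructed sample records: the PR's missed variants plus one valid advisory-only case.
SAMPLE = [
    {"id": "TI-1", "intelligence_source": "sector ISAC ransomware advisory",
     "relevance_decision": "relevant", "review_timestamp": date(2026, 5, 20),
     "severity_before": "high", "severity_now": "high"},       # no register link, no owner
    {"id": "TI-2", "intelligence_source": "vendor feed", "relevance_decision": "relevant",
     "risk_register_link": "RR-017", "treatment_owner": "CISO",
     "review_timestamp": date(2026, 6, 1), "residual_score_update": date(2026, 3, 2),
     "severity_before": "medium", "severity_now": "critical"},  # score not re-scored
    {"id": "TI-3", "intelligence_source": "regional CERT advisory",
     "relevance_decision": "not relevant", "review_timestamp": date(2026, 4, 10)},  # valid
    {"id": "TI-4", "intelligence_source": "OSINT report", "relevance_decision": "relevant",
     "risk_register_link": "RR-003", "treatment_owner": "IT Ops",
     "review_timestamp": date(2025, 10, 1)},                    # older than 6 months
]

if __name__ == "__main__":
    for rid, found in check_register(SAMPLE, date(2026, 6, 16)).items():
        print(rid, found)
```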
github-actions bot added the needs-approved-issue label (PR has no linked maintainer-approved issue) on Jun 16, 2026
@github-actions


Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

github-actions bot closed this on Jun 16, 2026
Development

Successfully merging this pull request may close these issues.

[REVIEW] iso27001-gap: add threat intelligence to risk register gates

1 participant