
How to Audit ISO 27001 Annex A 8.6: Capacity Management


In this ultimate how to audit guide to ISO 27001 Annex A 8.6 Capacity Management, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 8.6 Capacity Management Audit Checklist

Auditing ISO 27001 Annex A 8.6 Capacity Management is a technical verification process that ensures information processing resources are proactively monitored and scaled. The primary implementation requirement is the establishment of resource thresholds and alerting; the business benefit is sustained system availability and the prevention of performance-related security incidents.

This technical verification tool is designed for lead auditors to confirm the continuous availability and performance of information processing facilities. Use this checklist to validate compliance with ISO 27001 Annex A 8.6.

1. Capacity Requirements Baseline Verified

Verification Criteria: Documented performance baselines and future capacity requirements exist for all critical information systems and infrastructure.

Required Evidence: Capacity Plan or System Design documents specifying CPU, RAM, storage, and network bandwidth thresholds.

Pass/Fail Test: If the organisation cannot produce defined capacity limits for production environments, mark as Non-Compliant.

2. Real-Time Resource Monitoring Confirmed

Verification Criteria: Technical monitoring tools are active and configured to track resource utilisation against established baselines.

Required Evidence: Live dashboard access or historical reports from monitoring software (e.g., Datadog, Nagios, Zabbix, or CloudWatch).

Pass/Fail Test: If critical servers or cloud instances are not being actively monitored for resource consumption, mark as Non-Compliant.

3. Capacity Threshold Alerting Validation

Verification Criteria: Automated alerts are configured to trigger when resource utilisation approaches or exceeds defined capacity limits (e.g., 80% disk usage).

Required Evidence: Configuration screenshots showing alert triggers and corresponding notification logs (email, SMS, or Slack).

Pass/Fail Test: If monitoring exists but lacks automated alerting for near-exhaustion of resources, mark as Non-Compliant.
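The three checks above (a documented baseline, active monitoring, and automated alerting) describe one mechanism. The following Python script is an added illustration, not code from this article or from any of the monitoring products named above: it models a per-resource capacity baseline, evaluates constructed utilisation samples against the "approaching" and "exceeded" thresholds, and reports the audit gaps an assessor would record when a resource is listed in the baseline but is either not monitored or monitored without an alert rule. Resource names, threshold percentages and samples are all constructed assumptions.

```python
"""Capacity threshold alerting checked against a documented baseline.

Added example for ISO 27001 Annex A 8.6 steps 1-3 (not from the article).
All baselines, resource names and utilisation samples are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    resource: str
    warn_pct: float   # utilisation at which the resource is "approaching" its limit
    crit_pct: float   # the defined capacity limit itself
    sustained: int    # consecutive samples required before an alert fires


# Step 1 evidence: the documented capacity baseline (constructed values).
BASELINES = {
    "disk:/var": Baseline("disk:/var", warn_pct=80.0, crit_pct=90.0, sustained=1),
    "cpu": Baseline("cpu", warn_pct=70.0, crit_pct=85.0, sustained=3),
    "mem": Baseline("mem", warn_pct=75.0, crit_pct=90.0, sustained=2),
}


def evaluate(resource, samples, baselines=BASELINES):
    """Return a list of (sample_index, level, value) alerts for a resource.

    A breach must persist for `sustained` consecutive samples before an
    alert is raised, so a single transient spike does not page anyone.
    """
    baseline = baselines.get(resource)
    if baseline is None:
        # Step 1 failure: utilisation data with no defined capacity limit.
        raise KeyError(f"no capacity baseline defined for {resource}")

    alerts = []
    warn_run = crit_run = 0
    for index, value in enumerate(samples):
        crit_run = crit_run + 1 if value >= baseline.crit_pct else 0
        warn_run = warn_run + 1 if value >= baseline.warn_pct else 0
        if crit_run >= baseline.sustained:
            alerts.append((index, "CRITICAL", value))
        elif warn_run >= baseline.sustained:
            alerts.append((index, "WARNING", value))
    return alerts


def coverage_findings(baselines, monitored, alert_rules):
    """List audit findings for baseline resources lacking monitoring or alerting.

    `monitored` is the set of resources the monitoring tool collects data for;
    `alert_rules` is the set of resources that have an automated alert configured.
    """
    findings = []
    for name in baselines:
        if name not in monitored:
            findings.append(f"{name}: no active monitoring (step 2 non-compliant)")
        elif name not in alert_rules:
            findings.append(f"{name}: monitored but no automated alert (step 3 non-compliant)")
    return findings


if __name__ == "__main__":
    # Constructed sample runs: disk filling steadily, CPU with a transient spike.
    print(evaluate("disk:/var", [60.0, 75.0, 82.0, 91.0, 93.0]))
    print(evaluate("cpu", [90.0, 90.0, 60.0, 72.0, 74.0, 76.0]))
    # Constructed inventory: mem is not monitored, cpu has no alert rule.
    print(coverage_findings(BASELINES, {"disk:/var", "cpu"}, {"disk:/var"}))
```

When reviewing real alert configuration, the same questions apply: is there a warning level below the hard limit, how long must a breach persist before notification, and does every resource in the capacity plan actually have a rule attached.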
