ISO 27001 Annex A 8.6 Capacity Management

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Capacity Management

I am going to show you what ISO 27001 Annex A 8.6 Capacity Management is, what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it.

I am Stuart Barker the ISO 27001 Ninja and using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.

What is ISO 27001 Annex A 8.6 Capacity Management?

ISO 27001 Annex A 8.6 Capacity Management is an ISO 27001 control that looks to make sure you have the resources you need to the things that you need to do.

ISO 27001 Annex A 8.6 Purpose

The purpose of Annex A 8.6 Capacity Management is to ensure the required capacity of information processing facilities, human resources, offices and other facilities.

ISO 27001 Annex A 8.6 Definition

The ISO 27001 standard defines Annex A 8.6 as:

The use of resources should be monitored and adjusted in line with current and expected capacity requirements.

ISO 27001:2022 Annex A 8.6 Capacity Management

How to implement ISO 27001 Annex A 8.6

With capacity management we are looking to make sure that we have enough resources to perform and deliver our products and services. There are varying degrees and levels of management depending on how complex you are, how complex your setup is, the organisation and your risk.

Resources to manage

The kinds of traditional capacity management and resources we would consider are things like storage space, disk space, CPU usage, memory usage, network bandwidth. You also have capacity in your staffing and also in your connected utilities.

Basically anything you use will have a capacity and a limit.

The process

You are going to identify the resources that you need and use and are important to you. For those you perform a risk assessment and build controls based on risk. Upper limits need to be defined and thresholds set that trigger alerts with action plans that are activated when the threshold is triggered.

Capacity Planning

The standard loves planning so you are going to invest some time to come up with a capacity management plan that attempts to predict and record future capacity requirements. Plans change, but have a plan.

The control is not particularly hard. It is mainly common sense.

ISO 27001 Templates



ISO 27001 Toolkit Business Edition

ISO 27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. This ISO 27001 Toolkit has been specifically designed so you can DIY your ISO 27001 certification, build your ISMS in a week and be ISO 27001 certification ready in 30 days.

How to pass an audit of ISO 27001 Annex A 8.6

Time needed: 1 day

How to comply with ISO 27001 Annex A 8.6

  1. Have procedures in place

    Write, approve, implement and communicate the documentation required for capacity management.

  2. Assess your capacity requirements and perform a risk assessment

    Conduct a risk assessment and work out what your capacity requirements are.

  3. Implement controls proportionate to the risk posed

    Based on the risk and requirements implement the controls that are proportionate. Set upper limits for capacity, implement triggers and put in places processes to respond to those triggers and alerts.

  4. Keep records

    For audit purposes you will keep records. Examples of the records to keep include changes, updates, monitoring, review and audits.

  5. Test the controls that you have to make sure they are working

    Perform internal audits that include the testing of the controls to ensure that they are working.

Top 3 Mistakes People Make for ISO 27001 Annex A 8.6

The top 3 mistakes people make for ISO 27001 Annex A 8.6 are

1. You have no capacity management plan

This usual things here that go wrong are when people don’t actually know what resources they need or what they are using or what they have. Identify your resource requirements, record what you are using, what you need, what the trigger thresholds are to take action.

2. You have not acted on plan

Having a plan and not using it is worse than no plan at all. Be sure to follow the plan and be able to evidence that you are reviewing and acting on capacity reports.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Get the Help of the ISO 27001 Ninja

Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster that you ever thought possible.

Controls and Attribute Values

Control typeInformation
security properties
Security domains
DetectiveIntegrityGovernance and Ecosystem
ISO 27001 Toolkit Business Edition

Do It Yourself ISO27001

Stop Spanking £10,000s on consultants and ISMS online-tools.