ISO 27001 Capacity Management
I am going to show you what ISO 27001 Annex A 8.6 Capacity Management is, what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it.
I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.
Table of Contents
What is ISO 27001 Annex A 8.6?
ISO 27001 Annex A 8.6 Capacity Management is an ISO 27001 control that looks to make sure you have the resources you need to the things that you need to do.
Purpose
The purpose of ISO 27001 Annex A 8.6 Capacity Management is to ensure the required capacity of information processing facilities, human resources, offices and other facilities.
Definition
The ISO 27001 standard defines ISO 27001 Annex A 8.6 as:
The use of resources should be monitored and adjusted in line with current and expected capacity requirements.
ISO 27001:2022 Annex A 8.6 Capacity Management
Implementation Guide
With capacity management we are looking to make sure that we have enough resources to perform and deliver our products and services. There are varying degrees and levels of management depending on how complex you are, how complex your setup is, the organisation and your risk.
Resources to manage
The kinds of traditional capacity management and resources we would consider are things like storage space, disk space, CPU usage, memory usage, network bandwidth. You also have capacity in your staffing and also in your connected utilities.
Basically anything you use will have a capacity and a limit.
The process
You are going to identify the resources that you need and use and are important to you. For those you perform a risk assessment and build controls based on risk. Upper limits need to be defined and thresholds set that trigger alerts with action plans that are activated when the threshold is triggered.
Capacity Planning
The standard loves planning so you are going to invest some time to come up with a capacity management plan that attempts to predict and record future capacity requirements. Plans change, but have a plan.
The control is not particularly hard. It is mainly common sense.
ISO 27001 Templates
ISO 27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. This ISO 27001 Toolkit has been specifically designed so you can DIY your ISO 27001 certification, build your ISMS in a week and be ISO 27001 certification ready in 30 days.
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
How to pass an audit
Time needed: 1 day
How to comply with ISO 27001 Annex A 8.6
- Have procedures in place
Write, approve, implement and communicate the documentation required for capacity management.
- Assess your capacity requirements and perform a risk assessment
Conduct a risk assessment and work out what your capacity requirements are.
- Implement controls proportionate to the risk posed
Based on the risk and requirements implement the controls that are proportionate. Set upper limits for capacity, implement triggers and put in places processes to respond to those triggers and alerts.
- Keep records
For audit purposes you will keep records. Examples of the records to keep include changes, updates, monitoring, review and audits.
- Test the controls that you have to make sure they are working
Perform internal audits that include the testing of the controls to ensure that they are working.
Top 3 Mistakes People Make
The top 3 mistakes people make for ISO 27001 Annex A 8.6 are
1. You have no capacity management plan
This usual things here that go wrong are when people don’t actually know what resources they need or what they are using or what they have. Identify your resource requirements, record what you are using, what you need, what the trigger thresholds are to take action.
2. You have not acted on plan
Having a plan and not using it is worse than no plan at all. Be sure to follow the plan and be able to evidence that you are reviewing and acting on capacity reports.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
ISO 27001 Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability | Protect | Continuity | Protection |
| Detective | Integrity | Governance and Ecosystem | ||