What is ISO 27001 Annex A 8.6 (Capacity Management)?
Capacity management is a documented process for monitoring resource use. It protects system availability by predicting future resource requirements before they are exhausted. You must integrate this into business-as-usual tools: store capacity plans in SharePoint and record monitored metrics and thresholds in your internal technical wikis so that service levels are maintained. This approach avoids disconnected security silos.
Auditor’s Eye: The Shortcut Trap
Automated SaaS platforms often provide a generic policy with a green tick. This creates surface-level compliance. These tools do not connect to your live infrastructure logs. Auditors want to see your actual resource data. We look for capacity review minutes in your native repositories. Reliance on external software causes a lack of management ownership. You must demonstrate that you actively manage your own hardware and cloud limits.
| ISO 27001:2013 Control | ISO 27001:2022 Control | Key Differences |
|---|---|---|
| A.12.1.3 Capacity management | A.8.6 Capacity management | The 2022 version simplifies the language. It remains a technical and operational requirement. |
How to Implement ISO 27001 Annex A 8.6 (Step-by-Step)
Identify your resource limits and monitor them regularly. Document these limits in your internal wiki so your team understands the operational boundaries. Implementation is a cultural habit, not a software installation. All steps must use your existing document management systems.
- Define resource requirements for all critical systems.
- Log these specifications in a SharePoint asset register.
- Set thresholds for CPU, memory, and storage use.
- Monitor utilisation using your existing internal logging tools.
- Review performance trends in monthly management meetings.
- Record the review findings in SharePoint meeting minutes.
- Use Jira to assign tasks for capacity expansion.
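The steps above amount to a simple control loop: record the thresholds you have documented, compare each utilisation sample against them, and project the trend so the monthly review can see how long is left before a limit is hit. The following Python script is an added example and is not part of the original article or any vendor product; the log format, host names, thresholds and utilisation figures are all constructed sample data, and the forecast is an ordinary least-squares line through the samples, which is only one of several reasonable trend methods.

```python
"""Threshold monitoring and trend forecasting over utilisation logs.

Added example for ISO 27001 Annex A 8.6; all data below is constructed.
"""
from datetime import date

# Constructed daily utilisation samples (percent of capacity) in the
# format "YYYY-MM-DD host=<name> cpu=<n> mem=<n> disk=<n>".
SAMPLE_LOG = """\
2024-05-01 host=db01 cpu=41 mem=62 disk=70
2024-05-02 host=db01 cpu=44 mem=63 disk=72
2024-05-03 host=db01 cpu=39 mem=65 disk=74
2024-05-04 host=db01 cpu=47 mem=64 disk=76
2024-05-05 host=db01 cpu=93 mem=66 disk=78
2024-05-01 host=web01 cpu=20 mem=30 disk=40
2024-05-05 host=web01 cpu=22 mem=31 disk=41
"""

# Thresholds as they would be recorded on the internal wiki (constructed).
THRESHOLDS = {"cpu": 85, "mem": 80, "disk": 85}


def parse_log(text):
    """Turn log lines into dicts with a date, a host and integer metrics."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        rec = {"date": date.fromisoformat(parts[0])}
        for kv in parts[1:]:
            key, value = kv.split("=", 1)
            rec[key] = int(value) if value.isdigit() else value
        records.append(rec)
    return records


def find_breaches(records, thresholds):
    """Return (date, host, metric, value) for every sample above its threshold."""
    breaches = []
    for rec in records:
        for metric, limit in thresholds.items():
            if rec.get(metric, 0) > limit:
                breaches.append((rec["date"].isoformat(), rec["host"], metric, rec[metric]))
    return breaches


def days_until_limit(records, host, metric, limit):
    """Fit a least-squares line to one host's metric and return the number of
    days after the last sample at which the line crosses `limit`.
    Returns None when the trend is flat or falling or there are too few samples."""
    points = sorted((r["date"], r[metric]) for r in records
                    if r["host"] == host and metric in r)
    if len(points) < 2:
        return None
    origin = points[0][0]
    xs = [(d - origin).days for d, _ in points]
    ys = [v for _, v in points]
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    if sxx == 0:
        return None
    slope = sxy / sxx
    if slope <= 0:
        return None
    intercept = mean_y - slope * mean_x
    crossing = (limit - intercept) / slope
    return max(0.0, crossing - xs[-1])


def trend_summary(records, thresholds, horizon_days=30):
    """List (host, metric, days) for every series forecast to hit its
    threshold within `horizon_days`; this is the table for the monthly review."""
    summary = []
    for host in sorted({r["host"] for r in records}):
        for metric, limit in thresholds.items():
            days = days_until_limit(records, host, metric, limit)
            if days is not None and days <= horizon_days:
                summary.append((host, metric, round(days, 1)))
    return summary


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for breach in find_breaches(recs, THRESHOLDS):
        print("THRESHOLD BREACH:", breach)
    for host, metric, days in trend_summary(recs, THRESHOLDS):
        print(f"{host} {metric}: forecast to reach threshold in ~{days} days")
```

The breach list answers "are we over a documented limit today?", and the trend summary answers "what will the next review need to act on?"; a Jira ticket raised from either output, with the figures attached, is exactly the kind of native evidence the checklist below asks for. A single anomalous sample (the cpu=93 spike on db01) pulls the fitted line sharply upward, so a real review should look at the underlying samples rather than the forecast alone.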
ISO 27001 Annex A 8.6 Audit Evidence Checklist
Focus on manual records that prove human oversight and intent. Auditors check for version history in your internal tools. Avoid showing dashboards from third-party compliance software.
- Documented capacity management policy with SharePoint version history.
- Meeting minutes showing that management reviewed resource trends.
- Internal wiki pages detailing system performance thresholds.
- Jira tickets used to request additional cloud or physical resources.
- Historical logs of server or database utilisation.
Relational Mapping
Annex A 8.6 relates to several core requirements:
- Clause 8.1: Operational planning and control.
- Annex A 5.9: Inventory of information and other assets.
- Annex A 8.1: User endpoint device security.
Auditor Interview
Auditor: How do you identify when your systems need more resources?
Manager: We monitor server metrics weekly. We record any trends in our Confluence technical log.
Auditor: Where do you record decisions to upgrade hardware?
Manager: We discuss this in our monthly management meetings. We store the minutes and Jira upgrade tickets in SharePoint.
Common Non-Conformities
| Failure Mode | Description | Corrective Action |
|---|---|---|
| Automated Complacency | Relying on a SaaS platform tick without local data. | Create and store actual capacity reports in SharePoint. |
| Missing Baselines | The organisation does not know its resource limits. | Document performance thresholds in the internal wiki. |
| No Evidence of Review | Metrics exist but management never reviews them. | Add capacity reviews to the management meeting agenda. |
Frequently Asked Questions
What is ISO 27001 Annex A 8.6?
The Bottom Line: It is the process of ensuring resources meet current and future demands. You must monitor system performance regularly. Document your plans and reviews in SharePoint. This prevents service outages caused by resource exhaustion.
How do I implement capacity management?
The Bottom Line: Identify your resource limits and monitor them. Record your specifications in Confluence. Use Jira to manage upgrades. Store all review evidence in your native document management system.
Why avoid automated SaaS tools for capacity?
The Bottom Line: SaaS tools decouple security from your actual business operations. They provide generic evidence that auditors often reject. Manage your evidence in SharePoint and Jira. This shows genuine management ownership of the control.
