ISO 27001 Annex A 8.6 covers capacity management: an organisation should monitor how its resources are used and adjust them to meet both its current needs and the needs it expects to have in the future.
Table of contents
- What is ISO 27001 Annex A 8.6?
- What is the ISO 27001 Annex A 8.6 control objective?
- What is the purpose of ISO 27001 Annex A 8.6?
- Is ISO 27001 Annex A 8.6 Mandatory?
- Key Parts of the Rule
- How to implement ISO 27001 Annex A 8.6
- Capacity Planning
- Implementation Challenges
- ISO 27001 Annex A Capacity Management Summary
What is ISO 27001 Annex A 8.6?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Capacity Management”.

What is the ISO 27001 Annex A 8.6 control objective?
The formal definition and control objective in the standard is: “The use of resources should be monitored and adjusted in line with current and expected capacity requirements.”

What is the purpose of ISO 27001 Annex A 8.6?
The purpose of ISO 27001 Annex A 8.6 is “to ensure the required capacity of information processing facilities, human resources, offices and other facilities.”

Is ISO 27001 Annex A 8.6 Mandatory?
ISO 27001 Annex A control 8.6 (Capacity Management in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 8.6 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. The key requirement is this:
You need to make sure you have enough resources to run and deliver your products and services. The level of management you apply will depend on how complex your systems are, your setup, your organisation, and your security risks.
Resources You Need to Manage
Core Technical Assets
The resources we usually think of for system management are things like:
- Storage and disk space.
- CPU (processor) usage.
- Memory usage.
- Network bandwidth.

This initial inventory focuses on information processing resources as each has a finite capacity that must be defined, managed and monitored.
Operational and Human Assets
You also need to think about your staff availability and the utilities you connect to. Essentially, everything you use has a limit on how much it can handle.
A robust capacity framework extends to include human and environmental resources as neglecting these creates unaddressed single points of failure. Examples include:
- Staff Availability: ensuring sufficient people are available to operate and maintain systems and to respond to demands on them.
- Utility Dependencies: monitoring and planning for the capacity of essential utilities such as power and connectivity.

How to implement ISO 27001 Annex A 8.6
These are the steps you will follow to implement ISO 27001 Annex A 8.6:
- Identify Resources: You must figure out which resources you use and which ones are important to you.
- Assess Risk: For those important resources, you will check the risks of running out of space or power.
- Define Limits: You need to set clear upper limits for resources.
- Set Alerts: You must set trigger points (thresholds) that send out warnings when the limit is almost reached.
- Create Action Plans: When a warning is sent, you should have a plan ready to use to fix the problem.

Phases 1 and 2: Resource Identification and Risk Assessment
In this phase you are identifying the critical resources and assessing any inherent risks.
Phase 1: Identify Critical Resources
The most critical step is to formally identify and document every resource required for the delivery of products and services. This creates the foundation of the capacity management plan.
Phase 2: Assess Inherent Risks
For each resource a formal risk assessment is conducted to determine the business impact of not having capacity. This will inform the monitoring and planning efforts.

Phases 3 and 4: Defining Operational Limits and Calibrating Thresholds
In this phase you are defining the limits for operations and the alerting thresholds.
Phase 3: Defining Upper Limits
For each resource set the explicit and quantifiable upper capacity limits. These are the absolute maximums beyond which performance would degrade or failure would be expected.
Phase 4: Set Alert Thresholds
Establish an automated reporting and alerting trigger point that issues warnings before the upper limit is reached. This is the early warning system that enables proactive intervention.

Phase 5: Implement Response Processes
Every alert should have a corresponding action plan. This phase covers creating, documenting and testing predefined action plans against the calibrated alert thresholds. Key steps in the process include:
- Immediate triage steps
- Escalation paths
- Resource addition plans
- Communication plans

Capacity Planning
The ISO standard places real value on planning, so you will spend time creating a capacity management plan. This plan should forecast and record what resources you will need in the future. Your plans will change, but you still need to have one ready.
Capacity planning is a key part of this Annex A control. Having a static snapshot of current capacity is not enough. The objective is to create a dynamic capacity management plan that forecasts future resource requirements. The plan accounts for business needs, technology roadmaps and market trends.
The plan is a living document that is regularly reviewed and updated.
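As an added illustration (not code from the original article), here is a small Python capacity monitor that ties together the implementation phases above with the forecasting the capacity plan calls for: each resource gets an upper limit (Phase 3), an alert threshold below it (Phase 4) and a predefined action plan (Phase 5), and a simple linear forecast estimates how many days remain before the threshold is reached. The resource names, percentages and daily readings are constructed sample values, not figures from the standard.

```python
from dataclasses import dataclass


@dataclass
class CapacityRule:
    resource: str
    upper_limit: float      # Phase 3: absolute maximum before failure (e.g. 100% full)
    alert_threshold: float  # Phase 4: early-warning trigger set below the limit
    action_plan: str        # Phase 5: predefined response when the alert fires


# Constructed example rules; real limits come from your own risk assessment.
RULES = {
    "disk_pct": CapacityRule("disk_pct", 100.0, 85.0, "page storage on-call; expand volume"),
    "cpu_pct": CapacityRule("cpu_pct", 100.0, 80.0, "scale out app tier; escalate to platform lead"),
    "memory_pct": CapacityRule("memory_pct", 100.0, 90.0, "restart leaking service; add RAM"),
}

# Constructed sample readings: (day number, {resource: utilisation percent})
SAMPLE_READINGS = [
    (1, {"disk_pct": 70.0, "cpu_pct": 55.0, "memory_pct": 60.0}),
    (2, {"disk_pct": 74.0, "cpu_pct": 58.0, "memory_pct": 61.0}),
    (3, {"disk_pct": 78.0, "cpu_pct": 85.0, "memory_pct": 62.0}),
]


def evaluate(readings, rules=RULES):
    """Return (resource, severity, action_plan) for every threshold or limit crossed."""
    alerts = []
    for name, value in readings.items():
        rule = rules.get(name)
        if rule is None:
            continue  # unmanaged resource: nothing to compare against
        if value >= rule.upper_limit:
            alerts.append((name, "LIMIT", rule.action_plan))
        elif value >= rule.alert_threshold:
            alerts.append((name, "WARN", rule.action_plan))
    return alerts


def days_until_threshold(history, resource, rules=RULES):
    """Linear forecast from first and last reading; None if usage is not growing."""
    first_day, first = history[0]
    last_day, last = history[-1]
    rate = (last[resource] - first[resource]) / (last_day - first_day)
    if rate <= 0:
        return None
    remaining = rules[resource].alert_threshold - last[resource]
    return max(remaining, 0.0) / rate
```

Feeding the latest day's readings to `evaluate` fires a warning for CPU only, while the forecast shows disk reaching its threshold in under two days, which is the kind of lead time the plan should give you.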

Implementation Challenges
Capacity planning has its challenges and demands a level of precision, consistency and administrative overhead. The main challenges are:
- Documentation burden
- Monitoring complexity
- Audit readiness
- Manual error

ISO 27001 Annex A Capacity Management Summary
This system control is not very difficult. It mainly requires you to use good common sense.