The basics
ISO 27001 control A.8.6 Capacity management requires companies to monitor the use of IT resources and to plan and adjust the available capacity so that it meets current and expected demand. The point is to prevent service degradation or outages caused by insufficient capacity: an exhausted disk, a memory-starved server, or a saturated network link is an availability failure, and availability is one of the three properties (with confidentiality and integrity) that information security protects.
Documentation
ISO 27001 control A.8.6 Capacity management can be documented:
- for smaller and mid-sized companies by writing Security Procedures for IT Department
- for larger companies by writing a Capacity Management Procedure
These documents are not mandatory, but are recommended.
Implementation
In order to comply with control A.8.6 Capacity management you might implement the following:
- Technology — the resources whose capacity needs to be planned and monitored can include software (e.g., websites and the application servers behind them), hardware (e.g., storage, memory, and cooling systems), and networks (e.g., links carrying streaming or backup traffic). Smaller companies can usually extract performance data from features built into the systems they already run, whereas larger companies will probably need monitoring software that alerts them when usage peaks exceed a threshold or when remaining capacity is running low. Whatever the tooling, the useful output is the same: current utilization against a threshold, and a projection of when capacity will run out so that it can be added before it does.
- Organization/processes — set up a process for identifying critical resources and the current and future demands placed on them, and for planning and monitoring the capacity available to meet those demands. You can document this process in the Security Procedures for IT Department.
- People — make employees aware of why the usage of resources must be monitored, and train IT staff to monitor and analyze resource usage and to act on the alerts.
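The monitoring described above boils down to two checks per resource: current utilization against a threshold, and a trend projection of when capacity will run out. The following is an added worked example, not code from ISO 27001 or from the page's source material, showing both checks over constructed usage samples; the 80 %/90 % thresholds, the 30-day forecast horizon, and the resource names and figures are assumptions chosen for illustration.

```python
"""Threshold and trend-based capacity alerting over constructed utilization samples.

Added example: not part of ISO 27001 or of the page's source material. The thresholds,
forecast horizon and sample data below are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

WARN_PCT = 80.0              # assumed: warn when utilization reaches 80 %
CRIT_PCT = 90.0              # assumed: critical at 90 %
FORECAST_HORIZON_DAYS = 30   # assumed: alert if capacity is projected to run out within 30 days


@dataclass
class Resource:
    name: str
    capacity: float                      # total capacity in the resource's unit (GB, Mbit/s, ...)
    samples: list[tuple[int, float]]     # (day index, amount used), oldest first


@dataclass
class Assessment:
    name: str
    utilization_pct: float
    status: str                          # "ok" | "warning" | "critical"
    daily_growth: float                  # least-squares trend in units per day
    days_to_exhaustion: Optional[float]  # None when usage is flat or shrinking
    alerts: list[str] = field(default_factory=list)


def slope(points: list[tuple[int, float]]) -> float:
    """Least-squares slope (units per day) of (day, used) points; 0.0 if it cannot be estimated."""
    n = len(points)
    if n < 2:
        return 0.0
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    if sxx == 0:
        return 0.0
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    return sxy / sxx


def assess(res: Resource) -> Assessment:
    """Apply the threshold check and the time-to-exhaustion forecast to one resource."""
    _, latest_used = res.samples[-1]
    util = 100.0 * latest_used / res.capacity
    growth = slope(res.samples)
    status = "critical" if util >= CRIT_PCT else "warning" if util >= WARN_PCT else "ok"
    # Linear projection: remaining capacity divided by daily growth. Only meaningful when growing.
    days_left = (res.capacity - latest_used) / growth if growth > 0 else None

    alerts: list[str] = []
    if status != "ok":
        threshold = CRIT_PCT if status == "critical" else WARN_PCT
        alerts.append(f"{res.name}: {status.upper()} utilization {util:.1f}% (threshold {threshold:.0f}%)")
    if days_left is not None and days_left <= FORECAST_HORIZON_DAYS:
        alerts.append(f"{res.name}: projected to exhaust capacity in {days_left:.1f} days at +{growth:.2f}/day")
    return Assessment(res.name, util, status, growth, days_left, alerts)


# Constructed sample data (not real measurements), one resource per pattern:
# steady growth well below threshold, flat but critical, and growth that will hit the limit soon.
SAMPLE_RESOURCES = [
    Resource("file-server /data (GB)", 1000.0, [(d, 600.0 + 5.0 * d) for d in range(14)]),
    Resource("db-host RAM (GB)", 64.0, [(d, 59.5) for d in range(7)]),
    Resource("wan-link-1 (Mbit/s)", 1000.0, [(d, 700.0 + 20.0 * d) for d in range(7)]),
]


def run_report(resources: list[Resource] = SAMPLE_RESOURCES) -> list[Assessment]:
    """Assess every resource; the returned list is what a capacity report or alerting job would consume."""
    return [assess(r) for r in resources]


if __name__ == "__main__":
    for a in run_report():
        left = "n/a" if a.days_to_exhaustion is None else f"{a.days_to_exhaustion:.0f}"
        print(f"{a.name}: {a.utilization_pct:.1f}% [{a.status}] growth {a.daily_growth:+.2f}/day, days left: {left}")
        for alert in a.alerts:
            print("  ALERT:", alert)
```

The forecast check is what turns monitoring into planning: the file server in the sample is only at 66.5 % but will fill in about 67 days at its current growth, which is exactly the figure a capacity plan needs, while the WAN link is already in the warning band and is projected to saturate in 9 days, so it raises both a threshold alert and a forecast alert. A linear trend is a deliberately simple model; seasonal peaks (month-end batch jobs, campaign traffic) need a longer sample window or a model that accounts for them.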
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.6 Capacity management: that the use of resources is monitored (e.g., monitoring dashboards, alert history, or periodic capacity reports) and that capacity is adjusted in line with current and expected requirements (e.g., capacity plans, change requests, or records of upgrades made in response to monitoring).