ISO 27001:2022 A.8.6 Capacity management

This article provides additional information on how you can meet the requirements of ISO 27001:2022 control A.8.6, Capacity management.

ISO 27001:2022 Control Description

Monitoring and Adjusting Resource Usage

Purpose

To ensure that information processing facilities, human resources, offices, and other facilities have the capacity needed to meet current and future demands.

Guidance on implementation

  1. Identify Capacity Requirements:
    • Assess the capacity needs for information processing facilities, human resources, offices, and other facilities. Consider the criticality of the systems and processes involved.
  2. System Tuning and Monitoring:
    • Regularly tune and monitor systems to ensure they are efficient and available. Make improvements as necessary.
  3. Stress Testing:
    • Conduct stress tests on systems and services to verify they can handle peak performance demands.
  4. Detective Controls:
    • Implement controls to detect potential capacity issues early, allowing for timely intervention.
  5. Future Capacity Planning:
    • Forecast future capacity needs by considering new business requirements, system changes, and trends in information processing capabilities.
  6. Resource Monitoring:
    • Pay special attention to resources that are costly or have long procurement times. Managers and service owners should monitor key system resources to prevent limitations or over-reliance on key personnel.
  7. Managing Capacity:
    • Address capacity needs by either increasing resources or reducing demand.
  8. To increase capacity, consider:
    • Hiring additional personnel.
    • Securing more facilities or workspace.
    • Acquiring more powerful processing systems, memory, or storage.
    • Using cloud computing, which offers elasticity and scalability, allowing for rapid expansion or reduction of resources as needed.
  9. To reduce demand on resources, consider:
    • Deleting obsolete data to free up disk space.
    • Disposing of hardcopy records that have passed their retention period to free up shelving space.
    • Decommissioning outdated applications, systems, databases, or environments.
    • Optimising batch processes and schedules.
    • Optimising application code or database queries.
    • Restricting bandwidth for non-critical, resource-heavy services (e.g., video streaming).
  10. Capacity Management Plan:
    • For mission-critical systems, consider developing a documented capacity management plan.