
ISO27001:2022 A8.6 – Capacity management




The purpose of this ISO27001 Annex A control is to ensure that you have the resources needed for information security to operate effectively. Because this control sits within the technical controls, many wrongly assume that it relates specifically to technical infrastructure. However, there is much more to this control than meets the eye.


 

What does the standard require?

The standard states that “The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.” (A8.6 – Capacity management)

 

Although this control sits within the Technical Controls, it is important to note that it does not mention technology at all. The expectation is that you will monitor and adjust the resources you need, and resources can mean anything that helps you run your business. The most obvious area here is Human Resources. Do you have enough people to do the job effectively? Do YOU have the resources you need in order to ensure security?

 

What about office space? Do you have room (i.e. Capacity) to ensure that people can work securely? Are people having to share desks? What about storage space? Is the implementation of a clear desk policy being hampered because you don’t have room in the filing cabinet for confidential papers?

 

As with many aspects of information security and ISO27001, you must think beyond the obvious.

 

Why is this required?

When considering this from a technology standpoint, it becomes evident that running out of disk space could harm your business, so you should monitor it. However, modern Cloud computing and NAS (Network Attached Storage) servers have made this less of an issue for most organisations. That is not to say you shouldn’t monitor disk capacity, but even the most basic Cloud computing service will send you timely alerts if you are running out of space.
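The monitoring the paragraph calls for has two halves: a check against current usage and a projection against expected usage, which is what the control’s wording (“current and expected capacity requirements”) asks for. The following is an added example, not part of the original article or any particular monitoring product. It assumes a feed of daily percent-used readings per volume (the readings below are constructed for illustration) and flags a volume either because it is already above a warning threshold or because a linear trend projects it to fill within a planning horizon:

```python
"""Threshold-and-trend storage capacity check (added example).

Assumes a monitoring feed that reports, per volume, a series of
(day, percent_used) samples. All sample data here is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: five daily percent-used readings per volume.
SAMPLES: Dict[str, List[Tuple[int, float]]] = {
    "/var/log":    [(0, 48.0), (1, 51.0), (2, 54.0), (3, 57.0), (4, 60.0)],
    "/srv/backup": [(0, 88.0), (1, 88.5), (2, 89.0), (3, 89.5), (4, 90.0)],
    "/home":       [(0, 40.0), (1, 40.0), (2, 41.0), (3, 40.0), (4, 41.0)],
}

WARN_PCT = 80.0      # alert when current usage is at or above this
HORIZON_DAYS = 14    # alert when usage is projected to reach 100% within this many days


@dataclass
class Finding:
    volume: str
    current_pct: float
    growth_per_day: float
    days_to_full: Optional[float]
    reason: str


def linear_growth(samples: List[Tuple[int, float]]) -> float:
    """Least-squares slope of the usage series, in percent per day."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_x = sum(x for x, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in samples)
    if sxx == 0:
        return 0.0
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in samples)
    return sxy / sxx


def days_until_full(current_pct: float, growth_per_day: float) -> Optional[float]:
    """Days until 100% at the observed growth rate; None if usage is flat or falling."""
    if growth_per_day <= 0:
        return None
    return (100.0 - current_pct) / growth_per_day


def evaluate(samples_by_volume: Dict[str, List[Tuple[int, float]]],
             warn_pct: float = WARN_PCT,
             horizon_days: int = HORIZON_DAYS) -> List[Finding]:
    """Return one Finding per volume that breaches the threshold or the projection."""
    findings: List[Finding] = []
    for volume, samples in samples_by_volume.items():
        current = samples[-1][1]
        growth = linear_growth(samples)
        dtf = days_until_full(current, growth)
        if current >= warn_pct:
            reason = "usage above threshold"
        elif dtf is not None and dtf <= horizon_days:
            reason = "projected to fill within horizon"
        else:
            continue  # healthy: neither full now nor filling soon
        findings.append(Finding(volume, current, growth, dtf, reason))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLES):
        eta = "n/a" if f.days_to_full is None else f"{f.days_to_full:.1f} days"
        print(f"{f.volume}: {f.current_pct:.1f}% used, "
              f"{f.growth_per_day:+.2f}%/day, full in {eta} ({f.reason})")
```

With the constructed data, `/srv/backup` is flagged by the threshold alone, while `/var/log` sits at only 60% but is growing 3% a day and is flagged because it would fill in about 13 days; `/home` is flat and produces nothing. The second case is the one a pure threshold alert misses, and it is the one that gives you time to plan rather than react.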

 

Running out of disk space could mean business disruption, possibly with systems failing, and therefore affecting your clients. This could lead to reputational damage and financial losses.

 

But the same issues could result from not having human capacity in your business to deliver products and services. Project delays could cause delays in delivery of your products or services, and again would affect your customers, possibly losing them to your competitors who can deliver as expected and required.

 

Without some form of monitoring of both human capacity and technological capacity, you won’t be able to plan for the future, which could impede business growth. Anyone who has worked in a small business will know that there comes a point where you run out of ‘capacity’ to serve your customers. You might need bigger premises, a bigger team or more technical infrastructure. Without capacity management, business growth will be difficult to achieve.


 

What the auditor is looking for

For this ISO27001 control, the auditor will look for evidence of both technical and operational security measures, including:

 

  • Business and Security Objectives (Clause 6.2 - Information security objectives and plans to achieve them).

  • System Capacity Dashboards and tools (e.g. Splunk).

  • Capacity plans (physical, human and technology).

  • Logs and monitoring (A8.15 – Logging & A8.16 Monitoring Activities).

  • Risk Register.

  • Results from audits.

  • Management Review Meeting minutes and actions.

 

Because this control sits within the technology section of ISO27001 Annex A, it is not uncommon for the auditor to focus only on the technical aspects of capacity management. However, be prepared to talk about the human resources you rely upon too. This includes YOU. Do you have the ‘capacity’ to ensure the information security management system functions as expected if you have another ten projects on the go? This is one question I always ask when auditing a business, and when auditors ask about roles and responsibilities, the underlying purpose is to see whether there is capacity in the business to run the security programme effectively.

 

What do you need to do?

You should think of this control as three controls in one, each requiring a slightly different approach.

 

Physical Capacity

Conduct a site risk assessment and audit, and identify any capacity issues in the office space. Does everyone have a desk? Are they desk sharing (not uncommon)? Do they have lockable drawers or cabinets for confidential information?

 

If you have confidential waste bins, are these overflowing because they are not big enough, or not emptied often enough? 

 

What about keys and ID cards? Are people having to share access cards because there aren’t enough to go round?

 

Human Capacity

Speak to your business leaders about the business growth plans and objectives for the next 12 months. Once you understand where the business is headed, you can ask how you will resource the business to enable the growth or expansion plans. This will most likely result in a conversation with your HR function to understand how they plan to recruit people and where this new pool of talent is coming from.

 

The Human Resources department will also be able to provide details of teams and their size, from which you may be able to identify key-person risks. This is where one or two people are relied upon to perform a critical function within the business, and without whom there could be an impact on the business.

 

It is not uncommon to find that a growing business has a number of key-person dependencies, and these need to be understood to ensure you have capacity in the business and are resilient to their departure, whether temporary (e.g. holiday) or permanent (e.g. they leave).

 

Technical Capacity

Speak to your IT team to understand how they manage capacity across your business. Don’t just focus on network storage: the IT team should be able to tell you how they manage storage capacity, network capacity and hardware capacity.

 

When the pandemic took hold in early 2020, many organisations struggled to implement their Business Continuity Plans because they didn’t have capacity in their networks, but also because they didn’t have enough laptops. Getting hold of these devices became increasingly difficult, and some businesses resorted to buying laptops from local stores, meaning that the software and devices were uncontrolled and unprotected. Worse still, we heard of some businesses telling their staff to use “any devices you have at home, like your children’s tablets or computers” (!)

 

Once you have considered all aspects of capacity management, identify where the risks are, log them on your risk register and develop a plan with your Management Review Team to address them.

 

Difficulty rating

We rate this control 3 out of 5 for difficulty. It can become relatively technical, as you will need to understand different capacity management techniques and controls. However, a big part of this control is considering what capacity management means to you. You might find that technical capacity management is the least of your problems, and that physical capacity is your biggest risk and therefore your main area for concern.


 

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ for answers on other aspects of the standard. Follow the links in this control to see its relationship to other controls, but if you’re still confused about this control, then please get in touch.

 

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.
