What is ISO 27001 capacity management?

ISO 27001 capacity management ensures that your organization has enough computing resources and storage to support data access, backup, and disaster recovery procedures. It ensures your systems have adequate computing power to meet user and stakeholder requirements.

Requirements of capacity management

To meet ISO 27001:2013 control A.12.1.3, you should ensure your resource usage is effectively monitored and fine-tuned, with an eye on future capacity needs to guarantee system performance.

Avoid getting bogged down with minor details and instead concentrate on monitoring and enhancing capacities for services that significantly contribute to your bottom line.

Control 8.6 guidance:

  • When you implement capacity management controls, such as detective controls that flag potential issues early, keep business continuity as a top priority
  • Base capacity management on proactive tuning and monitoring. These two elements should work together to safeguard systems and business functions
  • Conduct regular stress tests to assess a system’s ability to meet business needs. Tailor these tests to specific operational areas
  • Don’t limit capacity management to current needs. Include plans for both commercial and technical expansion, considering physical and digital aspects to remain future-proof
  • Recognize that expanding resources comes with varying lead times and costs. Resources that are costly or challenging to expand should undergo closer scrutiny to ensure business continuity
  • Be cautious of single points of failure, especially when dependent on key personnel or specific resources. Difficulties with these factors can lead to complex issues that are hard to rectify
  • Develop a capacity management plan that specifically addresses business-critical systems and functions
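The monitoring, proactive tuning and lead-time points above can be turned into a simple detective control: sample a resource's utilization over time, flag any breach of a warning threshold, and project from the growth trend how many days remain before the resource is exhausted, so that resources with long procurement lead times are escalated early. The code below is an added example and is not from the original article or from any standard; the function names and the daily utilization samples are constructed for illustration.

```python
"""Capacity monitoring as a detective control (added example, not from the article).

Given a series of utilization samples for one resource, the check:
  1. flags samples at or above a warning threshold (the detective part),
  2. fits a linear trend to estimate the growth rate per day, and
  3. projects the number of days until the resource reaches its limit, so the
     result can be compared with the lead time needed to expand the resource.
The sample data at the bottom are constructed values, not real measurements.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CapacityReport:
    resource: str
    latest_pct: float            # most recent utilization, in percent
    threshold_pct: float         # warning threshold, in percent
    breached: bool               # latest sample at or above the threshold
    growth_pct_per_day: float    # fitted trend, percentage points per day
    days_until_full: Optional[float]  # None when usage is flat or shrinking


def linear_trend(samples: List[float]) -> float:
    """Least-squares slope of the samples against their index.

    Returns the change per sample interval; 0.0 when fewer than two samples.
    """
    n = len(samples)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(samples))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def assess_capacity(resource: str, samples: List[float],
                    threshold_pct: float = 80.0, limit_pct: float = 100.0,
                    samples_per_day: float = 1.0) -> CapacityReport:
    """Evaluate one resource's utilization history and project its exhaustion."""
    if not samples:
        raise ValueError("at least one utilization sample is required")
    latest = samples[-1]
    growth = linear_trend(samples) * samples_per_day  # convert to per-day rate
    days: Optional[float]
    if latest >= limit_pct:
        days = 0.0                       # already at the limit
    elif growth > 0:
        days = (limit_pct - latest) / growth
    else:
        days = None                      # flat or shrinking: no projected exhaustion
    return CapacityReport(resource, latest, threshold_pct,
                          latest >= threshold_pct, growth, days)


def needs_action(report: CapacityReport, lead_time_days: float) -> bool:
    """True when the threshold is breached or the projected exhaustion falls
    inside the lead time needed to expand this resource (hypothetical policy)."""
    if report.breached:
        return True
    return report.days_until_full is not None and report.days_until_full < lead_time_days


# Constructed daily utilization samples (percent) for three hypothetical resources.
DISK_SAMPLES = [60, 61, 62, 63, 64, 65, 66]     # steady 1 pt/day growth
MEMORY_SAMPLES = [70, 75, 78, 82, 85]            # fast growth, already past 80%
LICENSE_SAMPLES = [50, 50, 50, 50]               # flat usage

if __name__ == "__main__":
    # Lead times are hypothetical: storage expansion assumed to take 60 days of
    # procurement, memory 7 days, licence seats 30 days.
    for name, samples, lead in (("disk", DISK_SAMPLES, 60),
                                ("memory", MEMORY_SAMPLES, 7),
                                ("licenses", LICENSE_SAMPLES, 30)):
        rep = assess_capacity(name, samples)
        print(f"{rep.resource:9s} latest={rep.latest_pct:5.1f}% "
              f"growth={rep.growth_pct_per_day:4.2f}/day "
              f"days_until_full={rep.days_until_full} "
              f"action={'YES' if needs_action(rep, lead) else 'no'}")
```

The key design choice is comparing the projected days-until-full with the expansion lead time rather than with a fixed number: a resource growing slowly but needing a long procurement cycle is escalated just as early as a fast-growing one, which is the scrutiny the guidance asks for on costly or hard-to-expand resources.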
