Capacity management, in the context of ICT, isn’t limited to ensuring that organisations have adequate space on servers and associated storage media for data access and Backup and Disaster Recovery (BUDR) purposes.
Organisations need to ensure that they have the ability to operate with a set of resources that cater to a broad range of business functions, including HR, information processing, and the management of physical office locations and their associated facilities.
All of these functions have the ability to adversely affect an organisation’s information management controls.
Control 8.6 is a dual-purpose preventive and detective control: it manages risk by identifying current and projected capacity requirements and maintaining adequate capacity for processing information across the organisation.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive #Detective | #Integrity #Availability | #Protect #Identify #Detect | #Continuity | #Governance and Ecosystem #Protection |
Control 8.6 deals with an organisation’s ability to operate as a business on an ongoing basis.
As such, ownership should reside with the Chief Operating Officer (or organisational equivalent), with responsibility for the day-to-day integrity and efficiency of an organisation’s business functions.
In broad terms that apply across resource types rather than to any single type of resource, Control 8.6 contains 7 general guidance points:
27002:2022-8.6 advocates a dual-fronted approach to capacity management that either increases capacity or reduces demand upon a resource or set of resources.
When attempting to increase capacity, organisations should:
When attempting to reduce demand, organisations should:
27002:2022-8.6 replaces 27002:2013-12.1.3 (Capacity management).
27002:2022-8.6 contains a far more comprehensive set of guidelines that instruct organisations on how to either increase capacity or reduce demand.
Further to this, 27002:2013-12.1.3 contains no specific guidance on how to increase capacity, in contrast to 27002:2022-8.6 that outlines specific courses of action that lead to more operational breathing space.
27002:2013-12.1.3 also contains no guidance on how to stress test operational capacity, or otherwise audit an organisation’s ability to manage capacity on an ongoing basis, outside of recommending a capacity management plan.
In keeping with the meteoric rise of cloud computing over the past decade, 27002:2022-8.6 is explicit in its advice to organisations to use cloud-based resources that automatically scale with business requirements.
27002:2013-12.1.3 makes no such mention of off-site storage or compute facilities.
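As an added illustration (not part of the original page or of the ISO standard text), the following Python script shows the detective half of Control 8.6 in working form: it fits a linear trend to equally spaced utilisation samples for each resource, projects when a high-water mark will be crossed, and labels the resource so that the organisation can decide between the two levers the control describes, increasing capacity or reducing demand. The resource names, the 80% watermark, the 30-day planning window and the daily utilisation figures are all constructed for the example.

```python
"""Capacity trend check: a small detective control over utilisation samples.

Added example for ISO/IEC 27002:2022 Control 8.6; not vendor or standard code.
All resource names, thresholds and samples below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CapacityFinding:
    resource: str
    current_pct: float
    growth_pct_per_day: float
    days_until_threshold: Optional[float]  # None when utilisation is not growing
    action: str  # "ok", "plan" or "urgent"


def linear_trend(samples: List[float]) -> float:
    """Least-squares slope of equally spaced samples (utilisation % per interval)."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(samples))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def assess(resource: str, samples: List[float],
           threshold_pct: float = 80.0, warn_days: float = 30.0) -> CapacityFinding:
    """Classify one resource from its daily utilisation history.

    urgent: already at or above the watermark (increase capacity or shed demand now)
    plan:   on current trend the watermark is reached within warn_days
    ok:     flat, shrinking, or the watermark is beyond the planning window
    """
    current = samples[-1]
    slope = linear_trend(samples)
    if current >= threshold_pct:
        return CapacityFinding(resource, current, slope, 0.0, "urgent")
    if slope <= 0:
        return CapacityFinding(resource, current, slope, None, "ok")
    days = (threshold_pct - current) / slope
    action = "plan" if days <= warn_days else "ok"
    return CapacityFinding(resource, current, slope, days, action)


def run_checks(history: Dict[str, List[float]]) -> List[CapacityFinding]:
    """Assess every resource and return findings, most pressing first."""
    order = {"urgent": 0, "plan": 1, "ok": 2}
    findings = [assess(name, samples) for name, samples in history.items()]
    return sorted(findings, key=lambda f: order[f.action])


# Constructed daily utilisation samples (percent) for three hypothetical resources.
SAMPLE_HISTORY: Dict[str, List[float]] = {
    "backup-store": [50, 52, 54, 56, 58, 60, 62],   # steady growth of 2%/day
    "mail-queue": [70, 75, 79, 83, 85, 88, 90],     # already above the watermark
    "app-db-disk": [45, 44, 43, 42, 41, 40, 39],    # shrinking after a clean-up
}

if __name__ == "__main__":
    for f in run_checks(SAMPLE_HISTORY):
        eta = "n/a" if f.days_until_threshold is None else f"{f.days_until_threshold:.1f}d"
        print(f"{f.action:6} {f.resource:14} now={f.current_pct:5.1f}% "
              f"trend={f.growth_pct_per_day:+.2f}%/day eta={eta}")
```

Fed by a monitoring export instead of the constructed dictionary, the same check gives the evidence an auditor looks for under 8.6: a record that capacity is reviewed on an ongoing basis and that growth is acted on before, not after, a resource is exhausted.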
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |