Implementing capacity management according to ISO 27001:2013 control A.12.1.3

I’m sure you know, but it’s always about meeting agreed SLAs with your customers (internal and/or external) in the most cost-effective manner. Appropriate performance under an acceptable price is the holy grail of any successful business.

To run a successful business you need a reasonable business plan, great understanding of your services, even greater understanding of your customers’ business and customers’ “habits,” and you must always be prepared to quickly adapt your capacities to new customer requirements or increased customer demands.

Well, capacity management is the basis of all this: the art of balancing between price and performance in order to satisfy customers, or even better – to excite customers.

Capacity management is a complex process where people and technology should closely interact on planning, monitoring, and adjusting resources.

Capacity management as the answer to business requirements

I witnessed one great business idea that resulted in a management decision – a new version of the service, supported by new technology, should be created for the market. The research, development, and testing phases were successfully finished. All the bits and pieces were ordered for the IT infrastructure (a certain number of disks, CPUs, RAM, network bandwidth, monitoring tools, etc.) from the cloud service provider. The service was out on the cloud platform, and the fun began. But, let’s see how capacity management relates to this situation.

By the way, as ISO 27001:2013 is not so detailed about the capacity management process, a detailed description can be found in ISO 20000: ITIL and ISO 20000 – How to setup the Capacity Management process.


From a mini case study: Before going live

The research process will analyze the cloud environment, having in mind the new service requirements. According to those requirements, the information development process will create the new service with all defined functionalities. A continuous process of briefing with sales/business relationship management is on the way (to assure that business requirements are met or maybe to adjust to them). If there is a shortage in human capacities (to develop such a service), HR should be asked to plan additional education or something that will build the required competences. The purchase process will order service from some cloud provider and maybe some outsourced human resources. As the new service is planned to be published, the cost of those capacities should be communicated with financial processes.

From a mini case-study: After go-live

Once the service is in the live environment, using monitoring tools, the capacity monitoring and measuring process works at full speed. Monitoring and measurement parameters can be varied, but might include: number of transactions, number of users, number of new customers, availability of RAM and disk in peak times, response times for some big queries, etc.

Those data (i.e., capacity data, to be precise) are very helpful for the incident process (due to low capacities of some service components, service suffers from low speed), development process (some queries have to be reprogrammed, as they currently take too much time), sales process (SLAs are in danger during peak times), and finally, financial process (profit is not as expected, to resolve peak time problems more money needs to be invested in additional capacities).

So, as you see, there is a lot of capacity information that needs to be monitored and communicated at the right time to the right people on the proper way to make things really work.

Requirements of ISO 27001:2013 – control A.12.1.3

To satisfy the requirement of ISO 27001:2013 control A.12.1.3, the organization should demonstrate that the use of resources is monitored, tuned up, and that projections of future capacity requirements are made. All of this will ensure the required system performance.

As usual, the standard is not very specific, so use it as best suits you. According to the price vs. performance principle and the scope of your ISO 27001:2013 – be focused on mission-critical services, the ones that drive your business. Don’t waste your time on small bits and pieces, but investigate and monitor all capacities of the services that “put bread on the table.”

A few hints on how to approach

Due to the fact that capacity management is very important, the creation of a Capacity Management Policy makes sense (that could be included in a process in the case of small companies, but as a stand-alone document for bigger companies). It should be communicated clearly inside your organization.

The best way to support a policy is to clearly define your process and draw a process diagram. Sure, it will take some time, but that visual representation of your process will be something that everybody will understand, and that can be communicated easily. Creating a process is a brainstorming session where everybody learns something and new ideas for improvements are identified.

Make sure that the creation of a process diagram will have activities like:

  • capacity requirements identification
  • definition and implementation of detective controls (mechanisms used to detect problems in due time)
  • system monitoring and tuning
  • identification and analysis of trends of usage
  • projections of future capacity requirements
  • creation of improvement actions
  • capacity plan creation/adjustments

Don’t forget to address the capacity and competence of the human resources, as well as service components.

Your capacity management process could lift you up or break you down in the market

Prior to final approval of your capacity management process, try to walk through it, and create all documents/records (that also depends on the size of the company, as smaller companies will create the minimum of documents/records needed) that are defined to make sure that it’s operationally realistic. Structure it in the form that best suits your organizational practice and culture. The bottom line of the whole process is the creation of some structured document that can be called a Capacity Plan and will be used as a communication bridge inside the company (to learn more about the Capacity Plan, see The document you need but probably don’t have).

In my audits, to be frank, I didn’t see too many structured approaches to capacity management; it’s more like those are the things that IT guys need to know by heart. I hope that this will change in the future because in today’s world everything is online and connected. One serious telecom incident can stop lots of today’s businesses. And taking care about capacity can be a strong tool to prevent that.

To improve your ISO 27001 knowledge and skills, try our free online course:  ISO 27001:2013 Foundations Course.