This post looks at how you can meet controls A.8.6 and A.8.7: ensuring that you have sufficient capacity to deal with your workload, both technical capacity and other resources such as people and premises, and protecting your systems against malware.
A.8.6 Capacity management
This control aims to ensure that the required capacity of information processing facilities, human resources, offices and other facilities is identified and maintained.
Capacity requirements should be identified and monitored for information processing systems, human resources, offices and other facilities. Monitoring should feed back into tuning of the resources to improve availability and efficiency, with alert thresholds set well before a resource is exhausted rather than at the point of failure. Stress testing should be performed to confirm that peak capacity requirements can be met.
Hosting systems in the cloud can assist with capacity management, because cloud providers offer elasticity and scalability provisions (for example auto-scaling) that allow rapid expansion and reduction of resources to cater for peak demand. These provisions are not automatic: scaling rules, account or service quotas and budget limits need to be configured and tested for the periods of peak demand you expect, so that availability and performance of your system are maintained.
For non-technical resources such as human resources and office space, current and projected trends should be used to anticipate future requirements. Managers should use this information to identify and avoid bottlenecks around key personnel (for example a single administrator who alone knows how a critical system works), since such dependencies are a threat to the security and continuity of services, and plan accordingly.
A.8.7 Protection against malware
The objective of this control is to ensure that your information processing facilities are protected against malware.
You need to ensure that you have controls for the detection and prevention of malware and for recovery from it, supported by appropriate user awareness.
Most commonly, anti-malware software is installed on workers' machines and managed centrally, so that the business can keep it up to date, see its alerts in one place and confirm that it is actually running on every endpoint rather than assuming it is.
This area is crucial because phishing and credential harvesting are among the most commonly reported information security threats to businesses, and phishing remains a primary delivery route for malware. Consider seeking advice from experts to make sure you get it right.
You also need to consider the rest of your infrastructure: how you protect your data, product and customer environments from risks such as ransomware. That includes servers and cloud workloads that do not run a desktop anti-virus agent, and whether you hold offline or immutable backups that a ransomware incident cannot reach, since recovery depends on them.
A lot of effort should be put into detecting and preventing malware. Discuss how to handle malware and phishing with staff regularly, even daily, and make it a standing topic at the monthly management meeting that all staff attend.
Keep on top of malware and phishing threats, because one slip can cause a lot of damage.
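Detection does not have to stop at signature-based anti-virus on the desktop. One behavioural check that catches ransomware regardless of which binary carries it is to watch for a single process rewriting or renaming many files, most of them to a new extension, within a short window. The following is an added example written for this post, not code from DQS or from any product; the audit log format, field names, process names and thresholds are constructed for illustration.

```python
"""Heuristic detection of ransomware-like file activity from audit log lines.

Added example, not part of the original post or any DQS tooling. Parses
constructed file-audit records (format and field names are assumptions) and
flags a process that touches many distinct files in one window when most of
those operations change the file extension. Real endpoint detection products
implement far richer logic; this shows the shape of the check.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# Assumed log format: ISO timestamp | host | process | WRITE or RENAME | source
# path [| destination path for renames].
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<proc>[^|]+)\|(?P<op>WRITE|RENAME)"
    r"\|(?P<src>[^|]+)(?:\|(?P<dst>[^|]+))?$"
)

WINDOW = timedelta(seconds=60)   # assumption: 60-second sliding window
MIN_FILES = 20                   # assumption: 20 distinct files in one window
MIN_EXT_CHANGE_RATIO = 0.5       # assumption: half or more change extension


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def ext_changed(src, dst):
    """True when a rename changes the file extension (case-insensitive)."""
    return dst is not None and (
        PureWindowsPath(src).suffix.lower() != PureWindowsPath(dst).suffix.lower()
    )


def find_suspicious(lines):
    """Return one alert per (host, process) whose first window crosses both thresholds."""
    events = defaultdict(list)   # (host, proc) -> [(ts, src, ext_changed)]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue   # malformed lines are skipped, not treated as evidence
        events[(rec["host"], rec["proc"])].append(
            (rec["ts"], rec["src"], ext_changed(rec["src"], rec["dst"]))
        )
    alerts = []
    for (host, proc), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            files = {src for _, src, _ in window}
            if len(files) < MIN_FILES:
                continue
            ratio = sum(1 for _, _, changed in window if changed) / len(window)
            if ratio >= MIN_EXT_CHANGE_RATIO:
                alerts.append({"host": host, "proc": proc,
                               "files": len(files), "ext_change_ratio": ratio})
                break   # report the first offending window only
    return alerts


def constructed_log():
    """Constructed sample: an editor, a backup job and a mass renamer."""
    base = datetime(2024, 5, 2, 10, 0, 0, tzinfo=timezone.utc)
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"{stamp(10 * i)}|ws-12|winword.exe|WRITE|C:\\Users\\amy\\Documents\\report{i}.docx"
             for i in range(3)]                                  # few files: benign
    lines += [f"{stamp(i)}|ws-12|backup.exe|WRITE|D:\\Backup\\set\\file{i}.bak"
              for i in range(30)]                                # many files, no renames
    lines += [f"{stamp(i)}|ws-12|unknown.exe|RENAME|C:\\Users\\amy\\Documents\\q{i}.xlsx"
              f"|C:\\Users\\amy\\Documents\\q{i}.xlsx.locked"
              for i in range(25)]                                # mass extension change
    return lines


if __name__ == "__main__":
    for alert in find_suspicious(constructed_log()):
        print(alert)
```

The thresholds are the tuning knobs: a backup or archiving job legitimately touches thousands of files but does not change their extensions, which is why the check requires both conditions before alerting.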
Takeaways
Key takeaways are:
- Align Capacity with Business Objectives: Ensure capacity planning aligns with current and anticipated business needs, including growth, scalability, and redundancy.
- Monitor and Analyse Usage Trends: Continuously monitor system performance, resource utilisation, and storage to identify capacity trends and predict future requirements.
- Use Automated Capacity Tools: Leverage capacity monitoring and management tools for real-time data collection and analysis.
- Implement and Maintain Robust Anti-Malware Solutions: Use reputable antivirus and anti-malware software on all systems and endpoints, keep it updated and verify centrally that it is running everywhere.
- Educate Users: Train employees on recognising phishing attempts, malicious websites, and suspicious file behaviours.
Other Posts
- Other posts in the series can be found at: A Strategic Approach to ISO 27001 Implementation
- View the previous post in the series: Access Management Simplified: Privileged Rights and Authentication Controls A.8.02 – A.8.05
- Read the next post in the series: Mitigating Threats Through Effective Management of Vulnerabilities and Configurations in Controls A.8.08 and A.8.09
Brad Fabiny
DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
