UnixTime

Research Note

A.8.6 Audit Evidence Pack

- Critical systems have defined capacity plans. - Monitoring covers current and expected bottlenecks. - Trend analysis is reviewed and acted on. - Thresholds have owners and act...

On this page

What the auditor wants to verify

Audit objective

Verify that resource use is monitored, trended, forecast, and adjusted to meet current and expected capacity requirements.

Evidence to request

Evidence Purpose
Capacity management plan Shows process and ownership
Monitoring dashboards/reports Shows resource use is measured
Threshold and alert configuration Shows capacity pressure is detected
Trend and forecast records Shows future needs are analyzed
Tuning/upgrade/action plans Shows monitoring leads to action
Cloud quota/autoscaling records Shows elastic capacity is controlled
Staff capacity planning Shows human-resource capacity is considered
Capacity-related incidents/problems Shows issues are investigated

Strong evidence

  • Critical systems have defined capacity plans.
  • Monitoring covers current and expected bottlenecks.
  • Trend analysis is reviewed and acted on.
  • Thresholds have owners and actions.
  • Cloud quotas, autoscaling, and cost limits are managed.
  • Staffing capacity is considered for critical operations.

Weak evidence

  • Capacity is only reviewed after outages.
  • Monitoring exists but no trends are reviewed.
  • No thresholds or action owners exist.
  • Cloud is assumed to scale without quota or cost review.
  • Staff capacity is ignored.

Sample interview questions

  • What capacity indicators are monitored?
  • Which systems are critical?
  • How are future requirements forecast?
  • What thresholds trigger action?
  • How are cloud quotas and autoscaling reviewed?
  • How is staff capacity handled during critical periods?

Common nonconformities

  • No capacity monitoring scope.
  • No trend/forecast evidence.
  • Capacity alerts not acted on.
  • Critical systems lack capacity plans.
  • Cloud service limits not reviewed.
  • Staffing constraints not considered.
  • Audit
  • Evidence
  • A8 6
  • Iso27001

Note Metadata

Aliases: A.8.6 Evidence

Source: 04 Audit Evidence Packs/A.8.6 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.