Requirement
Requirement lens
This control asks whether resource use is monitored and adjusted to meet current and expected capacity needs.
“The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.”
Plain-language meaning
The organization should know whether its systems, networks, storage, cloud services, databases, staff, and other resources can support current and future demand. Capacity management protects availability by detecting resource pressure before it becomes an outage or serious performance problem.
Capacity is not only hardware. Human resources, operational support, cloud scaling limits, network bandwidth, storage growth, database performance, and peak business demand all matter.
Why this matters
Insufficient capacity can cause service degradation, outages, failed transactions, missed backups, failed logging, delayed incident response, and poor user experience. Sudden load changes in cloud services and networks can create availability incidents quickly if monitoring and scaling are weak.
Capacity management is also part of risk treatment for availability. It connects to business continuity because systems cannot meet recovery or service expectations if capacity planning is unrealistic.
Implementation guidance
Implementer focus
Monitor current resource use, trend future demand, and plan action before limits are reached.
1. Decide what to monitor
Typical capacity measures include:
| Resource | Example measure |
|---|---|
| Compute | CPU, memory, container/node utilization |
| Storage | used space, growth rate, IOPS, backup capacity |
| Network | bandwidth, latency, packet loss, gateway utilization |
| Database | sessions, locks, query time, storage, replication lag |
| Cloud | service quotas, autoscaling events, spend limits |
| People | support coverage, on-call load, project/release demand |
2. Prioritize critical systems
Critical systems such as network gateways, identity platforms, main databases, customer-facing applications, logging platforms, and backup systems should have documented capacity plans.
3. Trend and forecast demand
Capacity management should use monitoring data, business forecasts, project plans, seasonal patterns, and user input to estimate future needs. The process should be repeatable, not a one-off guess.
4. Manage demand and scaling
Options include tuning, archiving, load balancing, caching, autoscaling, scheduled jobs, quota management, demand smoothing, cloud elasticity, or planned upgrades.
5. Include staff capacity
Security can fail when teams lack enough people at critical times. Staffing levels, on-call coverage, incident load, maintenance windows, and project peaks should be considered for critical services.
Audit guidance
Auditor focus
Test whether the organization monitors capacity, uses trends to forecast needs, and acts before capacity pressure becomes an availability or security issue.
Auditors should ask:
- What resources are monitored?
- Which systems are critical?
- Where are capacity logs and dashboards?
- What thresholds trigger action?
- How is demand predicted?
- How are cloud scaling and quotas managed?
- How are staff capacity risks handled?
- What upgrades or tuning actions were planned from trend data?
Auditors should sample monitoring records, capacity reviews, trend reports, incidents caused by resource limits, and upgrade/action plans.
Evidence examples
Evidence quality
Strong evidence proves monitoring exists, trends are reviewed, capacity needs are forecast, and corrective action is taken.
| Evidence | What it proves |
|---|---|
| Capacity management plan | Process and responsibilities are defined |
| Monitoring dashboards/reports | Resource use is measured |
| Threshold and alert settings | Problems are detected early |
| Trend and forecast records | Future demand is analyzed |
| Upgrade or tuning plans | Monitoring leads to action |
| Cloud quota/autoscaling records | Elastic capacity is controlled |
| Staff capacity plan | Human resource constraints are considered |
| Incident/problem records | Capacity issues are investigated and corrected |
Strong evidence
- Critical systems have capacity plans.
- Monitoring covers known bottlenecks.
- Trends are reviewed and used for forecasting.
- Alerts trigger documented action.
- Upgrades, tuning, or demand management are based on evidence.
- Staff capacity is considered for critical operations.
Weak evidence
- Capacity is reviewed only after outages.
- Monitoring exists but no one reviews trends.
- Cloud autoscaling is assumed to solve all capacity problems.
- No thresholds or action owners exist.
- Storage growth, database load, or network bottlenecks are not forecast.
- Staffing constraints are ignored.
Common failures
Implementation watchouts
A.8.6 fails when monitoring exists but does not drive decisions.
| Failure | Why it matters |
|---|---|
| No defined monitoring scope | Critical bottlenecks are missed |
| No trend analysis | Future limits are not predicted |
| No threshold/action owner | Alerts do not produce corrective action |
| Cloud quota blind spots | Elastic services still hit limits |
| Staff capacity ignored | Security and operations degrade during peaks |
| No evidence of tuning/upgrades | Capacity process becomes cosmetic |
Exam traps
Exam focus
Capacity management is an availability control, but it also supports security operations and continuity.
| Trap | Correct interpretation |
|---|---|
| Capacity means only disk space | It includes compute, storage, network, cloud limits, databases, and people |
| Cloud removes capacity management | Cloud still needs quota, cost, scaling, and performance management |
| Monitoring alone is enough | Monitoring must drive trend analysis and action |
| Capacity is only an IT operations topic | It affects availability, continuity, logging, incident response, and security services |
| Staff planning is unrelated | Inadequate staff at critical times can compromise security |
Related controls and concepts
- A.8 Technological Controls MOC
- A.7.11 Supporting Utilities
- A.5.30 ICT Readiness for Business Continuity
- A.5.29 Information Security During Disruption
- Risk Assessment
- Statement of Applicability
- Management Review
- Capacity Management Plan
- Capacity Monitoring and Forecast Register
- Critical System Capacity Review Checklist
- A.8.6 Audit Evidence Pack
- A.8.6 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.6 prevents avoidable availability failures by monitoring capacity, forecasting demand, and acting before resource pressure becomes an incident.
- Define what capacity indicators matter for critical systems.
- Monitor resource use and set thresholds.
- Trend capacity and forecast future demand.
- Plan tuning, scaling, upgrades, or demand management.
- Include staff capacity for critical operations.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Capacity management
- Availability
- Audit
Note Metadata
Aliases: A.8.6, Capacity Management
Source: 05 Annex A Technological Controls/A.8.6 Capacity Management.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Management Review
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.29 - Information Security During Disruption
- ISO 27001 A.5.30 - ICT Readiness for Business Continuity
- ISO 27001 A.7.11 - Supporting Utilities
- A.8.6 Audit Evidence Pack
- ISO 27001 A.8.13 - Information Backup
- ISO 27001 A.8.14 - Redundancy of Information Processing Facilities
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.6 Capacity Management
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-028 - Source Code, Authentication, and Capacity
- ISO 27002 Annex A Control Interpretation Map
- A.8.6 Audit Checklist
- Availability Requirement Mapping
- Capacity Management Plan
- Capacity Monitoring and Forecast Register
- Critical System Capacity Review Checklist
- Annex A Controls MOC