UnixTime

Research Note

ISO 27001 A.8.6 - Capacity Management

The organization should know whether its systems, networks, storage, cloud services, databases, staff, and other resources can support current and future demand. Capacity manage...

On this page

Requirement

Requirement lens

This control asks whether resource use is monitored and adjusted to meet current and expected capacity needs.

“The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.”

Plain-language meaning

The organization should know whether its systems, networks, storage, cloud services, databases, staff, and other resources can support current and future demand. Capacity management protects availability by detecting resource pressure before it becomes an outage or serious performance problem.

Capacity is not only hardware. Human resources, operational support, cloud scaling limits, network bandwidth, storage growth, database performance, and peak business demand all matter.

Why this matters

Insufficient capacity can cause service degradation, outages, failed transactions, missed backups, failed logging, delayed incident response, and poor user experience. Sudden load changes in cloud services and networks can create availability incidents quickly if monitoring and scaling are weak.

Capacity management is also part of risk treatment for availability. It connects to business continuity because systems cannot meet recovery or service expectations if capacity planning is unrealistic.

Implementation guidance

Implementer focus

Monitor current resource use, trend future demand, and plan action before limits are reached.

1. Decide what to monitor

Typical capacity measures include:

Resource Example measure
Compute CPU, memory, container/node utilization
Storage used space, growth rate, IOPS, backup capacity
Network bandwidth, latency, packet loss, gateway utilization
Database sessions, locks, query time, storage, replication lag
Cloud service quotas, autoscaling events, spend limits
People support coverage, on-call load, project/release demand

2. Prioritize critical systems

Critical systems such as network gateways, identity platforms, main databases, customer-facing applications, logging platforms, and backup systems should have documented capacity plans.

3. Trend and forecast demand

Capacity management should use monitoring data, business forecasts, project plans, seasonal patterns, and user input to estimate future needs. The process should be repeatable, not a one-off guess.

4. Manage demand and scaling

Options include tuning, archiving, load balancing, caching, autoscaling, scheduled jobs, quota management, demand smoothing, cloud elasticity, or planned upgrades.

5. Include staff capacity

Security can fail when teams lack enough people at critical times. Staffing levels, on-call coverage, incident load, maintenance windows, and project peaks should be considered for critical services.

Audit guidance

Auditor focus

Test whether the organization monitors capacity, uses trends to forecast needs, and acts before capacity pressure becomes an availability or security issue.

Auditors should ask:

  • What resources are monitored?
  • Which systems are critical?
  • Where are capacity logs and dashboards?
  • What thresholds trigger action?
  • How is demand predicted?
  • How are cloud scaling and quotas managed?
  • How are staff capacity risks handled?
  • What upgrades or tuning actions were planned from trend data?

Auditors should sample monitoring records, capacity reviews, trend reports, incidents caused by resource limits, and upgrade/action plans.

Evidence examples

Evidence quality

Strong evidence proves monitoring exists, trends are reviewed, capacity needs are forecast, and corrective action is taken.

Evidence What it proves
Capacity management plan Process and responsibilities are defined
Monitoring dashboards/reports Resource use is measured
Threshold and alert settings Problems are detected early
Trend and forecast records Future demand is analyzed
Upgrade or tuning plans Monitoring leads to action
Cloud quota/autoscaling records Elastic capacity is controlled
Staff capacity plan Human resource constraints are considered
Incident/problem records Capacity issues are investigated and corrected

Strong evidence

  • Critical systems have capacity plans.
  • Monitoring covers known bottlenecks.
  • Trends are reviewed and used for forecasting.
  • Alerts trigger documented action.
  • Upgrades, tuning, or demand management are based on evidence.
  • Staff capacity is considered for critical operations.

Weak evidence

  • Capacity is reviewed only after outages.
  • Monitoring exists but no one reviews trends.
  • Cloud autoscaling is assumed to solve all capacity problems.
  • No thresholds or action owners exist.
  • Storage growth, database load, or network bottlenecks are not forecast.
  • Staffing constraints are ignored.

Common failures

Implementation watchouts

A.8.6 fails when monitoring exists but does not drive decisions.

Failure Why it matters
No defined monitoring scope Critical bottlenecks are missed
No trend analysis Future limits are not predicted
No threshold/action owner Alerts do not produce corrective action
Cloud quota blind spots Elastic services still hit limits
Staff capacity ignored Security and operations degrade during peaks
No evidence of tuning/upgrades Capacity process becomes cosmetic

Exam traps

Exam focus

Capacity management is an availability control, but it also supports security operations and continuity.

Trap Correct interpretation
Capacity means only disk space It includes compute, storage, network, cloud limits, databases, and people
Cloud removes capacity management Cloud still needs quota, cost, scaling, and performance management
Monitoring alone is enough Monitoring must drive trend analysis and action
Capacity is only an IT operations topic It affects availability, continuity, logging, incident response, and security services
Staff planning is unrelated Inadequate staff at critical times can compromise security

KB-ready summary

Mentor takeaway

A.8.6 prevents avoidable availability failures by monitoring capacity, forecasting demand, and acting before resource pressure becomes an incident.

  • Define what capacity indicators matter for critical systems.
  • Monitor resource use and set thresholds.
  • Trend capacity and forecast future demand.
  • Plan tuning, scaling, upgrades, or demand management.
  • Include staff capacity for critical operations.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Capacity management
  • Availability
  • Audit

Note Metadata

Aliases: A.8.6, Capacity Management

Source: 05 Annex A Technological Controls/A.8.6 Capacity Management.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.