AuditFront

ISO 27001 A.8.6: Capacity management

What This Control Requires

The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

In Plain Language

Nothing kills availability quite like a server running out of disk space at 2 AM on a Saturday. Capacity management is about making sure your systems have enough resources - CPU, memory, storage, bandwidth - to handle current workloads and anticipated growth without falling over.

This covers both the proactive side (planning ahead based on growth projections) and the reactive side (monitoring in real time so you catch problems before users do). Both are equally important.

Capacity issues are one of the most common and most preventable causes of outages. Systems that hit resource limits can crash, corrupt data, or simply stop responding. Auditors will want to see that you are actively monitoring and planning, not just reacting to fires.

How to Implement

Set up comprehensive monitoring for all critical infrastructure. Track CPU, memory, disk space, network bandwidth, database connections, and application-specific metrics. Use tools that give you real-time dashboards, historical trends, and automated alerts when things get tight.

Define clear thresholds. A common starting point is a warning alert at around 70% utilisation and a critical alert at 85%, but tune them per resource: what a threshold has to buy you is enough time to act before exhaustion, so a volume that grows 10% a day needs a lower warning line than one that grows 1% a month. Route notifications to the team that can actually act on them, and set up automatic escalation if a critical alert goes unacknowledged within a defined window.

Build a capacity planning process. Review trends monthly or quarterly to spot resources approaching limits. Project future needs based on business growth, new projects, and historical patterns. Budget for upgrades before you are in crisis mode.

For cloud environments, configure auto-scaling. Set up scaling groups that add or remove compute resources based on demand, with sensible minimum and maximum limits; the maximum doubles as a spending cap, so pair it with budget alerts. Monitor scaling events and costs carefully - unbounded auto-scaling can blow through budgets fast without delivering proportional value. Auto-scaling mainly solves compute elasticity; stateful resources such as disks and database instances usually still need the explicit planning described here.

Pay special attention to storage. Monitor file system and database growth rates, including log volumes, which are a frequent cause of full disks. Implement data lifecycle management to archive or purge data that is no longer actively needed. Set quotas where appropriate. Plan storage expansion ahead of need, and make sure backup storage grows alongside your data.

Keep records of everything. Document capacity reviews, planning decisions, and upgrades. Maintain an updated capacity forecast and include capacity status in your regular operational reporting to management.
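The steps above amount to a small loop: sample utilisation, compare it to thresholds, project when the trend crosses the critical line, and escalate alerts nobody acknowledges. The following Python script is an added example of that loop written for this page; it is not AuditFront tooling or part of the ISO standard. The 70%/85% thresholds follow the text above, while the 30-minute escalation window, the 100 GB volume and its daily samples are constructed assumptions.

```python
"""Threshold alerting, growth projection and alert escalation over constructed
disk-usage samples. Added example for this page, not AuditFront tooling. The
70%/85% thresholds follow the page; the escalation window and sample data are
assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WARNING_PCT = 70.0      # warning threshold from the text; tune per resource
CRITICAL_PCT = 85.0     # critical threshold from the text
ESCALATION_WINDOW = timedelta(minutes=30)  # assumed unacknowledged window


@dataclass(frozen=True)
class Sample:
    ts: datetime
    used_gb: float
    capacity_gb: float


def utilisation_pct(s: Sample) -> float:
    return 100.0 * s.used_gb / s.capacity_gb


def classify(pct: float) -> str:
    """Map a utilisation percentage to an alert state."""
    if pct >= CRITICAL_PCT:
        return "critical"
    if pct >= WARNING_PCT:
        return "warning"
    return "ok"


def growth_gb_per_day(samples: list) -> float:
    """Least-squares slope of used_gb against time, in GB/day."""
    t0 = samples[0].ts
    xs = [(s.ts - t0).total_seconds() / 86400.0 for s in samples]
    ys = [s.used_gb for s in samples]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0.0:
        return 0.0  # a single sample (or identical timestamps) gives no trend
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx


def days_until(samples: list, threshold_pct: float) -> Optional[float]:
    """Days until used_gb crosses threshold_pct at the observed growth rate.
    None means usage is flat or shrinking; 0.0 means already over the line."""
    latest = samples[-1]
    slope = growth_gb_per_day(samples)
    target_gb = threshold_pct / 100.0 * latest.capacity_gb
    if latest.used_gb >= target_gb:
        return 0.0
    if slope <= 0.0:
        return None
    return (target_gb - latest.used_gb) / slope


def evaluate(samples: list) -> dict:
    """One capacity-review record for a resource: current state plus projections."""
    pct = utilisation_pct(samples[-1])
    return {
        "utilisation_pct": pct,
        "state": classify(pct),
        "growth_gb_per_day": growth_gb_per_day(samples),
        "days_to_critical": days_until(samples, CRITICAL_PCT),
        "days_to_full": days_until(samples, 100.0),
    }


def escalation_due(raised_at: datetime, acknowledged_at: Optional[datetime],
                   now: datetime, window: timedelta = ESCALATION_WINDOW) -> bool:
    """True when a critical alert has sat unacknowledged for the whole window."""
    return acknowledged_at is None and now - raised_at >= window


# Constructed data: a 100 GB volume sampled daily, growing 2 GB/day for 14 days.
START = datetime(2024, 1, 1)
SAMPLES = [Sample(START + timedelta(days=i), 40.0 + 2.0 * i, 100.0) for i in range(14)]

if __name__ == "__main__":
    report = evaluate(SAMPLES)
    print(f"utilisation {report['utilisation_pct']:.1f}% ({report['state']}), "
          f"growth {report['growth_gb_per_day']:.2f} GB/day, "
          f"critical in {report['days_to_critical']:.1f} days, "
          f"full in {report['days_to_full']:.1f} days")
    raised = datetime(2024, 1, 20, 2, 0)
    print("escalate:", escalation_due(raised, None, raised + timedelta(minutes=45)))
```

The constructed volume sits at 66%, so the static thresholds report "ok", yet the trend puts it over the critical line in under ten days and full in seventeen. That gap is why the review records an auditor asks for should carry projections alongside current utilisation, not just the alert state.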

Evidence Your Auditor Will Request

  • Infrastructure monitoring dashboards showing resource utilisation
  • Capacity threshold definitions and alerting configuration
  • Capacity planning documents with growth projections
  • Records of capacity reviews and actions taken
  • Auto-scaling configurations for cloud environments

Common Mistakes

  • No monitoring of critical resource utilisation, leading to unexpected outages
  • Capacity alerts are configured but not responded to in a timely manner
  • No capacity planning process resulting in reactive upgrades only
  • Storage capacity is not monitored and systems run out of disk space
  • Cloud costs spiral due to uncontrolled auto-scaling without spending limits

Related Controls Across Frameworks

Framework   Control ID      Relationship
SOC 2       A1.1            Related
NIS2        Art.21(2)(c)    Partial overlap

Frequently Asked Questions

How far ahead should capacity planning look?
It depends on your infrastructure model. For traditional on-premises kit with long procurement lead times, plan 12-24 months out. For cloud environments where you can spin up resources in minutes, 3-6 months is usually sufficient. Either way, align your capacity planning with business growth projections and upcoming project timelines. Review and update quarterly.
What is the relationship between capacity management and availability?
They are directly linked. When systems run out of disk space, memory, CPU, or bandwidth, they slow down, stop responding, or crash outright. Capacity management is really availability insurance - you are preventing one of the most common and most avoidable causes of downtime. Auditors know this, which is why they check whether you have proper monitoring and planning in place.
