Capacity Management

ISO 27001:2022 control A.8.6 is a technological control requiring organizations to monitor their IT resource utilization and adjust it according to current and expected capacity requirements. It ensures sufficient resources are available to support business operations without interruption.

Auditors expect to see ISO 27001 capacity management audit evidence such as an approved capacity management policy, screenshots of resource utilization monitoring dashboards, and alert configurations. They may also request tickets showing how the organization scaled resources in response to capacity alerts. Tools like WatchDog Security's Compliance Center can help organize this evidence by control, preserve historical snapshots, and flag missing items before an audit.

A compliant capacity management plan template ISO 27001 should outline the scope of monitored resources, defined thresholds for alerts, and responsibilities for forecasting demand. It must also include procedures for adjusting infrastructure, such as documented rules for scaling environments up or down.

Comprehensive resource utilization monitoring for ISO 27001 involves tracking CPU load, available memory, disk storage space, and network bandwidth utilization. Organizations should also monitor application-specific limits, such as database connections or API rate limits, to prevent bottlenecks.

The frequency of how often to review capacity management depends on the organization's growth rate and risk profile, but it is typically done monthly or quarterly. Regular reporting ensures that long-term capacity planning aligns with upcoming business initiatives and historical usage trends.

Capacity monitoring thresholds and alerting should be set to trigger before resources are completely exhausted, such as a warning at 80% and a critical alert at 90% utilization. This provides the IT team with sufficient time to provision new resources or investigate anomalies before an outage occurs.

Effective capacity management ensures that systems have the resources necessary to remain available during peak loads or unexpected traffic spikes. By anticipating demand and adjusting capacity proactively, organizations fulfill their availability commitments and support broader business continuity goals.

Yes, cloud auto scaling ISO 27001 capacity management directly satisfies the requirement to adjust resources dynamically. Organizations must document the auto-scaling rules, thresholds, and limits in their capacity management procedure example to demonstrate control over the process.

Capacity management focuses on ensuring sufficient quantity of resources are available to meet demand, while performance monitoring evaluates the speed and efficiency of those resources. However, the two are closely related, as tracking capacity planning metrics CPU memory disk network is essential for diagnosing performance degradation.

Organizations should use change management tickets to document any manual adjustments to capacity, including the justification and necessary approvals. Broader capacity risks should be recorded in the risk register, ensuring that long-term upgrades are planned and approved by management.

Capacity management evidence is easiest to maintain when monitoring outputs, alert rules, and scaling actions are captured consistently over time. Tools like WatchDog Security's Compliance Center can help map evidence (dashboards, alerts, change records) to A.8.6, track gaps, and keep an audit-ready timeline without relying on ad hoc screenshots.

Capacity issues often start as recurring alerts and end as availability risks that require funding or architectural change. WatchDog Security's Risk Register can help document capacity-related risks, define treatment plans (e.g., autoscaling, reserved capacity, load testing), assign owners, and show approvals and progress during management review.