Ensure Cloud Resource Scalability for Demand Spikes
Cloud providers check if they can quickly increase resources to handle sudden increases in demand.
Plain language
This control ensures that cloud services can quickly add more computing power if many people try to access your online services at once. It's crucial because if your cloud provider can't handle sudden traffic spikes, your services can slow down or crash, leading to frustrated customers and lost business.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Official control statement
Cloud service providers' ability to dynamically scale resources in response to a genuine spike in demand is discussed and verified as part of capacity and availability planning for online services.
Why it matters
Without dynamic cloud scaling, sudden traffic spikes can lead to service outages, frustrating users and disrupting business operations.
Operational notes
Regularly test and document auto-scaling behaviour, verifying scale-out triggers and time-to-capacity meet peak demand and availability plans.
Implementation tips
- The IT team should evaluate their cloud provider's ability to scale resources quickly. They can do this by holding meetings with the provider to understand their scaling capabilities and ensure they have clear, documented procedures for handling increased demand.
- Business managers should forecast potential demand spikes, such as during sales or peak seasons, and communicate this to the IT team. This can be done by analysing sales trends and expected customer behaviour and sharing these insights with the cloud provider.
- System owners should set up regular performance testing to simulate demand spikes. This involves running tests that mimic high user traffic and checking how well the cloud service scales, documenting any issues to address with the provider.
- Procurement officers should ensure that contracts with cloud providers include agreements on resource scalability. This can be achieved by reviewing service level agreements to confirm they cover rapid scaling requirements and clarifying any terms with the provider.
- IT support should monitor cloud resource usage during periods of increased demand. By using cloud monitoring tools to track performance in real-time, they can quickly identify any issues and coordinate with the provider to resolve them.
Audit / evidence tips
- Ask: performance test results: Request reports from simulated demand spike tests conducted by the IT team
  Good: Detailed test results showing how resources scaled and any corrective actions taken
- Ask: service level agreements (SLAs): Request the agreements with cloud providers specifying scalability terms
  Good: SLAs explicitly stating rapid scalability with clear steps for resource allocation
- Ask: to see demand forecasts: Request documentation of expected demand increases shared with IT
  Good: Forecasts based on thorough analysis aligning with business cycles and communicated to IT
- Ask: monitoring records: Request access to logs from resource monitoring tools during high-demand periods
  Good: Logs showing responsive scaling without significant delays or downtime
- Ask: issue resolution records: Request documentation on how scalability issues were managed
  Good: Documented processes showing prompt issue identification and resolution, maintaining service continuity
Cross-framework mappings
How ISM-1579 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially overlaps (2)

| Control | Notes |
|---|---|
| Annex A 8.6 | Annex A 8.6 requires monitoring of resource use and adjustment in line with current and expected capacity requirements |
| Annex A 8.21 | Annex A 8.21 focuses on defining and meeting security mechanisms and service levels for network services, including reliability and perfo... |

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.