Monitor Capacity and Availability of Online Services
Organisations monitor online services to ensure they can handle traffic and remain available at all times.
Plain language
This control is about making sure that your online services, like your website or email, are always available and can handle all the traffic they get. If you don't keep an eye on these services, they might crash when too many people use them at once, causing you to lose customers or business opportunity.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
May 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networkingOfficial control statement
Continuous real-time monitoring of the capacity and availability of online services is performed.
Why it matters
Without real-time monitoring, capacity/availability issues may go undetected during spikes, causing outages, revenue loss and customer dissatisfaction.
Operational notes
Set alert thresholds for traffic surges and key availability metrics; review dashboards and perform regular capacity checks to keep services online and respond quickly.
Implementation tips
- IT team should use online monitoring tools: Set up software tools that keep track of your website and online services to see how much they're being used and if they're slow or having issues. These tools can alert you if something goes wrong, so you can fix it before it impacts your customers.
- Service manager should review alert policies: Work with your IT team to decide what kinds of problems should trigger an alert. Determine the threshold for acceptable performance and set alerts to notify you if performance drops below this level.
- Operations team should regularly check reports: Have a dedicated staff member look at the reports generated by your monitoring tools to spot any patterns or issues that need attention. This involves setting aside time each week to review the system's health and address any small problems before they become big ones.
- Business owners should set up response plans: Get together with your team to come up with a plan for what to do if your service suddenly goes down or slows significantly. Make sure everyone knows their role in getting things back up and running quickly.
- IT team should test the handling of large traffic: Periodically run tests that simulate a large number of users to ensure your systems can cope. This testing helps identify potential problems and gives you a chance to fine-tune your systems before real users are affected.
Audit / evidence tips
-
Askthe monitoring tool dashboard access: Request access to the live dashboard of the monitoring tools being used
Goodsign is if the dashboard shows active monitoring with historical data trends for at least the past three months
-
Askthe alert configuration documentation: Request the document or setting logs that detail how alerts are configured. Look to ensure that there are alerts set for both capacity and performance issues
Goodwould be detailed configurations with clear thresholds and contact details for notifications
-
Askthe report on system performance: Request regular summary reports that show how well the system has been performing
Goodwould include consistent monthly reports showing positive performance or noted improvements
-
Askthe incident response plan document: Request the documented plans that outline steps to be taken if systems fail. Look to see if roles and responsibilities are clearly defined and if there's a contact list readily available
Goodincludes a clearly written plan with realistic steps and roles assigned
-
Askrecords of recent capacity tests: Request documentation or reports on recent tests conducted to check system capacity under high usage
Goodshows tests conducted in the last six months with actionable follow-up on any issues encountered
Cross-framework mappings
How ISM-1581 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (2) expand_less | ||
| Annex A 8.6 | ISM-1581 requires continuous real-time monitoring of the capacity and availability of online services to ensure they can handle traffic a... | |
| Annex A 8.21 | Annex A 8.21 requires security mechanisms, service levels and service requirements for network services to be identified, implemented and... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.