Capacity Management for Resource Use
Ensure resources are monitored and adjusted to meet current and future needs to prevent system slowdowns or failures.
Plain language
Capacity management is about keeping an eye on all the resources you use, like your computers and internet, to make sure they can handle how busy your business might get. If this isn't done, your systems could slow down or even crash, leading to loss of productivity and frustrated customers.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
12 Apr 2026
Maturity levels
N/A
Official control statement
The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.
Why it matters
Poor capacity management can lead to critical system slowdowns or failures during peak times, disrupting operations and damaging customer trust.
Operational notes
Implement capacity monitoring and trend reporting to forecast demand spikes and scale compute, storage and network resources before bottlenecks occur.
Implementation tips
- IT Manager should regularly review the current capacity of IT resources, such as servers and bandwidth, to ensure they can meet business demands. They can do this by tracking system usage and performance trends using simple tools or dashboards, making adjustments before there are problems, such as obtaining additional infrastructure if needed, as suggested by ISO 27002:2022.
- Operations Manager should identify future capacity needs based on planned business changes or expected growth. This means talking to stakeholders about future projects or marketing initiatives and creating a forecast of resource needs. Consider what needs might arise from these changes, focusing especially on resources that take time to set up, like hiring new staff or expanding facility space.
- Procurement team should be ready to acquire additional resources quickly. They should establish relationships with suppliers who can deliver equipment or services at short notice, and maintain a list of preferred vendors for cloud services to leverage scalability features as highlighted in ISO 27002:2022.
- HR should plan for human resource capacity changes, such as upcoming retirements or skill requirements. They should keep a skills inventory and succession plans, so when capacity becomes tight, necessary personnel are already lined up or trained.
- Resource Managers should create and maintain a documented capacity management plan for critical systems. This should outline strategies for both scalability and reducing resource demand, such as cloud resource scaling or data archiving, to ensure essential systems continue to operate effectively under varying loads.
Audit / evidence tips
- Ask: Capacity management plans and resource usage reports.
  Good: Plans include clear strategies for monitoring and adjusting capacity to meet both current and anticipated demands.
- Ask: Records of system stress testing results and follow-up actions.
  Good: Test results identify any shortcomings and show concrete steps taken to address them to ensure system reliability during peak times.
- Ask: Procurement records for recent acquisitions of IT infrastructure.
  Good: Records show proactive acquisitions matching the capacity plan timelines, preventing last-minute scrambles.
- Ask: Personnel records and training logs.
  Good: Records indicate staff levels and skills are managed in line with capacity needs, with regular updates and training plans.
- Ask: Employee surveys or feedback regarding system performance.
  Good: Feedback shows either no issues or that identified issues are addressed promptly with documented action plans.
Cross-framework mappings
How Annex A 8.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-2091 | ISM-2091 requires organisations to enforce resource limits specifically for artificial intelligence models to prevent excessive consumption | |
| Partially overlaps (3) | | |
| ISM-1431 | Annex A 8.6 requires resource use to be monitored and adjusted to meet current and forecast capacity requirements to avoid degradation or... | |
| ISM-1579 | Annex A 8.6 requires monitoring of resource use and adjustment in line with current and expected capacity requirements | |
| ISM-1581 | ISM-1581 requires continuous real-time monitoring of the capacity and availability of online services to ensure they can handle traffic a... | |
| Supports (3) | | |
| ISM-0120 | Annex A 8.6 requires monitoring of resource use and subsequent adjustment to prevent performance degradation or outages | |
| ISM-0518 | ISM-0518 requires comprehensive network documentation to support network management activities | |
| ISM-2090 | Annex A 8.6 requires monitoring and adjustment of resource use to prevent performance degradation or failures due to capacity shortfalls | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.