Control Stack
Annex A 8.6 ISO/IEC 27001:2022

Capacity Management for Resource Use

Ensure resources are monitored and adjusted to meet current and future needs to prevent system slowdowns or failures.

🏛️ Framework

ISO/IEC 27001:2022

🧭 Control effect

Preventative

🧱 ISO 27001 domain

Organisational controls

🔐 Classifications

N/A

🗓️ Official last update

24 Oct 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 Maturity levels

N/A

Official control statement
The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

Source: ISO/IEC 27001:2022

Plain language

Capacity management is about keeping an eye on all the resources you use, like your computers and internet, to make sure they can handle how busy your business might get. If this isn't done, your systems could slow down or even crash, leading to loss of productivity and frustrated customers.

Why it matters

Poor capacity management can lead to critical system slowdowns or failures during peak times, disrupting operations and damaging customer trust.

Operational notes

Implement capacity monitoring and trend reporting to forecast demand spikes and scale compute, storage and network resources before bottlenecks occur.

Implementation tips

  • IT Manager should regularly review the current capacity of IT resources, such as servers and bandwidth, to ensure they can meet business demands. They can do this by tracking system usage and performance trends using simple tools or dashboards, making adjustments before there are problems, such as obtaining additional infrastructure if needed, as suggested by ISO 27002:2022.
  • Operations Manager should identify future capacity needs based on planned business changes or expected growth. This means talking to stakeholders about future projects or marketing initiatives and creating a forecast of resource needs. Consider what needs might arise from these changes, focusing especially on resources that take time to set up, like hiring new staff or expanding facility space.
  • Procurement team should be ready to acquire additional resources quickly. They should establish relationships with suppliers who can deliver equipment or services at short notice, and maintain a list of preferred vendors for cloud services to leverage scalability features as highlighted in ISO 27002:2022.
  • HR should plan for human resource capacity changes, such as upcoming retirements or skill requirements. They should keep a skills inventory and succession plans, so when capacity becomes tight, necessary personnel are already lined up or trained.
  • Resource Managers should create and maintain a documented capacity management plan for critical systems. This should outline strategies for both scalability and reducing resource demand, such as cloud resource scaling or data archiving, to ensure essential systems continue to operate effectively under varying loads.
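The trend reporting described in the operational notes and in the IT Manager tip above, as an added example that is not code from the Control Stack page or from ISO/IEC 27002: a least-squares line fitted to constructed daily utilisation samples estimates how many days remain before a resource crosses its warning threshold, so it can be scaled inside the procurement lead time rather than after a slowdown. The resource names, capacities, threshold and lead time are assumed values.

```python
# Added example (not from the Control Stack page or ISO/IEC 27002): a simple
# capacity trend forecast. A least-squares line is fitted to daily utilisation
# samples and used to estimate when a resource will cross its warning threshold,
# so it can be scaled inside the procurement lead time rather than after an outage.
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Forecast:
    resource: str
    slope_per_day: float                # fitted growth per day, in the resource's units
    days_to_threshold: Optional[float]  # None when utilisation is flat or falling
    action_needed: bool                 # True if the threshold is hit within the lead time


def linear_trend(samples: Sequence[float]) -> tuple[float, float]:
    """Ordinary least-squares fit y = intercept + slope * x for x = 0..n-1."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(samples))
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def forecast(resource: str, samples: Sequence[float], capacity: float,
             threshold_pct: float = 80.0, lead_time_days: int = 30) -> Forecast:
    """Estimate days until `samples` (one per day) reach threshold_pct of capacity."""
    intercept, slope = linear_trend(samples)
    limit = capacity * threshold_pct / 100
    projected_now = intercept + slope * (len(samples) - 1)  # trend value today
    if samples[-1] >= limit:
        days: Optional[float] = 0.0          # already past the threshold
    elif slope <= 0:
        days = None                           # not growing: no crossing predicted
    else:
        days = max(0.0, (limit - projected_now) / slope)
    action = days is not None and days <= lead_time_days
    return Forecast(resource, slope, days, action)


# Constructed sample data: eight daily readings per resource (not real measurements).
STORAGE_GB = [600, 610, 620, 630, 640, 650, 660, 670]   # steady 10 GB/day growth
LINK_MBPS = [40, 41, 40, 39, 40, 41, 40, 39]            # flat utilisation

if __name__ == "__main__":
    for f in (forecast("storage", STORAGE_GB, capacity=1000),
              forecast("wan-link", LINK_MBPS, capacity=100)):
        print(f)
```

With the constructed data the storage volume is projected to reach 80% of its 1000 GB capacity in 13 days, inside the 30-day lead time, while the flat link utilisation raises no action.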

Audit / evidence tips

  • Ask: Capacity management plans and resource usage reports.

    Good: Plans include clear strategies for monitoring and adjusting capacity to meet both current and anticipated demands.

  • Ask: Records of system stress testing results and follow-up actions.

    Good: Test results identify any shortcomings and show concrete steps taken to address them to ensure system reliability during peak times.

  • Ask: Procurement records for recent acquisitions of IT infrastructure.

    Good: Records show proactive acquisitions matching the capacity plan timelines, preventing last-minute scrambles.

  • Ask: Personnel records and training logs.

    Good: Records indicate staff levels and skills are managed in line with capacity needs, with regular updates and training plans.

  • Ask: Employee surveys or feedback regarding system performance.

    Good: Feedback shows either no issues or identified issues are addressed promptly with documented action plans.

Cross-framework mappings

How Annex A 8.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ASD ISM

Control   Notes
Partially meets (2)
ISM-2090 ISM-2090 requires rate limiting to be applied to AI model inference queries to prevent overuse and manage service availability
ISM-2091 ISM-2091 requires organisations to enforce resource limits specifically for artificial intelligence models to prevent excessive consumption
Partially overlaps (3)
ISM-1431 ISM-1431 requires discussions with cloud service providers about DoS resilience, including capacity to withstand attacks and thresholds t...
ISM-1579 ISM-1579 requires organisations to discuss and verify that a cloud service provider can dynamically scale resources to handle genuine dem...
ISM-1581 ISM-1581 requires continuous real-time monitoring of the capacity and availability of online services to ensure they can handle traffic a...
Supports (2)
ISM-0120 Annex A 8.6 requires monitoring of resource use and subsequent adjustment to prevent performance degradation or outages
ISM-0518 ISM-0518 requires comprehensive network documentation to support network management activities
