Annex A · Technological Control

A.8.6 — Capacity Management

4 min read · Reviewed by: Cenedril Editorial
A.8.6 · ISO 27001 · ISO 27002 · BSI OPS.1.1.1

Friday afternoon, the database server runs out of disk space. Logging stops, transactions fail, and the application returns errors to every user. The monitoring dashboard showed the trend for weeks — disk usage growing 2% per day — but nobody was watching. A.8.6 requires organizations to monitor, forecast and manage the capacity of their resources before shortages cause incidents.

Capacity management is a preventive and detective control. It covers IT infrastructure (CPU, memory, storage, bandwidth), human resources and physical facilities. The goal: ensure that resources meet current and projected demand.

What does the standard require?

  • Monitor current usage. Track resource utilization for all critical systems — CPU, memory, storage, network bandwidth, licence counts.
  • Forecast future demand. Analyse usage trends and plan for growth, seasonal peaks and new projects.
  • Define thresholds and alerts. Set warning thresholds (e.g., 80% disk usage) that trigger alerts before resource exhaustion occurs.
  • Plan capacity expansions. For resources with long lead times (hardware procurement, facility expansion, hiring), start planning early.
  • Reduce demand where possible. Decommission unused systems, archive old data and optimize inefficient processes.

In practice

Set up monitoring dashboards. Use tools like Prometheus/Grafana, Datadog, Zabbix or cloud-native monitoring (CloudWatch, Azure Monitor) to track resource utilization in real time. Create dashboards for each critical system showing current usage and trends.

Define alert thresholds. Warning at 80%, critical at 90% for storage. Set similar thresholds for sustained CPU, memory and licence utilization. Alerts feed into your incident management process.

Conduct quarterly capacity reviews. Once per quarter, review usage trends across all critical systems. Identify systems approaching thresholds, estimate time to exhaustion and plan corrective actions. Document the review results.

Plan for peak loads. If your business has seasonal patterns (year-end closing, Black Friday, enrollment periods), model peak demand and verify that capacity is sufficient. Load testing validates the model.
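The review procedure above (current utilization against the warning and critical thresholds, trend fit, time to exhaustion, corrective action due before the next review) as an added example that is not from this page or from Cenedril. It assumes constructed daily disk samples growing at roughly the 2% per day mentioned above, the 80%/90% thresholds from this section, and a 90-day interval between quarterly reviews.

```python
# Added example, not Cenedril's code. Thresholds and the 2 %/day growth
# rate come from the page; the samples and the 90-day horizon are assumed.

WARNING_PCT = 80.0
CRITICAL_PCT = 90.0
REVIEW_HORIZON_DAYS = 90  # assumption: one quarter between capacity reviews

# Constructed sample: 14 daily readings of a volume growing ~2 % per day,
# with a little measurement noise. (day index, utilization in percent)
DISK_SAMPLES = [
    (d, 50.0 + 2.0 * d + noise)
    for d, noise in enumerate([0.0, 0.4, -0.3, 0.2, -0.5, 0.1, 0.3,
                               -0.2, 0.0, 0.5, -0.4, 0.2, -0.1, 0.0])
]

def fit_trend(samples):
    """Least-squares line through (day, percent) points -> (slope per day, intercept)."""
    n = len(samples)
    mean_x = sum(x for x, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in samples)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in samples)
    slope = sxy / sxx if sxx else 0.0
    return slope, mean_y - slope * mean_x

def days_until(level, slope, intercept, today):
    """Days from `today` until the trend line reaches `level`; None if usage is not growing."""
    if slope <= 0:
        return None
    return max(0.0, (level - (intercept + slope * today)) / slope)

def review(samples, warning=WARNING_PCT, critical=CRITICAL_PCT,
           horizon=REVIEW_HORIZON_DAYS):
    """One capacity-review entry: current state, trend and time to exhaustion."""
    slope, intercept = fit_trend(samples)
    today, current = samples[-1]
    status = ("critical" if current >= critical
              else "warning" if current >= warning else "ok")
    to_full = days_until(100.0, slope, intercept, today)
    return {
        "current_pct": current,
        "growth_pct_per_day": slope,
        "status": status,
        "days_to_warning": days_until(warning, slope, intercept, today),
        "days_to_critical": days_until(critical, slope, intercept, today),
        "days_to_full": to_full,
        # exhaustion before the next review means a corrective action is due now
        "action_before_next_review": to_full is not None and to_full <= horizon,
    }

print(review(DISK_SAMPLES))
```

For the constructed samples the volume sits at 76% and reaches 90% in about a week, so the review flags it for action even though no alert has fired yet.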

Typical audit evidence

Auditors typically expect the following evidence for A.8.6:

  • Monitoring dashboard — screenshots or live access showing resource utilization (see IT Operations Policy in the Starter Kit)
  • Alert configuration — documented thresholds and escalation paths
  • Capacity review records — quarterly review documentation with forecasts and actions
  • Capacity plan — documented plan for resource expansions or optimizations
  • Incident records — evidence that capacity-related incidents were addressed

KPI

Percentage of critical systems with monitored capacity and defined thresholds

Measured as a percentage: how many of your critical systems have active monitoring with defined warning thresholds? Target: 100%.

Supplementary KPIs:

  • Number of capacity-related outages per quarter (target: zero)
  • Mean time between threshold alert and corrective action
  • Percentage of capacity forecasts that proved accurate within 10%

BSI IT-Grundschutz

A.8.6 maps to BSI modules for IT operations and monitoring:

  • OPS.1.1.1 (General IT Operations) — requires monitoring of system resources, capacity planning and documented thresholds.
  • SYS.1.1 (General Server) — server-specific capacity monitoring requirements.
  • NET.1.1/NET.1.2 (Network Architecture, Network Management) — capacity monitoring for network infrastructure.

Frequently asked questions

Does A.8.6 only cover IT systems?

No. The control explicitly covers information processing facilities, human resources, offices and other facilities. If your security team is understaffed, that is a capacity issue under A.8.6.

How does capacity management relate to availability?

Running out of disk space, memory or network bandwidth causes outages. Capacity management is a preventive measure that ensures availability by detecting resource exhaustion before it causes downtime.

Is auto-scaling in the cloud sufficient for A.8.6?

Auto-scaling addresses the reactive side, but A.8.6 also requires forecasting and planning. You still need to monitor trends, define thresholds and plan for scenarios where auto-scaling alone is insufficient (e.g., budget limits, vendor quotas).