ISO 27001:2022 Annex A 8.6 Capacity management

ISO 27001 Annex A 8.6 Capacity Management

In this guide, I will show you exactly how to implement ISO 27001 Annex A 8.6 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.6 requires organizations to monitor and adjust the use of resources to ensure they meet current and future capacity requirements. Often mistaken for a simple “IT performance” task, this control is actually about Availability, ensuring your systems don’t crash because they ran out of disk space, memory, or even human staff. It moves the organization from being reactive (“The system is down!”) to being proactive (“We need to upgrade in three months”).

Core requirements for compliance include:

  • Identify Critical Resources: You must define what “capacity” means for your business. This typically includes technical resources (CPU, disk space, bandwidth), human resources (staff levels), and physical facilities (office space, power).
  • Monitoring & Thresholds: You shouldn’t wait for a failure. You must implement tools to monitor usage and set “triggers” or alerts (e.g., an alert when a database is 80% full).
  • Trend Analysis: Compliance requires looking forward. You should analyze usage patterns to predict when you will run out of resources, allowing time for procurement and implementation.
  • Tuning and Adjustment: When a threshold is hit, you must have a plan to respond, whether that’s deleting old data, auto-scaling in the cloud, or hiring additional contractors.

Audit Focus: Auditors will look for “The Alerting Trail”:

  1. Proof of Monitoring: “Show me the dashboard where you track server CPU or cloud storage usage.”
  2. The Trigger: “Show me an example of an alert that fired recently. How did you respond to it?”
  3. Future Planning: “Show me your last capacity review meeting notes or report. How are you planning for growth next year?”

Capacity Monitoring Strategy (Reactive vs. Proactive):

Resource      | Reactive (Audit Fail)                                   | Proactive (Audit Pass)
------------- | ------------------------------------------------------- | ------------------------------------------------------------
Disk Space    | “The server crashed because the disk is full.”          | “Alerts notify us when the disk reaches 80% capacity.”
Cloud Hosting | “Why is our AWS bill so high this month?”               | “Auto-scaling limits and cost alerts are configured.”
Staffing      | “Everyone is burnt out and making mistakes.”            | “Utilisation reports show we need a new hire next quarter.”
Bandwidth     | “The internet is lagging during Zoom calls.”            | “Traffic shaping prioritizes video calls over large downloads.”

What is ISO 27001 Annex A 8.6?

ISO 27001 Annex A 8.6 is about capacity management, which means you must identify your capacity requirements and ensure you meet them.

ISO 27001 Annex A 8.6 Capacity Management is an ISO 27001 control that looks to make sure you have the resources you need to do the things that you need to do.

ISO 27001 Annex A 8.6 Capacity Management - why it is important

ISO 27001 Annex A 8.6 Purpose

The purpose of ISO 27001 Annex A 8.6 Capacity Management is to ensure the required capacity of information processing facilities, human resources, offices and other facilities.

ISO 27001 Annex A 8.6 Definition

The ISO 27001 standard defines ISO 27001 Annex A 8.6 as:

The use of resources should be monitored and adjusted in line with current and expected capacity requirements.

ISO 27001 Annex A 8.6 Capacity Management - Control Objective

ISO 27001 Annex A 8.6 Free Training Video

In the video ISO 27001 Capacity Management Explained – ISO27001:2022 Annex A 8.6 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 8.6 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 8.6 Capacity Management, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 8.6 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into ISO 27001 Annex A 8.6 Capacity Management. The podcast explores what it is, why it is important and the path to compliance.

How to implement ISO 27001 Annex A 8.6

With capacity management we are looking to make sure that we have enough resources to perform and deliver our products and services. There are varying degrees and levels of management depending on the complexity of your organisation and setup, and on your risk.

Resources to manage

The kinds of resources traditional capacity management would consider are things like storage space, disk space, CPU usage, memory usage and network bandwidth. You also have capacity in your staffing and in your connected utilities (power, cooling, connectivity).

Basically anything you use will have a capacity and a limit.

The 4 Stage Implementation Process

You are going to identify the resources that you need, use and that are important to you. For those you perform a risk assessment and build controls based on risk. Upper limits need to be defined and thresholds set that trigger alerts, with action plans that are activated when a threshold is triggered.

The four stages of implementation are:

  1. Identify and Assess: identify critical resources and conduct a risk assessment of capacity requirements
  2. Define and Plan: develop a capacity management plan and define upper limits and action thresholds
  3. Monitor and Alert: implement continuous monitoring of resource use against defined thresholds and trigger automated alerts
  4. Adjust and Respond: execute pre-defined action plans when thresholds are reached and document all adjustments
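The threshold alerting and trend analysis described in the key takeaways and in the four stages above, as an added example that is not from this guide or the High Table toolkit: each resource gets an upper limit and an alert threshold (80% here), the latest reading is checked against the threshold, and a least-squares trend over past readings forecasts how many days remain until the threshold and the hard limit are hit, producing a record you can keep as part of the alerting trail. Resource names, limits and the daily readings are constructed sample data.

```python
# Added example (not from the original guide): a minimal capacity monitor that
# checks the latest reading against an alert threshold and fits a linear trend
# to past readings to forecast when the threshold and hard limit will be hit.
# Resource names, limits and readings below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Resource:
    name: str
    limit: float       # hard upper limit, e.g. total disk size in GB
    alert_pct: float   # fraction of the limit that triggers an alert (0.8 = 80%)

def linear_trend(readings: List[float]):
    """Least-squares slope and intercept over readings taken one day apart."""
    n = len(readings)
    mean_x = (n - 1) / 2
    mean_y = sum(readings) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(readings))
    slope = sxy / sxx if sxx else 0.0
    return slope, mean_y - slope * mean_x

def days_until(readings: List[float], target: float) -> Optional[int]:
    """Days after the last reading until the trend reaches target; None if never."""
    if readings[-1] >= target:
        return 0
    slope, intercept = linear_trend(readings)
    if slope <= 0:
        return None  # flat or falling usage: nothing to forecast
    x_hit = (target - intercept) / slope
    return max(0, round(x_hit - (len(readings) - 1)))

def evaluate(res: Resource, readings: List[float]) -> dict:
    """Return an audit-trail record: current usage, alert state and forecasts."""
    alert = readings[-1] >= res.limit * res.alert_pct
    return {
        "resource": res.name,
        "usage_pct": round(100 * readings[-1] / res.limit, 1),
        "alert": alert,
        "days_to_threshold": days_until(readings, res.limit * res.alert_pct),
        "days_to_limit": days_until(readings, res.limit),
        "action": "run capacity action plan" if alert else "keep monitoring",
    }

if __name__ == "__main__":
    # Constructed daily readings: disk grows 10 GB/day, CPU is flat.
    disk = Resource("db-server disk (GB)", limit=1000, alert_pct=0.8)
    print(evaluate(disk, [700, 710, 720, 730, 740, 750, 760, 770]))
    print(evaluate(Resource("app CPU (%)", 100, 0.8), [40, 42, 41, 40, 42, 41, 40, 41]))
```

Run the script daily against real readings and keep the returned records; the 3-day and 23-day forecasts for the sample disk are the kind of evidence an auditor asks for under “Future Planning”.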
ISO 27001 Annex A 8.6 Capacity Management - Implementation Framework
ISO 27001 Annex A 8.6 Capacity Management - Assessment and Planning
ISO 27001 Annex A 8.6 Capacity Management - Monitoring and Response

Capacity Monitoring Strategy Example

Resource    | Reactive (Bad)                                  | Proactive (Good / ISO Compliant)
----------- | ----------------------------------------------- | ----------------------------------------------------------
Disk Space  | “The server stopped because the disk is full.”  | “Alert when disk is 80% full.”
CPU Load    | “The app is slow right now.”                    | “Trend analysis shows we need a CPU upgrade in 3 months.”
Cloud Costs | “Why is the AWS bill so high?”                  | “Auto-scaling limits set to prevent cost spikes.”
Bandwidth   | “The internet is lagging.”                      | “Traffic shaping prioritizes Zoom calls over downloads.”

How to pass an ISO 27001 Annex A 8.6 audit

Time needed: 1 day

How to comply with ISO 27001 Annex A 8.6

  1. Have procedures in place

    Write, approve, implement and communicate the documentation required for capacity management.

  2. Assess your capacity requirements and perform a risk assessment

    Conduct a risk assessment and work out what your capacity requirements are.

  3. Implement controls proportionate to the risk posed

    Based on the risk and requirements, implement controls that are proportionate. Set upper limits for capacity, implement triggers and put in place processes to respond to those triggers and alerts.

  4. Keep records

    For audit purposes you will keep records. Examples of records to keep include changes, updates, monitoring, reviews and audits.

  5. Test the controls that you have to make sure they are working

    Perform internal audits that include the testing of the controls to ensure that they are working.

ISO 27001 Annex A 8.6 Capacity Management - Audit Checklist

Top 3 ISO 27001 Annex A 8.6 mistakes and how to avoid them

The top 3 mistakes people make for ISO 27001 Annex A 8.6 are:

ISO 27001 Annex A 8.6 Capacity Management - Mistakes and How to Avoid Them

1. You have no capacity management plan

The usual things that go wrong here are that people don’t actually know what resources they need, what they are using or what they have. Identify your resource requirements and record what you are using, what you need and the trigger thresholds at which you take action.

2. You have not acted on the plan

Having a plan and not using it is worse than no plan at all. Be sure to follow the plan and be able to evidence that you are reviewing and acting on capacity reports.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months and having documents with no outstanding comments left in them are all good practices.

Fast Track Compliance with the ISO 27001 Toolkit

Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit

For ISO 27001 Annex A 8.6 (Capacity management), the requirement is to ensure that the use of resources is monitored and adjusted in line with current and expected capacity requirements. Many organizations are misled into thinking they need a complex SaaS platform to “track” their server loads or bandwidth.

The reality is that a compliance SaaS platform cannot manage your capacity; it can only host a document saying that you do. The High Table ISO 27001 Toolkit is the logical, time-saving solution because it provides the governance framework (the policies, capacity plans and review logs) that proves to an auditor you are managing resources effectively, without the unnecessary “subscription trap.”

1. Ownership: You Own Your Capacity Strategy Forever

SaaS platforms act as a middleman for your compliance data. If you define your capacity thresholds and store your review history inside their proprietary system, you are essentially renting your own operational history.

  • The Toolkit Advantage: You receive the Capacity Management Policy and Capacity Plan Template in fully editable Word/Excel formats. These are yours forever. You maintain permanent ownership of your strategy and audit history on your own systems, ensuring you are audit-ready without an ongoing monthly bill.

2. Simplicity: Governance for the Tools You Already Use

Annex A 8.6 is about the oversight of resource use. You don’t need a complex new software interface to manage what your existing cloud consoles (like AWS CloudWatch, Azure Monitor, or Google Cloud Quotas) already show you.

  • The Toolkit Advantage: Your technical team already monitors CPU, RAM, and storage. What they need is the governance layer to prove to an auditor that these metrics are reviewed and that future growth is planned. The Toolkit provides pre-written templates and checklists that formalize your existing technical data into an auditor-ready framework, without forcing your team to learn a new software platform.

3. Cost: A One-Off Fee vs. Expensive “Per-Resource” Licensing

Many compliance SaaS platforms charge more as your infrastructure grows or the number of “assets” you monitor increases. For a control that scales with your business growth, these monthly costs can become a significant financial burden.

  • The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you are managing capacity for one server or a global cloud infrastructure, the cost of your Capacity Management Documentation remains the same. You save your budget for actual infrastructure scaling rather than an expensive compliance dashboard.

4. Freedom: No Vendor Lock-In for Your Infrastructure

SaaS compliance tools often have limited integrations or mandate specific ways to report capacity. If your modern serverless or hybrid architecture doesn’t fit their rigid model, the tool becomes a bottleneck.

  • The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can edit the Capacity Procedures to match any technical environment. You maintain total freedom to evolve your infrastructure, moving from on-prem to cloud or shifting vendors, without being constrained by the technical limitations of a rented SaaS platform.

Summary: For Annex A 8.6, the auditor wants to see that you have a policy for capacity and proof that you plan for the future. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation

ISO 27001 Clause 7.1 Resources

ISO 27001 Clause 6.1.1 Planning General

ISO 27001 Annex A 8.6 Capacity Management - Related ISO 27001 Controls

Further Reading

ISO 27001 Audit Plan Template

ISO 27001 Risk Management Policy Template

ISO 27001 Controls and Attribute Values

Control type          | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
--------------------- | ------------------------------- | ---------------------- | ------------------------ | --------------------------------------
Preventive, Detective | Availability, Integrity         | Protect                | Continuity               | Protection, Governance and Ecosystem

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director
Stuart Barker, an ISO 27001 expert and thought leader, is the author of this content.
ISO 27001 Annex A 8.6 Capacity Management - Summary