Skip to contentCYBERINFO
|

Control 8.6 : Capacity Management

Summary

The use of resources should be monitored and adjusted in line with current and expected capacity requirements. This ensures that the organization's information systems remain available and performant, preventing service disruptions due to resource exhaustion.

Applicability

In-Scope: Mandatory for all organizations to ensure that critical business applications and storage do not reach capacity limits. It is essential for maintaining the availability pillar of the security triad.

Out-of-Scope: Never out-of-scope, though the focus shifts toward cloud consumption metrics in modern environments.

Implementation Guidance

Microsoft 365 / Entra ID

  • Monitoring: Utilize the Microsoft 365 Admin Center usage reports to monitor storage limits for SharePoint Online and OneDrive for Business.

  • Alerts: Configure Azure Monitor alerts to notify the technical team when cloud storage, database sizes, or virtual machine utilization reach 80% capacity.

  • Scaling: Leverage the auto-scaling capabilities of Azure App Services and Virtual Machine Scale Sets to automatically handle spikes in traffic without manual intervention.

Evidence Checklist

  • Capacity Management Plan: A document or strategy defining how the organization monitors and plans for technical growth.

  • Performance Reports: Evidence of regular reviews of system performance and resource utilization.

  • Threshold Configurations: Documentation of the specific alert thresholds set within the Microsoft tenant to prevent resource exhaustion.

Practical Audit Advice

Here are some questions the auditor might ask:

  • What is the process for identifying which systems are nearing their capacity limits before a service failure occurs?

  • How does the organization plan for future capacity needs, such as an increase in staff or the deployment of a new data-intensive application?

  • Can you demonstrate that an alert was triggered and addressed when a storage or compute threshold was recently reached?

  • How do you manage "Cloud Sprawl" to ensure that unused resources are decommissioned to maintain efficiency?