Control attributes: Technological | Preventive | Protect

A.8.6 Capacity Management

M365 Admin Path: Azure Portal (portal.azure.com) > Monitor > Alerts, Advisor > Performance; Microsoft 365 Admin Center (admin.microsoft.com) > Reports > Usage

Evidence Source: Azure Monitor, Microsoft 365 Admin Center

What is this control?

ISO 27001:2022 Annex A Control 8.6 requires organisations to ensure sufficient capacity (processing, storage, network, and human resources) is available to meet current and future business demands. This control focuses on proactive capacity monitoring to prevent service degradation, implementing alerting mechanisms for resource thresholds, and regular review of capacity utilisation to support business continuity and performance requirements.

How to implement in Microsoft 365

Implementing A.8.6 (Capacity Management) involves a layered monitoring approach:

  1. Azure Infrastructure Monitoring: Configure Azure Monitor alerts for VM CPU, memory, disk IOPS, and network throughput. Use Azure Advisor to identify performance optimisation opportunities.

  2. M365 Platform Monitoring: Monitor SharePoint and OneDrive storage quotas via the Microsoft 365 Admin Center. Review the M365 Service Health dashboard for service availability.

  3. Threshold Alerting: Set capacity alerts at 80% (warning) and 90% (critical) thresholds for storage and compute resources.

  4. Regular Reviews: Conduct quarterly Azure Advisor reviews and monthly VM resource utilisation assessments. Include human resource capacity in management reviews.

  5. Network Capacity: Monitor network bandwidth utilisation and Global Secure Access (GSA) performance metrics.
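The following PowerShell is an added example, not part of the original page, showing how steps 1 to 3 can be put in place: it creates Azure Monitor metric alert rules for a VM at the 80% warning and 90% critical thresholds, then reviews SharePoint and OneDrive site quotas against the same thresholds and writes the result to a CSV that can serve as audit evidence. It assumes the Az.Monitor and Microsoft.Online.SharePoint.PowerShell modules are installed and you are already signed in; the resource group, VM, action group and tenant names are placeholders.

```powershell
# Added example (not from the original page). Assumes Connect-AzAccount and
# Connect-SPOService have already been run. Names below are placeholders.
$ResourceGroup = 'rg-prod'
$VmName        = 'vm-app01'
$ActionGroupId = '/subscriptions/<subscription-id>/resourceGroups/rg-prod/providers/microsoft.insights/actionGroups/ag-capacity-ops'

# --- Step 1/3: Azure Monitor metric alerts at the 80% and 90% thresholds ---
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# One rule per threshold so warning and critical carry different severities
# and can be routed to different responders via the action group.
$thresholds = @(
    @{ Label = 'warning';  Threshold = 80; Severity = 2 },
    @{ Label = 'critical'; Threshold = 90; Severity = 1 }
)

foreach ($t in $thresholds) {
    # Average CPU over the 15-minute window must exceed the threshold; a 15-minute
    # window avoids paging on short spikes while still catching sustained pressure.
    $criteria = New-AzMetricAlertRuleV2Criteria -MetricName 'Percentage CPU' `
        -TimeAggregation Average -Operator GreaterThan -Threshold $t.Threshold

    Add-AzMetricAlertRuleV2 -Name "cpu-$($t.Label)-$VmName" `
        -ResourceGroupName $ResourceGroup `
        -TargetResourceId $vm.Id `
        -WindowSize (New-TimeSpan -Minutes 15) `
        -Frequency (New-TimeSpan -Minutes 5) `
        -Condition $criteria `
        -ActionGroupId $ActionGroupId `
        -Severity $t.Severity `
        -Description "A.8.6 capacity $($t.Label): CPU above $($t.Threshold)% for 15 minutes"
}

# --- Step 2/3: SharePoint and OneDrive quota review against the same thresholds ---
# Tenant-level view: total pooled storage versus what has been allocated to sites.
$tenant = Get-SPOTenant
$tenantPct = [math]::Round(100 * $tenant.StorageQuotaAllocated / $tenant.StorageQuota, 1)
Write-Host "Tenant storage allocated: $tenantPct% of $($tenant.StorageQuota) MB"

# Per-site view; -IncludePersonalSite $true pulls OneDrive sites into the review.
$report = Get-SPOSite -Limit All -IncludePersonalSite $true |
    Where-Object { $_.StorageQuota -gt 0 } |
    ForEach-Object {
        $pct = [math]::Round(100 * $_.StorageUsageCurrent / $_.StorageQuota, 1)
        [pscustomobject]@{
            Url     = $_.Url
            UsedMB  = $_.StorageUsageCurrent
            QuotaMB = $_.StorageQuota
            UsedPct = $pct
            Status  = if ($pct -ge 90) { 'CRITICAL' } elseif ($pct -ge 80) { 'WARNING' } else { 'OK' }
        }
    }

# Sorted with the most constrained sites first; the dated CSV is the review record.
$report | Sort-Object UsedPct -Descending |
    Export-Csv -Path ".\sharepoint-capacity-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation

# Anything at or above the warning threshold is surfaced immediately for action.
$report | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Running the quota section on a monthly schedule and keeping the dated CSVs gives the periodic review documentation described in the next section, and the two alert rules provide the configured-threshold evidence; the values of 80 and 90 are those stated on the page and can be adjusted to match the organisation's own capacity policy.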

What an auditor looks for

Auditors will expect evidence of:

  1. Proactive Monitoring: Configured alerts for capacity thresholds across compute, storage, and network resources, demonstrating prevention rather than reaction.

  2. Regular Reviews: Documentation of periodic capacity reviews (monthly/quarterly) with actions taken to address identified constraints.

  3. M365 Platform Oversight: Evidence that cloud platform capacity (SharePoint and OneDrive quotas) is monitored and managed within acceptable limits.

  4. Azure Advisor Usage: Proof that Azure Advisor recommendations are reviewed and actioned, particularly performance-related guidance.

  5. Human Resources: Evidence that technical staff capacity is considered in management reviews to ensure adequate resources for security operations.

  6. Trend Analysis: Capacity trending data to demonstrate forward planning for future resource requirements.