Overview
Capacity Planning is the process of forecasting system resource needs to ensure infrastructure can support current and expected workloads without service degradation. It supports SOC 2 CC7.1 by proactively identifying capacity risks and ensuring timely scaling decisions are documented and reviewed.
Step-by-Step Process
Collect system usage data
The Engineering Lead gathers the last 90 days of system usage data for compute, storage, and network resources. This data is exported from monitoring and cost tools and serves as the baseline input for capacity analysis.
Role: Engineering Lead
Review historical trends
The Engineering Lead reviews usage trends to identify growth patterns, seasonal spikes, or abnormal usage. Key metrics such as average utilization, peak utilization, and month-over-month growth are summarized.
Role: Engineering Lead
Identify capacity risks
Based on trend analysis, the Engineering Lead identifies systems approaching defined utilization thresholds (e.g., sustained CPU over 70%). Identified risks are documented with impacted services and projected timelines.
Role: Engineering Lead
Forecast future capacity needs
The Engineering Lead estimates capacity requirements for the next quarter using historical growth rates and known business changes. Forecast assumptions and calculations are documented for audit traceability.
Role: Engineering Lead
Define scaling actions
For each identified risk, the Engineering Lead defines scaling or optimization actions such as adding instances, resizing databases, or implementing auto-scaling. Each action includes an owner and target completion date.
Role: Engineering Lead
Review and approve capacity plan
The completed capacity plan is reviewed in a quarterly engineering or operations meeting. Approval is documented via meeting notes or sign-off in the planning document.
Role: Engineering Lead
Store evidence and track follow-ups
All analysis outputs, forecasts, and approvals are stored in a centralized repository. Follow-up actions are tracked until completed or reassessed in the next quarterly review.
Role: Engineering Lead
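The trend review, risk identification, and forecast steps above can be scripted so the calculations are repeatable and easy to attach as evidence. The following is an added example, not part of the original procedure: the function names, the compound month-over-month growth model, and the sample readings are assumptions made for illustration, and the 70% threshold is the example value given in the risk step.

```python
from statistics import mean

THRESHOLD = 70.0  # percent CPU, the page's example threshold

# Constructed sample: 90 daily average-CPU readings (%) per service, not real exports.
SAMPLE = {
    "api": [50.0] * 30 + [55.0] * 30 + [60.5] * 15 + [82.0] + [60.5] * 14,
    "batch": [40.0] * 90,
}

def summarize(daily, window=30):
    """Average per full 30-day window, overall peak, and month-over-month growth."""
    if len(daily) < 2 * window:
        raise ValueError("need at least two full windows to compute growth")
    months = [daily[i:i + window] for i in range(0, len(daily) - window + 1, window)]
    avgs = [mean(m) for m in months]
    # Assumes non-zero monthly averages (an idle service would divide by zero).
    growth = [(b - a) / a for a, b in zip(avgs, avgs[1:])]
    return {"monthly_avg": avgs, "peak": max(daily), "mom_growth": growth}

def forecast(summary, months_ahead=3, threshold=THRESHOLD):
    """Assumed model: compound the mean MoM growth rate over the next quarter."""
    rate = mean(summary["mom_growth"])
    last = summary["monthly_avg"][-1]
    projected = [last * (1 + rate) ** n for n in range(1, months_ahead + 1)]
    breach = next((n for n, v in enumerate(projected, 1) if v > threshold), None)
    return {"growth_rate": rate, "projected_avg": projected, "months_to_breach": breach}

def assess(service, daily, threshold=THRESHOLD):
    """One risk-register row: metrics, forecast and a status for review."""
    s = summarize(daily)
    f = forecast(s, threshold=threshold)
    if s["monthly_avg"][-1] > threshold:
        status = "over threshold now"
    elif f["months_to_breach"] is not None:
        status = f"projected to exceed in {f['months_to_breach']} month(s)"
    else:
        status = "within threshold"
    return {"service": service, "status": status, **s, **f}

if __name__ == "__main__":
    for name, readings in SAMPLE.items():
        row = assess(name, readings)
        print(name, row["status"], [round(v, 1) for v in row["projected_avg"]])
```

In the constructed "api" data a single-day peak of 82% sits above the threshold while the monthly average does not, which is why the status is driven by the sustained average and the peak is recorded separately.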
What You Need Before Starting
- Read-only access to production monitoring tools (AWS Cost Explorer, Datadog)
- Last quarter’s capacity planning document or spreadsheet
- Defined utilization thresholds or SLOs
- Access to shared document repository (e.g., Google Drive, Confluence)
Evidence Your Auditor Expects
- AWS Cost Explorer usage report exported as CSV dated within the review quarter
- Datadog dashboard screenshot showing 90-day CPU and memory utilization with timestamp visible
- Quarterly capacity planning spreadsheet with forecast calculations and last modified date
- Meeting notes or approval record dated within the quarter referencing capacity planning review
How This Looks In Your Tools
AWS Cost Explorer
Log in to the AWS Console and navigate to Billing > Cost Management > Cost Explorer. In the left menu, select “Usage” and set the date range to the previous 3 months, with granularity set to Monthly.
Use the “Service” filter to review EC2, RDS, and other critical services. Export the report using the “Download CSV” option and save it with the quarter and date in the filename for audit evidence.
Datadog
Log in to Datadog and navigate to Dashboards > Dashboard List, then open the infrastructure or system performance dashboard. Set the global time selector to “Past 90 Days.”
Review widgets for CPU utilization, memory usage, disk I/O, and network throughput. Take screenshots of relevant graphs with the Datadog timestamp visible, or export data via the widget menu if available.
Spreadsheet
Open the quarterly capacity planning spreadsheet in Excel or Google Sheets. Enter historical usage data into designated tabs and verify formulas for growth rate and forecast calculations.
Update the risk register section with identified capacity concerns and planned actions. Save the file with a versioned filename (e.g., Capacity_Plan_Q2_2026.xlsx) and ensure the last modified date reflects the review period.
Common Audit Findings
- No documented capacity forecast
  - This occurs when teams review usage informally but do not record forecasts. Prevent this by requiring a standardized forecast section in the quarterly capacity planning document.
- Evidence not dated within review period
  - Auditors often find screenshots or reports without visible dates. Always include tool-generated timestamps or file metadata showing the quarter reviewed.
- Capacity risks identified but no actions defined
  - Identifying risks without remediation plans weakens CC7.1 alignment. Ensure each risk includes a specific scaling action, owner, and target date.
- Inconsistent review frequency
  - Capacity planning performed ad hoc instead of quarterly can fail control expectations. Schedule recurring quarterly reviews on the engineering calendar.