GRCWatch
Sign inStart free trial

SOC 2 A1.1: Capacity and Performance Monitoring

Capacity and performance monitoring ensures your systems can handle current and future demand without degradation. A1.1 requires you to continuously assess how your infrastructure, data, and software are being utilized—and plan for growth before you hit a wall. This control is foundational to maintaining system availability and supporting your entity's objectives.

What this means

You must establish ongoing processes to measure and track how your system components—including servers, storage, databases, and applications—are performing under current load. This includes identifying bottlenecks, forecasting future capacity needs, and documenting your monitoring activities. The goal is to prevent performance issues and service interruptions by maintaining visibility into resource utilization and acting before capacity limits are reached.

How to comply

  1. 1.Define key performance indicators (KPIs) for infrastructure, data, and software components (CPU, memory, disk, network bandwidth, query response times).
  2. 2.Implement automated monitoring tools to collect performance metrics in real-time across all critical systems.
  3. 3.Establish baseline performance thresholds and alert triggers for capacity utilization (e.g., alert at 75% CPU usage).
  4. 4.Review monitoring data at least monthly to identify trends, bottlenecks, and capacity risks.
  5. 5.Document a capacity planning process that translates monitoring insights into infrastructure upgrades or optimizations.
  6. 6.Maintain records of capacity assessments, performance reports, and actions taken to address capacity constraints.
  7. 7.Communicate capacity status and growth projections to relevant stakeholders and decision-makers.

Evidence auditors look for

  • Monitoring dashboards showing real-time CPU, memory, disk, and network utilization across infrastructure.
  • Monthly or quarterly capacity reports with trend analysis and forecasted resource requirements.
  • Alert logs and escalation records demonstrating proactive response to capacity thresholds.
  • Infrastructure upgrade requests and implementation records tied to capacity planning activities.
  • Documentation of baseline performance metrics and how monitoring KPIs were selected.
  • Change logs showing modifications to monitoring thresholds based on business growth.
  • Meeting notes or minutes from capacity planning reviews with IT leadership.
  • Vendor performance reports (if using third-party hosting or SaaS platforms) included in capacity assessments.

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates capacity monitoring data collection and generates compliance-ready reports, eliminating manual metric gathering and ensuring your A1.1 monitoring activities are auditable and up-to-date.

See how GRCWatch handles this control automatically

Start free trial