Capacity planning and autoscaling
Demonstrate that infrastructure capacity planning processes and autoscaling mechanisms are configured, tested, and monitored to maintain availability and performance under variable load conditions while preventing resource exhaustion.
Description
What this control does
Capacity planning and autoscaling controls ensure that systems can dynamically adjust compute, storage, and network resources to meet demand without manual intervention, while preventing resource exhaustion attacks and service degradation. This involves setting predictive baselines for normal resource consumption, configuring automatic scaling policies with upper and lower bounds, and establishing monitoring thresholds that trigger scaling events before performance degrades. The control protects availability during traffic spikes, whether legitimate or malicious, and prevents cost overruns from unbounded scaling.
Control objective
What auditing this proves
Demonstrate that infrastructure capacity planning processes and autoscaling mechanisms are configured, tested, and monitored to maintain availability and performance under variable load conditions while preventing resource exhaustion.
Associated risks
Risks this control addresses
- Denial of service attacks overwhelming fixed-capacity resources leading to service outages
- Resource exhaustion from legitimate traffic spikes causing application crashes or timeouts
- Cost overruns from improperly configured autoscaling policies that scale without upper limits
- Performance degradation during scaling events due to slow provisioning or insufficient warm-up time
- Single points of failure where autoscaling is unavailable or misconfigured for critical components
- Data loss or state corruption when stateful services scale down without proper session draining
- Lateral movement opportunities created when emergency capacity is provisioned without security hardening
Live threat patterns this control mitigates:
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's capacity planning documentation including baseline resource utilization metrics, growth projections, and scaling thresholds for production systems
- Collect autoscaling policy configurations from cloud platforms or orchestration tools, including minimum and maximum instance counts, scaling triggers, cooldown periods, and target utilization metrics
- Interview infrastructure teams to understand how capacity forecasts are developed, reviewed, and updated in response to business growth or architectural changes
- Select a representative sample of critical services and verify that autoscaling policies are enabled and configured with appropriate thresholds and limits
- Review monitoring dashboards and alerting rules to confirm that resource utilization, scaling events, and threshold breaches trigger notifications to operations teams
- Examine records of recent scaling events including timestamps, trigger conditions, resource provisioning times, and any incidents or performance impacts during scaling
- Request evidence of load testing or chaos engineering exercises that validate autoscaling behavior under simulated traffic spikes or resource exhaustion scenarios
- Verify that autoscaling configurations include safeguards such as maximum instance caps, cost alerts, and security baseline enforcement for newly provisioned resources