Secure Controls Framework
Download The SCF

Capacity & Performance Planning (CAP)

Domain Principle

Govern current and future capacity and performance requirements for Technology Assets, Applications, Services and Data (TAASD) to sustain reliable operations.

Domain Intent

Organizations prevent avoidable business interruptions caused by capacity and performance limitations through baselines, thresholds, forecasting, demand planning and leadership visibility into current and future performance needs.

Domain Guide

Availability failures caused by resource exhaustion are a distinct security risk category, not just an IT operations problem. When systems fail under load because nobody planned for growth or peak demand, attackers sometimes don't need to do anything; the infrastructure does the work for them. The CAP domain addresses that gap by requiring systematic forecasting, threshold monitoring and leadership visibility into performance trends.

 

The SCF's intent for CAP is to prevent avoidable business interruptions from capacity limitations. The word "avoidable" is doing work here. Unforeseeable spikes happen; failing to baseline current utilization and project forward is a governance failure, not bad luck. Organizations that lack CAP practices often discover their capacity problems during incidents, audits, or customer-facing outages, which are the worst possible times.

 

CAP is distinct from Continuous Monitoring (MON) because monitoring captures what is happening now, while capacity planning projects what will happen under future load conditions. They require different data, different analysis methods and different organizational owners. Both are necessary; neither substitutes for the other.