GRCWatch
Sign inStart free trial

PR.DS-4 Capacity Management: Maintaining System Availability

PR.DS-4 requires your organization to maintain adequate capacity across systems and infrastructure to sustain availability during normal and peak operational demands. Without proper capacity planning, you risk service degradation, downtime, and compliance failures. This guide shows SMBs how to implement and demonstrate this critical control.

What this means

Capacity management ensures your systems have sufficient resources—compute, storage, network bandwidth, and application resources—to meet current and anticipated demand. This control focuses on preventing availability failures caused by resource exhaustion. It requires monitoring usage trends, forecasting growth, and maintaining headroom to handle peak loads and unexpected spikes.

How to comply

  1. 1.Inventory all critical systems and define capacity requirements for each (CPU, memory, storage, bandwidth)
  2. 2.Establish capacity thresholds and alert triggers for resource utilization levels
  3. 3.Monitor actual usage against baselines and document findings regularly
  4. 4.Forecast capacity needs based on growth trends, business projections, and historical data
  5. 5.Document capacity planning procedures and review them at least annually
  6. 6.Maintain capacity reports showing headroom for peak demand and contingencies
  7. 7.Test the ability to scale resources during simulated high-demand scenarios

Evidence auditors look for

  • Capacity planning spreadsheets or tools tracking resource utilization trends
  • System monitoring dashboards showing CPU, memory, storage, and network metrics
  • Capacity forecast reports with growth projections and planned upgrades
  • Load testing reports demonstrating system performance under peak conditions
  • Alert configuration documentation showing thresholds for resource exhaustion
  • Meeting minutes or governance records reviewing capacity plans quarterly
  • Infrastructure upgrade records showing planned expansions before capacity limits
  • Service level agreements (SLAs) referencing availability targets and capacity buffers

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates capacity monitoring and generates compliance-ready capacity trend reports, eliminating manual spreadsheet updates and ensuring you have audit-ready documentation for PR.DS-4.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PR.IP-9 — Risk Management (incorporating capacity risk)DE.AE-1 — Anomaly Detection (detecting capacity spikes)RC.CO-3 — Recovery Communication (availability restoration)