
What Is the SOC 2 Availability Criteria?

July 01, 2025

In July 2024, enterprises around the world experienced one of the worst IT outages in history. A single flaw in a routine security software update crashed more than 8.5 million systems in airlines, hospitals, financial organizations, and government agencies.

When Amazon Web Services experienced a nine-hour outage in December 2021, it took countless websites, apps, and delivery platforms offline at the same time. These examples highlight why SOC 2 availability requirements are something every organization should take seriously. 

What Is Availability in SOC 2 Compliance?


The SOC 2 framework defines availability as ensuring “information and systems are available for operation and use to meet the entity’s objectives.” In other words, availability means keeping your system operational and providing authorized users with access on demand.

The SOC 2 availability criteria can apply to any type of technology or digital resource:

  • Computer systems
  • Networks
  • Servers
  • Applications
  • SaaS platforms
  • Payment gateways
  • Cloud computing and storage resources
  • Digital files and folders

Imagine how frustrating online purchases would be if credit card processing only worked some of the time. Or what if your antivirus program only blocked malware from Monday to Friday? Instead, these systems are designed to provide 99.9% uptime.

What Are the SOC 2 Trust Services Criteria?

There are five pillars in the SOC 2 framework: security, availability, processing integrity, confidentiality, and privacy. These principles are known as the Trust Services Criteria. Together, they form the foundation of a secure system for organizations of any size.

What Are SOC 2 Availability Requirements?

The SOC 2 availability TSC consists of three audit controls that evaluate your system’s performance and uptime. To understand how they affect your organization, you need to analyze each one individually.

A1.1 — Capacity Monitoring and Management

The framework says: “The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.”

What this means: Your organization needs to use an infrastructure monitoring tool to continuously track metrics, including memory utilization, disk I/O, CPU utilization, error rates, response times, and other indicators of system performance. SOC 2 compliance requires having capacity management processes in place with target thresholds, contingencies for user growth, and plans for hardware or software expansion.
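As an added illustration (not part of the SOC 2 framework text or any vendor's tooling), the sketch below checks utilization against a target threshold and projects when a growing component will reach it, which is the kind of evidence a capacity review under A1.1 relies on. The component names, sample readings, thresholds, and 30-day planning horizon are all assumptions constructed for the example.

```python
from statistics import mean

# Constructed sample: daily peak utilization (%) for two hypothetical components.
SAMPLES = {
    "db-disk": [61.0, 62.5, 64.0, 65.5, 67.0, 68.5, 70.0],
    "api-cpu": [40.0, 42.0, 39.0, 41.0, 40.0, 38.0, 40.0],
}
# Assumed target thresholds (%); SOC 2 does not prescribe specific values.
THRESHOLDS = {"db-disk": 80.0, "api-cpu": 75.0}
PLANNING_HORIZON_DAYS = 30  # assumed lead time needed to add capacity


def slope_per_day(values):
    """Least-squares slope of utilization against day index."""
    n = len(values)
    x_bar, y_bar = (n - 1) / 2, mean(values)
    num = sum((x - x_bar) * (y - y_bar) for x, y in enumerate(values))
    den = sum((x - x_bar) ** 2 for x in range(n))
    return num / den


def days_until_threshold(values, threshold):
    """Days until the trend line reaches the threshold; None if not growing."""
    current = values[-1]
    if current >= threshold:
        return 0.0
    slope = slope_per_day(values)
    if slope <= 0:
        return None
    return (threshold - current) / slope


def evaluate(samples, thresholds, horizon):
    """Classify each component as BREACH, PLAN_EXPANSION, or OK."""
    report = {}
    for name, values in samples.items():
        eta = days_until_threshold(values, thresholds[name])
        if eta == 0.0:
            status = "BREACH"
        elif eta is not None and eta <= horizon:
            status = "PLAN_EXPANSION"
        else:
            status = "OK"
        report[name] = (status, eta)
    return report


if __name__ == "__main__":
    for name, (status, eta) in evaluate(SAMPLES, THRESHOLDS, PLANNING_HORIZON_DAYS).items():
        print(f"{name}: {status} (days to threshold: {eta})")
```

A component that is still below its threshold but trending toward it inside the planning horizon is flagged before it breaches, giving time to add capacity.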

A1.2 — Disaster Recovery and Business Continuity

The framework says: “The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.”

What this means: Good cybersecurity hygiene for your business requires disaster recovery plans, data loss prevention policies, and necessary technology to keep your systems up and running in worst-case scenarios. For example, properly configured data backup software can help you restore system data after a ransomware attack. If you maintain on-prem servers, you should have backup systems in place (e.g., distributed cloud backups) in case of fire or flooding.

A1.3 — Emergency Testing


The framework says: “The entity tests recovery plan procedures supporting system recovery to meet its objectives.”

What this means: Creating plans for availability issues, emergencies, and disasters is important, but there’s no substitute for real-world testing. Periodic assessments are necessary to see how your employees, software configurations, network resources, and DLP tools actually perform. Testing can reveal weaknesses or unexpected side effects you need to correct before a real emergency happens.

What Does Availability Mean in Cybersecurity?

Availability is a pillar of data security best practices, part of the well-known CIA triad of confidentiality, integrity, and availability.

More than ever before, customers expect availability. Systems need to work 24/7, 365 days a year.

Continuous uptime is essential for nearly every industry and business:

  • Manufacturing: Equipment crashes can force production shutdowns to the tune of millions of dollars. Unplanned downtime costs automotive manufacturers more than $20,000 a minute.
  • Transportation: If GPS tracking systems, logistics tools, or order fulfillment software go down, supply chain operations struggle to meet client demands.
  • Sales and retail: Failures in payment terminals or website functionality result in lost sales every second.
  • Finance: Network issues can paralyze financial transactions, block login attempts, and make banks or traders vulnerable.

Cloud platforms that suffer even brief outages cause massive problems for users and business operations.

Network Availability

Availability also means that your network, software platform, website, and servers are capable of handling traffic. Cyber preparedness includes planning for likely increases in web traffic, such as Black Friday.

Aside from having good defenses against malware, you also need to make sure your cybersecurity includes technology and processes for mitigating distributed denial-of-service attacks, SYN floods, botnets, and even AI models that can overwhelm websites trying to scrape content.

Should You Include the SOC 2 Availability Criteria in Your Audit?


Unlike the framework’s security controls, SOC 2 availability criteria aren’t mandatory for SOC 2 Type 2 audits. It’s your call whether to add availability to the audit scope. When is it a good idea?

SaaS Platforms

Availability is a key factor that SaaS customers look for. Enterprises want to know that your solutions are reliable. Including availability in your SOC 2 report is highly recommended for software developers.  

Continuous Services

The availability TSC should be a priority if your company offers IT, helpdesk, support, data processing, network monitoring, or other 24/7 business services. It improves your operations and puts users at ease. 

Data Storage

Data centers, cloud computing, cloud security, web hosting, and infrastructure-as-a-service companies should include availability in the scope of SOC 2 testing. When comparing larger providers like AWS and specialized services, reliability is one of the main deciding factors customers evaluate.

How Can You Implement the Availability TSC in Your Operations?

Good planning is vital for maintaining system uptime, from conducting periodic risk assessments to developing a consistent maintenance schedule for hardware and software. Technology plays a significant role in SOC 2 availability requirements, helping you mitigate threats, recover from disasters, and stay up to date with cybersecurity advancements. Compliance management platforms, such as Compyl, offer valuable insights into your workflow and help you correct bottlenecks.

Discover powerful solutions for SOC 2 certification today.
