What is SOC 2 Availability Criteria?
The Availability Criteria is one of the five Trust Services Criteria defined by the AICPA. It is an incremental criteria layered on top of the Common Criteria (also known as the Security Criteria), so you can’t do this one on its own – it’s one for extra credit. The Availability Criteria focuses on the initiatives your organization undertakes to meet its commitments to customers related to, well, system availability. It covers controls for monitoring system capacity, environmental controls, and business continuity and disaster recovery planning. If you want to read about this from the horse’s mouth, check out pages 48-51 of the AICPA’s TSCs.
When Should the Availability Criteria Be Included Within a SOC 2?
As SOC 2 report scope is generally driven by a company’s customers’ requirements, the Availability Criteria should be considered when a company makes significant commitments to system availability, whether through contracts or by setting customer expectations. It allows a company to demonstrate that it is meeting these commitments to its customers.
What are the requirements for SOC 2’s Availability Criteria?
Availability Criteria A1.1
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
In A1.1, the focus is placed on being able to measure current system usage, forecast capacity, and make changes based upon those forecasts. This is relatively easy to do when you’re using a cloud platform, as cloud providers offer easy-to-access metrics and easy-to-configure alarms that let you know your system usage at any point, as well as the ability to auto-scale the compute resources provisioned for your platform. From the cloud perspective, it’s just a matter of having a plan for how you use those features in conjunction with each other. If you’re on the co-located or self-hosted server side of things, you’ll have to put more work into this, as adding a physical server takes more forethought and planning than spinning up more resources in the cloud.
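As an added illustration of the "measure, forecast, act" loop A1.1 asks for (example code written for this post, not from the original or from any cloud provider's tooling), the script below fits a straight-line trend to constructed daily utilisation samples, estimates how many days remain before an alarm threshold is crossed, and turns that into a recommendation based on how long it takes you to add capacity. The threshold, the lead times and the sample data are all assumptions; the point is that a co-located shop with a 30-day hardware lead time has to act on the same forecast much earlier than a cloud shop that can scale in a day.

```python
"""Capacity trend forecast for A1.1 (added example, not from the original post).
Fits a least-squares line to daily utilisation samples and reports how many
days remain before a threshold is reached, so capacity can be added on a
planned schedule instead of in a panic."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass
class CapacityForecast:
    current_pct: float                  # fitted utilisation for the latest day
    slope_pct_per_day: float            # fitted growth rate
    days_to_threshold: Optional[float]  # 0.0 = already over, None = trend never reaches it


def fit_trend(samples: Sequence[float]) -> Tuple[float, float]:
    """Ordinary least-squares line through (day index, utilisation %).
    Returns (intercept, slope)."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    xs = range(n)
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, samples))
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def forecast(samples: Sequence[float], threshold_pct: float = 80.0) -> CapacityForecast:
    """Project the fitted line forward to the threshold (assumed 80%)."""
    intercept, slope = fit_trend(samples)
    now = intercept + slope * (len(samples) - 1)
    if now >= threshold_pct:
        days = 0.0                      # already over the line today
    elif slope <= 0:
        days = None                     # flat or shrinking: no breach on this trend
    else:
        days = (threshold_pct - now) / slope
    return CapacityForecast(now, slope, days)


def recommend(fc: CapacityForecast, provisioning_lead_days: float) -> str:
    """Compare the runway against how long it takes to add capacity.
    Lead times are assumptions: ~1 day for cloud auto-scaling, ~30 days for
    ordering and racking a physical server."""
    if fc.days_to_threshold == 0.0:
        return "add capacity now"
    if fc.days_to_threshold is not None and fc.days_to_threshold <= provisioning_lead_days:
        return "start provisioning"
    return "ok"


# Constructed sample: 14 days of utilisation growing 2 points per day.
GROWING = [40.0 + 2.0 * day for day in range(14)]
# Constructed sample: noisy but flat utilisation around 50%.
FLAT = [50.0, 51.0, 50.0, 49.0, 50.0]

if __name__ == "__main__":
    fc = forecast(GROWING)
    print(f"growing: {fc.days_to_threshold:.1f} days of runway")
    print("  cloud (1-day lead):", recommend(fc, 1))
    print("  colo (30-day lead):", recommend(fc, 30))
    print("flat:", forecast(FLAT).days_to_threshold, recommend(forecast(FLAT), 30))
```

The same forecast yields "ok" for the cloud case and "start provisioning" for the co-located case, which is exactly the planning gap the paragraph above describes. In practice the sample list would come from your provider's metrics API or your own monitoring, and the recommendation would feed an alarm rather than a print statement.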
Availability Criteria A1.2
The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.
A1.2 is primarily focused on environmental controls such as identifying and responding to environmental threats (earth, wind, fire, water, (go) planet), which are often not applicable if you’re using cloud hosting. However, cloud hosting or not, you will need a plan for backing up your data, to actually back up your data, and to test that your backups are valid. Additionally, you’ll need to identify a DR recovery site that is geographically diverse from your production site (in cloud terms, a different region) and have a strategy for getting your data there in the event the primary production site (or region, in cloud terms) is lost.
Availability Criteria A1.3
The entity tests recovery plan procedures supporting system recovery to meet its objectives.
Finally, in A1.3, it’s all about practicing the art of recovering your platform. It requires you to perform testing of your BCP/DR plan and regular testing of your backup data to confirm that it is recoverable. Backup recovery testing is one of those practices that goes back to the days when the risk was whether a backup could actually be pulled off tape, but it’s still relevant today, even in a tape-less cloud environment.
What Problems Could Arise From Selecting the Availability Criteria?
For the most part, selecting the Availability Criteria and implementing its requirements is fairly easy and straightforward for our clients. Where they tend to hit roadblocks is with the replication to a DR recovery site that exists in a different cloud region or a datacenter on the other side of the country. Common excuses include that the application simply wasn’t architected with that in mind, or that the “devops brain trust” can’t figure it out or prioritize it over things that are more fun than disaster recovery.
The Availability Criteria is the most popular incremental criteria to add, as just about every SaaS provider has to deal with customers wanting assurances about the resilience and recoverability of their data, as well as the ability to use the system they’ve subscribed to when expected. Of course, it’s an optional Criteria, but it’s also one that will validate the commitments your customers want you to make as part of your day-to-day sales cycle.