FAQ: What is covered in the Availability criteria?

FAQ: What is covered in the Availability criteria?

The availability criteria addresses how you go about ensuring the in-scope data and systems stay online and recoverability should go awry.

  1. Disaster recovery: An organization should have a plan in place to recover from a disaster or other catastrophic event that could impact the availability of its systems and data. This might include measures such as redundant systems, backup and recovery procedures, and testing to ensure that these measures are effective.
  2. Maintenance: An organization should have a process in place for performing maintenance on its systems in a way that minimizes the impact on availability. This might include scheduling maintenance during off-peak hours, performing maintenance on a rolling basis to minimize disruption, and providing advance notice of planned maintenance to users.
  3. Performance monitoring: An organization should have a system in place for monitoring the performance of its systems and data to ensure that they are available and functioning properly. This might include monitoring response times, error rates, and other performance metrics.
  4. Capacity planning: An organization should have a process in place for ensuring that its systems and data have the capacity to meet the needs of its users. This might involve identifying future capacity needs and implementing measures to meet those needs, such as adding hardware or upgrading software.

Additional FAQs


The SOC 1 has a completely different purpose than HITRUST. Typically a company would perform both if they are a TPA processing medical claims and other claims, where, there is

What are the costs of SOC 2?

There are a lot of factors that go into responding to this question. There are audit, consulting, software, internal resources, and other factors to consider which can easily grow from

What is SSAE 18 (formerly SSAE 16)?

A SOC 1 Type 1 report typically costs on average anywhere between $10,000 and $20,000 USD, without the readiness assessment project which most Organizations benefit from and can be an

Are Representation Letters Required in SSAE 18?

Previously in SSAE-16 a Management Representation Letter was highly recommended and common practice, however, they were not explicitly required to be obtained except in certain existing subject matter sections. This

Get Our Emails

SOC Reporting Guide