FAQ: What is covered in the Availability criteria?

The availability criteria address how an organization ensures that its in-scope systems and data stay online, and how they are recovered should something go awry. The criteria cover four main areas:

  1. Disaster recovery: An organization should have a plan in place to recover from a disaster or other catastrophic event that could impact the availability of its systems and data. This might include measures such as redundant systems, backup and recovery procedures, and testing to ensure that these measures are effective.
  2. Maintenance: An organization should have a process in place for performing maintenance on its systems in a way that minimizes the impact on availability. This might include scheduling maintenance during off-peak hours, performing maintenance on a rolling basis to minimize disruption, and providing advance notice of planned maintenance to users.
  3. Performance monitoring: An organization should have a system in place for monitoring the performance of its systems and data to ensure that they are available and functioning properly. This might include monitoring response times, error rates, and other performance metrics.
  4. Capacity planning: An organization should have a process in place for ensuring that its systems and data have the capacity to meet the needs of its users. This might involve identifying future capacity needs and implementing measures to meet those needs, such as adding hardware or upgrading software.

Additional FAQs

Can I fail a SOC 2 audit?

Yes. Failure to meet the relevant Trust Services Criteria may result in a failed SOC 2 audit that requires remediation. When this happens, the auditor's report is known as a Qualified Opinion.

What is a SOC 2?

The Service and Organization Controls 2 Report, formerly known as a Service Organization Controls Report as of the most recent update to the SSAE 18 audit standard. A SOC 2 report

SOC 1 Report – Who needs it?

Organizations that handle financial transactions, especially those impacting external financial statements, are good examples of those that need SOC 1 audits.

We have a SOC 2. How much effort is GDPR?

Assuming your company is subject to GDPR, the level of effort depends largely on the maturity of your organizational and privacy controls. The organizational controls will be mostly met by implementation

What is SSAE 18 (formerly SSAE 16)?

A SOC 1 Type 1 report typically costs on average anywhere between $10,000 and $20,000 USD, not including the readiness assessment project, which most organizations benefit from and can be an
