The availability criteria address how you ensure that in-scope data and systems stay online and can be recovered should something go awry.
- Disaster recovery: An organization should have a plan in place to recover from a disaster or other catastrophic event that could impact the availability of its systems and data. This might include measures such as redundant systems, backup and recovery procedures, and testing to ensure that these measures are effective.
- Maintenance: An organization should have a process in place for performing maintenance on its systems in a way that minimizes the impact on availability. This might include scheduling maintenance during off-peak hours, performing maintenance on a rolling basis to minimize disruption, and providing advance notice of planned maintenance to users.
- Performance monitoring: An organization should have a system in place for monitoring the performance of its systems and data to ensure that they are available and functioning properly. This might include monitoring response times, error rates, and other performance metrics.
- Capacity planning: An organization should have a process in place for ensuring that its systems and data have the capacity to meet the needs of its users. This might involve identifying future capacity needs and implementing measures to meet those needs, such as adding hardware or upgrading software.