SOC 2 Academy: Data Backup Processes

by Joseph Kirkpatrick / March 29th, 2019

Availability Criteria 1.2

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the availability category in its audit, it must also comply with the additional criteria for availability. Availability criteria 1.2 says, “The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.” We’ve discussed how organizations can comply with this criterion, but one component deserves further discussion: data backup processes. Let’s look at why organizations need proper data backup processes and how they affect SOC 2 compliance.

Data Backup Processes and SOC 2 Compliance

Disasters happen when we least expect them, so taking proactive measures to protect the data your organization holds is paramount to SOC 2 compliance. This includes ensuring that data remains available, complete, and accessible when it is needed, not only during normal operations. For example, if your organization is hit by a hurricane and cannot physically access its office building, how will you access your data so that you can continue to provide the services you offer? If you are forced to operate from an off-site location until your office building has recovered from the event, would you have access to your data there? These are the things you need to consider for SOC 2 compliance.

During a SOC 2 audit, an auditor will want to confirm that your organization has effective data backup processes in place in order to comply with availability criteria 1.2. An auditor will ask questions such as:

  • What data does your organization hold, and where is it stored?
  • How much data do you have?
  • How large a gap would there be between the last backup and a security incident, and how much of that data could you afford to lose?

Having such data backup processes in place helps organizations meet the goal behind the availability category: that the systems or services your organization offers are available for operation and use as committed or agreed upon.

Your data backup processes are central to preparing for availability criteria 1.2. If an environmental event leaves you unable to reach your facilities, or destroys your equipment, you still have to restore operations, and your backups are what you will restore from. Where is your data? How much data do you have? How large a gap between the last backup and the time of the event will there be, and what gap is acceptable to you? These are questions your auditor will ask. The reason you want to demonstrate that the data is available and accessible at a remote location is that the scenario in view is one where you cannot get into your offices and must move to an alternative processing facility to resume operations and keep delivering your services while your own building is unavailable. Think about what you are doing with your data and make sure it is available, complete, and accessible at a location far enough from your primary facility that a single regional event cannot take out both, so that you can restore operations there if necessary.
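The auditor's questions above reduce to two checks a practitioner can automate and keep as evidence: does a verified (restore-tested) copy of each dataset exist somewhere other than the primary facility, and is the gap between that copy's completion time and now within the recovery point objective (RPO) set for the dataset? The script below is an added example, not code from the original post or its author; the manifest records, site names, dataset names and RPO values are constructed for illustration, and a real run would read the manifest from your backup tooling. Copies held only in the primary facility are deliberately ignored, because in the scenario the criterion has in mind that facility is exactly what you cannot reach.

```python
from datetime import datetime, timedelta, timezone

PRIMARY_SITE = "primary-dc"  # assumed name of the facility that may become unreachable

# Constructed sample manifest (not from the original post): one record per
# backup copy, as a backup job might record it. "verified" means the copy has
# passed a restore test.
SAMPLE_MANIFEST = [
    {"dataset": "customer-db", "site": "primary-dc",       "completed": "2019-03-28T23:10:00Z", "verified": True},
    {"dataset": "customer-db", "site": "offsite-region-b", "completed": "2019-03-28T23:40:00Z", "verified": True},
    {"dataset": "file-share",  "site": "primary-dc",       "completed": "2019-03-27T02:00:00Z", "verified": True},
    {"dataset": "file-share",  "site": "offsite-region-b", "completed": "2019-03-20T02:00:00Z", "verified": False},
    {"dataset": "ticketing",   "site": "primary-dc",       "completed": "2019-03-28T22:00:00Z", "verified": True},
    {"dataset": "build-cache", "site": "offsite-region-b", "completed": "2019-03-28T20:00:00Z", "verified": True},
]

# Hypothetical recovery point objectives: the largest acceptable gap between
# the last usable backup and an incident, per dataset (assumed values).
RPO = {
    "customer-db": timedelta(hours=1),
    "file-share": timedelta(hours=24),
    "ticketing": timedelta(hours=4),
}


def parse_ts(s):
    """Parse the manifest's UTC timestamps into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_backups(manifest, rpo, now, primary_site=PRIMARY_SITE):
    """Return one finding per dataset: OK if a verified off-site copy exists
    and is fresher than the dataset's RPO, otherwise FAIL with the reason.
    Datasets that appear in the manifest without an RPO are also flagged,
    since an unclassified dataset has no agreed acceptable gap."""
    findings = {}
    datasets = set(rpo) | {m["dataset"] for m in manifest}
    for dataset in sorted(datasets):
        objective = rpo.get(dataset)
        if objective is None:
            findings[dataset] = {"status": "FAIL", "gap": None,
                                 "reason": "no RPO defined for this dataset"}
            continue
        copies = [m for m in manifest if m["dataset"] == dataset]
        # Only copies outside the primary site that have passed a restore test
        # count toward the gap.
        usable = [m for m in copies if m["site"] != primary_site and m["verified"]]
        if not usable:
            findings[dataset] = {"status": "FAIL", "gap": None,
                                 "reason": "no verified off-site copy"}
            continue
        latest = max(parse_ts(m["completed"]) for m in usable)
        gap = now - latest
        if gap <= objective:
            findings[dataset] = {"status": "OK", "gap": gap, "reason": "within RPO"}
        else:
            findings[dataset] = {"status": "FAIL", "gap": gap,
                                 "reason": f"gap exceeds RPO of {objective}"}
    return findings


SAMPLE_NOW = parse_ts("2019-03-29T00:00:00Z")  # assumed moment of the incident


def run_sample():
    """Assess the constructed manifest against the hypothetical RPOs."""
    return assess_backups(SAMPLE_MANIFEST, RPO, SAMPLE_NOW)


if __name__ == "__main__":
    for name, f in run_sample().items():
        print(f"{f['status']:4} {name:12} gap={f['gap']}  {f['reason']}")
```

On the constructed data only customer-db passes: file-share has an off-site copy that was never restore-tested, ticketing has no off-site copy at all, and build-cache has no RPO assigned. Each of those is a finding an auditor would raise, and running a check like this on a schedule gives you a dated record that the gap you told the auditor was acceptable is the gap you actually have.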