SOC 2 Academy: Preparing for Current and Future Availability Needs
Understanding Availability Criteria 1.1
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the availability category in their audit, they need to comply with the additional criteria for availability. Availability criteria 1.1 says, “The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.” What does this mean for organizations and how do they comply with this criterion? Let’s find out why preparing for current and future availability needs is important.
The Importance of Preparing for Current and Future Availability Needs
In the simplest terms, the availability category for SOC 2 compliance asks organizations if their system is available for operation and used as agreed upon. For organizations that need to include availability in their SOC 2 audits, such as cloud service providers or storage facilities, preparing for current and future availability needs is a necessity. For example, if a data center doesn’t maintain, monitor, or evaluate the current processing capacity of their system, they might have an outage that would make their systems unavailable, which would greatly impact their customers’ business continuity. Because of this, when an auditor assesses an organization’s compliance with availability criteria 1.1, they’ll use the following points of focus as a guide:
- Does the entity measure the current usage to establish a baseline for capacity management?
- Does the entity forecast the expected average and peak use of their system components?
- Does the entity make changes to their system based on the forecasts?
More SOC 2 Resources
The SOC 2 Trust Services Criteria provides additional criteria for the categories that are outside of the common criteria that apply to all five categories. We’re going to start now with availability criteria 1.1. The availability category relates to how your organization meets its commitments to be available in the service that it’s providing to your customers. Availability criteria 1.1 says that the entity maintains, monitors, and evaluates current processing capacity and use of system components to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. This means that you are aware of your current capacity and you answer the question, “Are you meeting the current demand? Is your system doing today what is should be doing for the users of your system?” Are you also making forecasts? Are you able to look into the future and say, “A year, 3 years, or 5 years from now, we’re going to need to meet X demand or capacity, and where are we on that scale?” To use a very basic example: storage space. You are storing data for your clients through the application that you’re hosting, and they’re uploading information into it. You’re very familiar at the rate at which that storage is growing, you’re forecasting that, and you’re requiring the systems and the upgrades that are necessary to meet the demand so that you don’t fall down and have to have an outage for a period of time while you’re upgrading the system. Your auditor will ask you questions about how you plan for future capacity, so think about those examples and how you can accomplish that within your organization.