SOC 2 Academy: Testing Your Business Continuity Plan

by Joseph Kirkpatrick / March 29th, 2019

Availability Criteria 1.3

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the availability category in their audit, they would need to comply with the additional criteria for availability. Availability criteria 1.3 says, “The entity tests recovery plan procedures supporting system recovery to meet its objectives.” What does this mean for organizations, and how do they comply with this criterion? Let’s find out why you need to be testing your business continuity plan.

The Importance of Testing Your Business Continuity Plan

The importance of testing your business continuity plan comes down to this: if disaster strikes and you haven’t effectively practiced implementing your business continuity plan, how will you know for certain whether it works? There’s no telling how extreme a disaster will be, so practicing different scenarios on a regular basis should be a top priority among organizations pursuing SOC 2 compliance. For example, if your organization is impacted by a tornado and you have a critical employee who is unable to come into the office because of that disaster, how will your business continuity plan work? Is there someone else who could carry out that person’s responsibilities to ensure that your services remain available as agreed upon?

When an auditor is assessing compliance with availability criteria 1.3, they’ll use two main points of focus to guide them. First, they’ll want to validate that your organization is testing your business continuity plan on a periodic basis. They’ll do so by checking that your business continuity plan testing includes the following:

  • Developing different testing scenarios based on threat likelihood and magnitude
  • Considering system components from across your organization that might impair the availability of your system
  • Using scenarios that consider the potential lack of availability of key personnel
  • Revising your business continuity plan based on the results of testing

Second, auditors will want to ensure that your organization tests for the integrity and completeness of backup data on a regular basis.

The business continuity test is a very important element of SOC 2 availability criteria 1.3. I know we, as auditors, talk a lot about tests that we want you to perform. BCP testing is another one of those tests, and it is worth its weight in gold when you have an actual event. BCP testing will help you practice for the case where you weren’t able to be in the facility that you’re used to being in every day. Let’s say you lost a key member of your staff because there was a tornado. She’s working out of her home trying to take care of her family, get her house and living arrangements back up and running, and is unable to be at work. How would you continue operations while that key member is distracted because of an environmental event that occurred?

Going through those tests and scenarios will help you prepare, but there’s one very specific test for which you have to have evidence to show your auditor that you’ve performed it: the test of the veracity of your data backups. You need to be able to show, on a random basis, that the backup occurred, that it was successful, and that the data can actually be restored. There have been several cases where we’ve performed that test: we’ve gone in and randomly selected a backup, and the backup had failed and the data that they were expecting to be there wasn’t there (perhaps the media went bad). These are the reasons why you should check those things and make sure that you have good data backups, and why, if you’ve performed testing yourself, you should be able to show the auditor that it is a part of your day-to-day system operations.
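The backup veracity test described above, turned into a repeatable check that produces the evidence an auditor asks for. This is an added example, not the article's or its author's code: it assumes a constructed backup format (a tar.gz plus a JSON manifest of per-file SHA-256 hashes, standing in for whatever backup job the organization actually runs), picks one backup at random, restores it to a scratch directory, compares every file against the manifest, and records the outcome, including the bad-media case, as a dated evidence record.

```python
import hashlib, json, os, random, tarfile, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_backup(src_dir, backup_dir, name):
    """Stand-in for the real backup job: tar.gz src_dir and write a per-file SHA-256 manifest."""
    archive = os.path.join(backup_dir, name + ".tar.gz")
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for fn in files:
                full = os.path.join(root, fn)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return archive

def verify_backup(archive):
    """Restore to a scratch dir, check every file against the manifest, return an evidence record."""
    rec = {"archive": os.path.basename(archive), "tested_at": datetime.now(timezone.utc).isoformat(),
           "restored_ok": False, "missing": [], "corrupt": [], "error": None}
    # Use the 'data' extraction filter (blocks path traversal) where this Python has it.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with open(archive + ".manifest.json") as f:
            manifest = json.load(f)
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **opts)
            for rel, expected in manifest.items():
                path = os.path.join(scratch, rel)
                if not os.path.isfile(path):
                    rec["missing"].append(rel)
                elif sha256_file(path) != expected:
                    rec["corrupt"].append(rel)
        rec["restored_ok"] = not (rec["missing"] or rec["corrupt"])
    except Exception as e:  # unreadable media, bad manifest, failed extraction: record it, don't crash
        rec["error"] = repr(e)
    return rec

def random_restore_test(backup_dir, rng=random):
    """Pick one backup at random, as an auditor would, and verify it."""
    names = sorted(p for p in os.listdir(backup_dir) if p.endswith(".tar.gz"))
    return verify_backup(os.path.join(backup_dir, rng.choice(names)))
```

A failed restore is recorded rather than raised, so the same run that shows an auditor a successful test also shows the failures that prompted a fix.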