16.4 Availability, Backup, and Recovery Controls

Availability as a Control Objective

Availability means information and systems are accessible for operation and use as committed or agreed. In ISC, availability is not merely an IT uptime statistic; it drives payroll processing, billing, cash receipts, inventory movement, reporting deadlines, and the availability category of SOC 2 engagements (one of the five trust services categories alongside security, confidentiality, processing integrity, and privacy).

A strong availability program includes business continuity planning (BCP), disaster recovery planning (DRP), backup and restoration procedures, monitoring, incident escalation, capacity management, and periodic testing. A BCP keeps the business operating (people, facilities, processes); a DRP restores the technology (systems, data, infrastructure). They overlap but are distinct documents, and the exam often forces you to pick which one a fact pattern describes.

Recovery sites are a frequent test topic. A hot site is a fully equipped, near-instant facility with current data ready for failover (supports the shortest RTO, highest cost). A warm site has hardware and connectivity but needs data restoration and configuration before use (moderate RTO and cost). A cold site is essentially empty space with power and connectivity, requiring days to equip (longest RTO, lowest cost). A mirrored/redundant site runs in parallel for immediate cutover. Match the site to the RTO: a payroll system that must recover in hours cannot rely on a cold site.

Cloud-based recovery and "disaster recovery as a service" increasingly replace physical alternate sites but follow the same RTO/cost logic.

Business Impact Analysis and Recovery Objectives

A business impact analysis (BIA) identifies critical processes and estimates the effect of disruption. It determines dependencies, peak processing periods, legal or contractual obligations, manual workarounds, recovery priorities, and resources required to resume operations. Two metrics drive recovery design and are routinely tested:

The distinction is high-yield: RTO looks forward (how fast can we be running again?); RPO looks backward (how much recent data can we afford to lose?). A short RPO demands frequent data capture; a short RTO demands fast failover and tested restores.

Mirroring, Replication, and Backup Types

Mirroring maintains an exact or near-exact copy of data or systems, often for rapid failover. Replication copies data between locations and may be synchronous (near-real-time, supports a very short RPO) or asynchronous (some delay, lower cost). These tools cut downtime and data loss but will faithfully copy corrupted or unauthorized changes if recovery points and monitoring are weak, which is why backups remain necessary.

Backup types and their tradeoffs:

• Full backup: copies all selected data; simplest restore, highest storage and time cost.
• Incremental backup: copies changes since the last backup of any type; smallest and fastest to create, but restore needs the full backup plus every incremental in the chain.
• Differential backup: copies changes since the last full backup; restore needs only the full backup plus the latest differential, but each differential grows until the next full.

Restore worked example. Full backup Sunday; differentials Mon-Fri. A failure Thursday morning restores from the Sunday full plus the Wednesday differential (the latest one). With incrementals instead, you would need Sunday plus Monday, Tuesday, and Wednesday.

Availability Metrics and SOC 2 Thinking

Common measures include agreed service time, downtime, uptime percentage, incident duration, mean time to detect (MTTD), and mean time to restore (MTTR). In a SOC 2 availability examination, a CPA evaluates whether controls are suitably designed (Type 1) and operating effectively over a period (Type 2) to meet availability commitments and system requirements.

Strong evidence includes approved BCP/DRP documents, backup schedules, successful restore-test logs, incident tickets, monitoring alerts, capacity reports, failover-test results, and documented remediation of failed backups. Weak evidence is management asserting that backups exist without proof that data can actually be restored, an untested plan, or a contact list that has never been exercised.

Exam Focus

Start from the business requirement. If downtime tolerance is low (short RTO), choose redundancy, failover, monitoring, and tested recovery. If data-loss tolerance is low (short RPO), choose frequent backups or replication plus restoration testing. If the fact pattern mentions failed backups, the strongest response is never "buy more storage"; it is to investigate the failures, remediate the root cause, and re-test the restore.

Availability also depends on protecting backups themselves. The widely cited 3-2-1 rule keeps three copies of data on two different media with at least one copy offsite (or offline/immutable). Offline or immutable copies matter against ransomware, which deliberately encrypts both production data and any reachable backups; replication alone would faithfully copy the encrypted files. Pair recovery design with redundancy components such as uninterruptible power supplies, redundant array of independent disks (RAID) storage, and clustered servers so that a single hardware failure does not cause an outage in the first place.

Prevention reduces how often the recovery plan must be invoked.