Business Continuity and Availability Controls

Business continuity and availability controls address one of the most fundamental client concerns: if something goes wrong — a data center failure, a ransomware attack, a critical service outage — how quickly can the service organization recover, and what guarantees does it have about the continued availability of its service? The Availability TSC (when included in scope) and CC9 business continuity requirements together address this concern through defined objectives, tested recovery procedures, and documented evidence of operational resilience.

 

Defining RTO and RPO

Recovery Time Objective (RTO) is the maximum acceptable downtime after an incident: the time from incident declaration to service restoration. Recovery Point Objective (RPO) is the maximum acceptable data loss, expressed as the age of the most recent backup that can be restored. Both must be defined, documented, and — critically — tested. Defining an RTO of 4 hours without evidence of a recovery test that achieved 4-hour restoration is an unsubstantiated claim.

| Concept | Definition | SOC 2 Evidence Requirement |
|---|---|---|
| RTO | Maximum acceptable time from incident to service restoration | Defined in BCP; tested in DR exercise; test results showing actual recovery time vs. RTO |
| RPO | Maximum acceptable data loss (age of backup restored) | Defined in BCP; backup frequency matches RPO; restoration test confirming backup age at time of restore |
| MTTR (Mean Time to Recover) | Average time to restore service from historical incidents | Incident register with detection time, response time, and resolution time; MTTR calculation and trend |
| Availability SLA | The uptime commitment made to clients (e.g., 99.9%) | Uptime monitoring dashboard; SLA performance report for the audit period; incident records with downtime duration |

 

Backup Configuration and Testing

Backup configuration alone does not satisfy CC9. The backup must be tested: auditors want evidence that backup restoration has been attempted successfully and within the defined RPO timeframe. A backup that has never been restored may not work when needed — and auditors know this.

The minimum backup testing evidence includes: backup configuration showing automated backup schedule and retention; restoration test record showing date, tested systems, backup age at restore, time to restore, and success confirmation; and the person responsible for the test. Annual restoration tests are the minimum; quarterly tests for critical data are better practice and reduce audit scrutiny.

IMPORTANT: Backup test records must be contemporaneous — written at the time of the test, not reconstructed afterward. The test record should include the timestamp, the system tested, the backup used (age and size), the restoration destination (never restore to production from a test; use a test environment), the time taken, and a pass/fail assessment against the RTO. A one-page test record created immediately after the restoration exercise is sufficient evidence.
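As an added example (not part of the original article), the following Python evaluates the evidence described in the RTO/RPO table above and in the test-record note: it checks a restoration test record against RTO and RPO, flags a backup schedule that cannot support the RPO and a restore aimed at production, and derives MTTR and measured availability from an incident register for comparison with the SLA. All objective values, system names and incident times are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical objectives for the example (not from any real BCP).
RTO = timedelta(hours=4)    # maximum acceptable time from incident to restoration
RPO = timedelta(hours=1)    # maximum acceptable data loss (age of backup restored)
SLA_TARGET = 99.9           # availability commitment to clients, in percent

@dataclass
class RestoreTest:          # one contemporaneous restoration test record
    tested_at: datetime
    system: str
    backup_taken_at: datetime   # backup age at restore = tested_at - backup_taken_at
    destination: str            # must be a test environment, never production
    duration: timedelta         # time from start of restore to confirmed success
    succeeded: bool

def assess_restore_test(t: RestoreTest, backup_interval: timedelta) -> dict:
    """Evaluate a test record against RTO/RPO and flag common evidence gaps."""
    backup_age = t.tested_at - t.backup_taken_at
    return {
        "rto_met": t.succeeded and t.duration <= RTO,
        "rpo_met": t.succeeded and backup_age <= RPO,
        # A schedule looser than the RPO cannot meet it, even if one test got lucky.
        "schedule_supports_rpo": backup_interval <= RPO,
        "non_production_target": "prod" not in t.destination.lower(),
    }

@dataclass
class Incident:
    detected_at: datetime       # downtime runs from detection to resolution
    resolved_at: datetime

def total_downtime(incidents: list) -> timedelta:
    return sum((i.resolved_at - i.detected_at for i in incidents), timedelta())

def mttr_hours(incidents: list) -> float:   # mean time to recover, in hours
    return total_downtime(incidents).total_seconds() / 3600 / len(incidents)

def availability_pct(incidents: list, period: timedelta) -> float:
    return 100.0 * (1 - total_downtime(incidents) / period)   # measured uptime, percent

if __name__ == "__main__":   # constructed sample: one test record, one quarter of incidents
    test = RestoreTest(datetime(2024, 3, 15, 9, 0), "customer-db", datetime(2024, 3, 15, 8, 20),
                       "dr-test-env", timedelta(hours=3, minutes=10), True)
    print(assess_restore_test(test, backup_interval=timedelta(hours=1)))
    register = [Incident(datetime(2024, 1, 8, 2, 0), datetime(2024, 1, 8, 2, 30)),
                Incident(datetime(2024, 2, 19, 14, 0), datetime(2024, 2, 19, 14, 45)),
                Incident(datetime(2024, 3, 3, 23, 0), datetime(2024, 3, 3, 23, 15))]
    print(f"MTTR {mttr_hours(register):.2f} h; availability "
          f"{availability_pct(register, timedelta(days=90)):.3f}% vs SLA {SLA_TARGET}%")
```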

 

Business Continuity / Disaster Recovery Plan

The BCP/DR plan is the documented procedure that defines what happens when normal operations cannot continue. It should cover: the activation criteria (what triggers invocation of the plan), the incident command structure (who makes decisions and who does what), system recovery priorities (which systems are recovered first), recovery procedures for each critical system, communication plans for clients and stakeholders, and recovery success criteria.

The BCP/DR plan must be current: an out-of-date plan that describes infrastructure that no longer exists or personnel who have left the organization undermines its credibility. Most organizations review and update the BCP annually as part of the compliance calendar, with a sign-off from the CISO or equivalent confirming that the plan reflects the current system architecture.

 

Tabletop Exercises

A tabletop exercise is a structured discussion in which key personnel walk through the response to a hypothetical disaster scenario step by step. It tests whether the plan is understood, whether roles and responsibilities are clear, and whether gaps in the plan are identified and addressed. Tabletop exercises do not require actual system recovery — they are discussion-based — but they produce a documented record of identified gaps and follow-up actions.

Auditors look for tabletop exercise records that show: the scenario tested, the participants, the response walkthrough, the gaps identified, and the action items assigned. A one-page record of a 90-minute tabletop exercise satisfies this requirement. Organizations that conduct annual tabletop exercises plus annual backup restoration tests have a strong evidence package for CC9 business continuity.

BITLION INSIGHT: Tabletop exercises are one of the lowest-cost, highest-value compliance activities available. A 90-minute session with 5–8 key personnel, a facilitator with a realistic scenario (ransomware attack, cloud provider outage, key personnel unavailability), and a note-taker recording the discussion produces both a compliance evidence artifact and genuine organizational learning about recovery readiness. Schedule it annually; document it thoroughly.