
SOC 2 A1.2: Availability - Environmental Protections, Backups, and Recovery Infrastructure

What This Control Requires

The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.

In Plain Language

When your primary environment goes down - whether from a power failure, cooling malfunction, or regional disaster - this control is about whether you can actually recover. Auditors want to see that you've invested in both prevention (environmental protections) and cure (backups and DR infrastructure). In practice, this covers reliable power systems with UPS and generators, environmental monitoring and cooling for data centre equipment, automated data backups with verified recovery capabilities, and disaster recovery infrastructure you can activate when the primary environment is unavailable. If you're cloud-based, your provider handles most physical environmental controls, but backup and recovery remain squarely your responsibility. Assessors evaluate the adequacy of your environmental protections, the completeness and reliability of backup processes, whether you've actually tested restoring from those backups, and the readiness of your DR infrastructure. Having these capabilities on paper isn't enough - you need to show they're actively maintained, monitored, and tested.

How to Implement

  • Put environmental protections in place for on-premises or colocation environments: UPS units sized for sufficient runtime, backup generators with automatic transfer switches and regular testing, redundant cooling with environmental monitoring and alerting, fire detection and suppression appropriate for the equipment, and water leak detection in vulnerable areas.
  • Define a comprehensive backup strategy. Specify backup types (full, incremental, differential), frequency, retention periods, and storage locations for all critical data and systems. Follow the 3-2-1 rule: at least three copies of data, on two different types of media, with one copy stored off-site or in a different cloud region.
  • Automate and monitor your backups. Set up automated schedules for all in-scope systems. Configure monitoring that alerts on failures, incomplete backups, and duration anomalies. Track success rates and investigate failures promptly. Keep backup logs documenting what was backed up, when, and where it was stored.
  • Test backup recovery regularly. Run restoration tests at least quarterly for critical systems, covering full system recovery, individual file and database restoration, and point-in-time recovery. Document results including recovery time, data integrity verification, and any issues encountered. Compare actual recovery times against your RTO targets.
  • Design and maintain your disaster recovery infrastructure. Set up a DR site in a geographically separate location. Configure data replication between primary and DR sites with an appropriate RPO. Write DR runbooks documenting the steps for failover and failback. Keep DR infrastructure current with the primary environment.
  • Conduct regular DR failover tests. At minimum, run an annual DR exercise validating your ability to restore critical services at the DR site. Include stakeholders from operations, engineering, and business teams. Document results and remediate any issues discovered.
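The monitoring and 3-2-1 checks described above, as an added example that is not part of the AuditFront page: a small evaluator that runs over constructed backup-job records and flags failed jobs, RPO breaches, duration anomalies, and copy sets that break the 3-2-1 rule. The record layout, the POLICY values and the "dc1" primary-site name are assumptions made for this illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample backup-job records (not real logs). Each copy is a
# (media type, location) pair so the 3-2-1 rule can be checked per system.
JOBS = [
    {"system": "orders-db", "start": "2024-05-01T01:00", "end": "2024-05-01T01:40", "status": "success",
     "copies": [("disk", "dc1"), ("object", "region-b"), ("tape", "offsite-vault")]},
    {"system": "orders-db", "start": "2024-05-02T01:00", "end": "2024-05-02T03:30", "status": "success",
     "copies": [("disk", "dc1"), ("object", "region-b"), ("tape", "offsite-vault")]},
    {"system": "crm-app", "start": "2024-04-28T02:00", "end": "2024-04-28T02:20", "status": "success",
     "copies": [("disk", "dc1"), ("disk", "dc1")]},
    {"system": "crm-app", "start": "2024-05-02T02:00", "end": "2024-05-02T02:05", "status": "failed",
     "copies": []},
]
# Assumed policy: 24h RPO, "dc1" is the primary site, a run taking more than
# 2x the median of earlier successful runs counts as a duration anomaly.
POLICY = {"rpo": timedelta(hours=24), "primary_site": "dc1", "duration_factor": 2.0}

def _t(s):
    return datetime.fromisoformat(s)

def evaluate_backups(jobs, now_iso, policy=POLICY):
    """Return (system, finding) tuples an operator should investigate."""
    now, findings, by_system = _t(now_iso), [], {}
    for j in jobs:
        by_system.setdefault(j["system"], []).append(j)
    for system, runs in by_system.items():
        runs.sort(key=lambda j: j["start"])
        ok = [j for j in runs if j["status"] == "success"]
        for j in runs:
            if j["status"] != "success":
                findings.append((system, f"job at {j['start']} {j['status']}"))
        if not ok:
            findings.append((system, "no successful backup on record"))
            continue
        # RPO check: age of the newest successful backup against the target
        age = now - _t(ok[-1]["end"])
        if age > policy["rpo"]:
            findings.append((system, f"RPO breached: last good backup {age} old"))
        # Duration anomaly: latest run far slower than the median of earlier runs
        durs = [(_t(j["end"]) - _t(j["start"])).total_seconds() for j in ok]
        if len(durs) > 1 and durs[-1] > policy["duration_factor"] * median(durs[:-1]):
            findings.append((system, "duration anomaly on latest run"))
        # 3-2-1 rule on the newest good copy set: 3 copies, 2 media, 1 off-site
        copies = ok[-1]["copies"]
        media = {m for m, _ in copies}
        offsite = any(loc != policy["primary_site"] for _, loc in copies)
        if len(copies) < 3 or len(media) < 2 or not offsite:
            findings.append((system, f"3-2-1 violated: {len(copies)} copies, {len(media)} media, offsite={offsite}"))
    return findings

if __name__ == "__main__":
    for system, finding in evaluate_backups(JOBS, "2024-05-02T09:00"):
        print(f"{system}: {finding}")
```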

Evidence Your Auditor Will Request

  • Environmental protection documentation including power, cooling, and fire suppression systems
  • Backup policies specifying schedules, retention, and storage locations for all critical systems
  • Backup monitoring records showing success rates and resolution of backup failures
  • Backup restoration test results including recovery times and data integrity verification
  • Disaster recovery infrastructure documentation and DR failover test results

Common Mistakes

  • Backup procedures are not documented and rely on individual knowledge rather than formal processes
  • Backup restoration is never tested, creating false confidence in recovery capability
  • Environmental monitoring is not configured to alert on temperature, humidity, or power anomalies
  • Disaster recovery infrastructure exists but is not maintained in sync with the primary environment
  • DR failover tests are not conducted, leaving the organization unprepared for an actual disaster

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.7.5        Related
ISO 27001   A.7.11       Related
ISO 27001   A.8.13       Equivalent
ISO 27001   A.8.14       Related
NIST CSF    PR.DS-04     Partial overlap

Frequently Asked Questions

How often should we test backup restoration?
Quarterly at minimum for critical systems. For your most critical databases and applications, monthly is better. Full DR failover tests should happen at least once a year. Also run additional tests after any significant changes to backup infrastructure, storage systems, or data volumes.
Are cloud-native backups sufficient, or do we need additional backup solutions?
Cloud-native backups like AWS RDS snapshots or Azure Backup can work well, but check whether they actually meet your RPO, RTO, and retention requirements. Consider adding cross-region replication for geographic resilience, point-in-time recovery for data corruption scenarios, and possibly a third-party backup solution for protection against cloud provider outages or account compromise.
What environmental protections do we need for a cloud-only environment?
The good news is your cloud provider handles the physical side - power, cooling, fire suppression. Verify that through their SOC 2 report. Your focus shifts to redundancy across availability zones and regions, backup and recovery processes, monitoring cloud service health, and maintaining DR capabilities in a separate region or with a separate provider.
