Availability is the information security principle that ensures authorised users have timely and uninterrupted access to the information and systems they need. Under ISO 27001:2022 the primary technical requirement is redundancy and resilience of information processing facilities (Annex A 8.14); the business benefit is operational continuity, reduced downtime risk, and consistent service delivery.
What is Availability?
Availability is a fundamental principle of information security. It ensures that authorised users have timely and uninterrupted access to information and associated assets when they are needed. Availability is one of the three core pillars of the CIA Triad (Confidentiality, Integrity, and Availability).
Examples
- System Uptime: Ensuring a website or application is accessible whenever it is needed, with maintenance windows scheduled outside the agreed service hours rather than during them.
- Data Recovery: Having a robust backup and recovery plan so that if data is lost or corrupted, it can be restored quickly.
- Redundancy: Using multiple servers or networks so that if one fails, the service can seamlessly switch to another, preventing downtime.
- Denial-of-Service (DoS) Protection: Implementing controls to protect against attacks that are designed to make a service unavailable to its users.
ISO 27001 Context
While many people focus on data breaches (Confidentiality), an organisation’s ability to operate and provide its services is directly tied to the availability of its information systems. ISO 27001 requires organisations to identify and manage risks that could impact availability, ensuring business continuity and operational resilience. The ISO 27001 standard covers the requirement to have a business response (ISO 27001 Annex A 5.29 Information Security During Disruption) and a technical response (ISO 27001 Annex A 5.30 ICT Readiness For Business Continuity).
How to implement Availability
Ensuring availability within an ISO 27001 framework requires a proactive approach to resilience, redundancy, and risk management. As a Lead Auditor, I recommend implementing these technical controls to ensure your information assets remain accessible and usable upon demand by authorised users, effectively mitigating the risk of unplanned downtime or service degradation.
1. Define Requirements and Asset Criticality
1. Identify Critical Assets: Populate your Asset Register to categorise systems based on their availability requirements, ensuring resources are allocated to the most vital business functions.
2. Formalise Availability Policies: Establish a formal policy that defines acceptable levels of uptime and sets the “Rules of Engagement” for system maintenance and emergency access.
- Document Recovery Time Objectives (RTO) for every critical asset.
- Define Recovery Point Objectives (RPO) to specify acceptable data loss limits.
- Link asset criticality to your broader Business Impact Analysis (BIA).
2. Implement Technical Redundancy and Resilience
3. Provision Redundant Infrastructure: Deploy load balancers, failover clusters, and redundant power supplies to eliminate single points of failure within your primary data path.
4. Establish Automated Backup Solutions: Configure immutable, off-site backups with automated verification to ensure data remains available even following a ransomware event or hardware failure.
- Utilise RAID configurations for local server storage resilience, remembering that RAID only protects against disk failure: it mirrors deletions, corruption and ransomware encryption just as faithfully, so it is not a substitute for backups.
- Implement geographically dispersed cloud regions for critical service hosting.
- Verify that backup encryption keys are stored securely and remain accessible during a recovery event.
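The automated verification called for above is the part most backup regimes skip: a backup that has never been restored is only an assumption. The following added example (not code from the original article) creates a backup with a sealed checksum manifest and then proves it by a trial restore into a scratch directory. The source files, backup location and `MANIFEST_KEY` are constructed for the demonstration; in production the sealing key would be held in a KMS or HSM, and because verification cannot succeed without that key, a scheduled run of this routine also doubles as the "is the key still retrievable" check.

```python
"""Create a backup with a sealed checksum manifest and verify it by a trial restore.

Added example. The source files, the backup location and MANIFEST_KEY are constructed
here for the demonstration; in production the key would come from a KMS or HSM.
"""
import hashlib
import hmac
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_KEY = b"demo-only-manifest-key"  # hypothetical; never hard-code a real key


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest: Path, key: bytes) -> Path:
    """Archive every file under `source`, record each file's SHA-256 plus the archive's
    own digest, and seal the manifest with an HMAC so a tampered manifest cannot be
    used to vouch for a tampered archive."""
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / "backup.tar.gz"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                files[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    manifest = {"files": files, "archive_sha256": sha256_file(archive)}
    body = json.dumps(manifest, sort_keys=True).encode()
    sealed = {"manifest": manifest, "hmac": hmac.new(key, body, "sha256").hexdigest()}
    (dest / "manifest.json").write_text(json.dumps(sealed, sort_keys=True))
    return archive


def verify_backup(dest: Path, key: bytes) -> dict:
    """Trial-restore into a scratch directory and compare against the sealed manifest.
    The seal check needs the key, so a missing or wrong verification key is surfaced
    by the scheduled test rather than during a real incident."""
    report = {"ok": False, "seal_valid": False, "archive_valid": False, "mismatched": []}
    sealed = json.loads((dest / "manifest.json").read_text())
    body = json.dumps(sealed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    report["seal_valid"] = hmac.compare_digest(expected, sealed["hmac"])
    if not report["seal_valid"]:
        return report
    archive = dest / "backup.tar.gz"
    report["archive_valid"] = sha256_file(archive) == sealed["manifest"]["archive_sha256"]
    if not report["archive_valid"]:
        return report
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            for m in tar.getmembers():  # refuse path-traversal members before extracting
                if m.name.startswith("/") or ".." in Path(m.name).parts:
                    raise ValueError(f"unsafe archive member: {m.name}")
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
        restored = {p.relative_to(scratch).as_posix(): sha256_file(p)
                    for p in Path(scratch).rglob("*") if p.is_file()}
    report["mismatched"] = [rel for rel, d in sealed["manifest"]["files"].items()
                            if restored.get(rel) != d]
    report["ok"] = not report["mismatched"]
    return report


def demo():
    """Constructed run: a good backup verifies; a corrupted archive and a forged manifest do not."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "data", Path(tmp) / "backup"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "q1.csv").write_text("id,amount\n1,100\n")
        (src / "config.yaml").write_text("rto: 4h\nrpo: 15m\n")
        archive = create_backup(src, dest, MANIFEST_KEY)
        good = verify_backup(dest, MANIFEST_KEY)
        with archive.open("ab") as f:          # simulate bit-rot or tampering of the archive
            f.write(b"\x00")
        corrupted = verify_backup(dest, MANIFEST_KEY)
        sealed = json.loads((dest / "manifest.json").read_text())
        sealed["manifest"]["archive_sha256"] = sha256_file(archive)  # forge digest without the key
        (dest / "manifest.json").write_text(json.dumps(sealed, sort_keys=True))
        forged = verify_backup(dest, MANIFEST_KEY)
    return good, corrupted, forged


if __name__ == "__main__":
    for label, r in zip(("good", "corrupted", "forged"), demo()):
        print(label, r)
```

Immutability itself is a property of the storage tier (object lock, WORM media, a vault the backup credentials cannot delete from), not of the verification script; what the script gives you is the auditable evidence that the immutable copy is actually restorable.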
3. Manage System Capacity and Performance
5. Monitor Resource Utilisation: Deploy real-time monitoring tools to track CPU, memory, and storage capacity, preventing downtime caused by resource exhaustion or performance bottlenecks.
- Set automated alerts for capacity thresholds exceeding 80 per cent.
- Review historical performance trends to inform hardware procurement cycles.
- Implement auto-scaling groups for cloud environments to handle traffic spikes.
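A static 80 per cent alert tells you a resource is busy today; the trend review in the step above is what tells you when it will run out. The added example below (not code from the original article) does both over constructed metric samples: it flags the latest reading of each resource against the threshold and fits a least-squares line to its history to estimate days until 100 per cent utilisation, warning when that falls inside a planning horizon. The threshold and horizon values are hypothetical policy settings, and the samples are made up for the demonstration.

```python
"""Capacity-threshold alerting plus trend-based exhaustion forecasting.

Added example: the metric samples below are constructed, not real telemetry, and the
threshold and horizon are hypothetical policy values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

ALERT_THRESHOLD = 0.80        # alert once utilisation exceeds 80 per cent
FORECAST_HORIZON_DAYS = 30.0  # warn when projected to hit 100 per cent within 30 days


@dataclass(frozen=True)
class Sample:
    ts: datetime
    resource: str      # "<host>:<metric>", e.g. "db01:disk"
    used: float
    capacity: float

    @property
    def utilisation(self) -> float:
        return self.used / self.capacity


def days_to_exhaustion(samples):
    """Fit a least-squares line to utilisation over time and return the number of days
    from the newest sample until the fitted line reaches 100 per cent.
    Returns None when fewer than two samples exist or the trend is flat or falling."""
    if len(samples) < 2:
        return None
    t0 = min(s.ts for s in samples)
    xs = [(s.ts - t0).total_seconds() / 86400 for s in samples]
    ys = [s.utilisation for s in samples]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        return None
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    if slope <= 0:
        return None
    intercept = my - slope * mx
    x_full = (1.0 - intercept) / slope      # day on which the line crosses 100 per cent
    return max(0.0, x_full - max(xs))


def capacity_report(samples, threshold=ALERT_THRESHOLD, horizon_days=FORECAST_HORIZON_DAYS):
    """Per resource: current utilisation, whether it breaches the threshold, the projected
    days to exhaustion, and whether that projection falls inside the planning horizon."""
    by_resource = defaultdict(list)
    for s in samples:
        by_resource[s.resource].append(s)
    report = {}
    for resource, group in by_resource.items():
        latest = max(group, key=lambda s: s.ts)
        eta = days_to_exhaustion(group)
        report[resource] = {
            "utilisation": round(latest.utilisation, 3),
            "threshold_alert": latest.utilisation > threshold,
            "days_to_exhaustion": None if eta is None else round(eta, 1),
            "forecast_warning": eta is not None and eta <= horizon_days,
        }
    return report


def sample_metrics():
    """Constructed samples: db01's disk grows two points a day; web01's CPU is nearly flat."""
    day0 = datetime(2024, 3, 1)
    rows = [
        ("db01:disk", 0, 620, 1000), ("db01:disk", 5, 720, 1000), ("db01:disk", 10, 820, 1000),
        ("web01:cpu", 0, 40, 100), ("web01:cpu", 5, 35, 100), ("web01:cpu", 10, 45, 100),
    ]
    return [Sample(day0 + timedelta(days=d), r, used, cap) for r, d, used, cap in rows]


if __name__ == "__main__":
    for resource, row in capacity_report(sample_metrics()).items():
        print(resource, row)
```

On the constructed data the database disk is at 82 per cent and on its current trend fills in about nine days, so it raises both the threshold alert and the forecast warning; the web server's CPU sits at 45 per cent with a projected 115 days of headroom and raises neither. A linear fit is deliberately simple; seasonal or step-change workloads need a longer history and a model that reflects them.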
4. Document Continuity and Incident Response
6. Formalise Business Continuity Plans (BCP): Create detailed recovery procedures that outline the specific technical steps required to restore services following a major disruption.
- Assign clear roles and responsibilities within the Disaster Recovery (DR) team.
- Include contact details for third-party vendors and critical infrastructure providers.
- Maintain hard copies of recovery documents in secure, accessible locations.
5. Secure Maintenance and Access Controls
7. Restrict Administrative Access: Use Identity and Access Management (IAM) roles and Multi-Factor Authentication (MFA) so that only authorised personnel can change the infrastructure, backup, and failover configuration on which availability depends; an attacker or a careless administrator who can delete backups or disable replication can destroy availability without ever touching the data itself.
8. Execute Regular Patch Management: Provision a formal patching schedule to address vulnerabilities that could be exploited to cause a Denial of Service (DoS) or system instability.
- Apply security patches within defined timeframes based on risk severity.
- Use staging environments to test patches before deploying to production.
- Audit administrative logs to detect unauthorised configuration changes.
6. Validate Performance through Testing and Audit
9. Test Disaster Recovery Procedures: Conduct failover simulations and tabletop exercises at least annually, and after any significant change to critical systems, to validate that RTO and RPO targets are technically achievable rather than merely documented.
10. Audit Availability Metrics: Review uptime reports and incident logs quarterly to identify recurring issues and drive continuous improvement within the ISMS.
- Document the results of all recovery tests for auditor review.
- Update the Asset Register based on lessons learned during testing.
- Align availability metrics with the requirements of the ISO 27001 standard.
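The RTO and RPO targets documented in step 1 only mean something once a recovery test has produced the timestamps to measure them against. The added example below (not code from the original article) evaluates constructed test evidence against constructed targets: achieved RTO is the time from the simulated disruption to verified restoration, achieved RPO is the age of the newest recoverable point at the moment of the disruption, and an asset that has a target but no test is reported as untested, which is itself an audit finding. Asset names and figures are made up for the illustration.

```python
"""Evaluate disaster-recovery test evidence against documented RTO/RPO targets.

Added example: the targets and test results below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AvailabilityTarget:
    asset: str
    rto: timedelta   # maximum tolerable time from disruption to restored service
    rpo: timedelta   # maximum tolerable data loss, as time before the disruption


@dataclass(frozen=True)
class RecoveryTest:
    asset: str
    failed_at: datetime          # moment of the simulated disruption
    last_good_point: datetime    # newest recoverable backup or replica point
    restored_at: datetime        # service verified working again


def evaluate(target: AvailabilityTarget, test: RecoveryTest) -> dict:
    """Compare the achieved recovery time and data-loss window with the targets."""
    if test.restored_at < test.failed_at or test.last_good_point > test.failed_at:
        raise ValueError(f"{test.asset}: inconsistent timestamps in test record")
    achieved_rto = test.restored_at - test.failed_at
    achieved_rpo = test.failed_at - test.last_good_point
    return {
        "asset": target.asset,
        "achieved_rto_min": achieved_rto / timedelta(minutes=1),
        "achieved_rpo_min": achieved_rpo / timedelta(minutes=1),
        "rto_met": achieved_rto <= target.rto,
        "rpo_met": achieved_rpo <= target.rpo,
        "passed": achieved_rto <= target.rto and achieved_rpo <= target.rpo,
    }


def dr_test_report(targets, tests) -> dict:
    """Roll up results per asset. Assets with a target but no test are listed as untested;
    the report passes only when every targeted asset was tested and met both objectives."""
    by_asset = {t.asset: t for t in tests}
    results = {tgt.asset: evaluate(tgt, by_asset[tgt.asset])
               for tgt in targets if tgt.asset in by_asset}
    untested = sorted(tgt.asset for tgt in targets if tgt.asset not in by_asset)
    failed = sorted(a for a, r in results.items() if not r["passed"])
    return {"results": results, "untested": untested, "failed": failed,
            "all_passed": not untested and not failed}


def sample_evidence():
    """Constructed targets and test records (hypothetical asset names)."""
    targets = [
        AvailabilityTarget("erp-db", rto=timedelta(hours=4), rpo=timedelta(minutes=15)),
        AvailabilityTarget("web-portal", rto=timedelta(hours=1), rpo=timedelta(hours=1)),
        AvailabilityTarget("hr-files", rto=timedelta(hours=24), rpo=timedelta(hours=24)),
    ]
    tests = [
        RecoveryTest("erp-db", datetime(2024, 5, 14, 9, 0),
                     datetime(2024, 5, 14, 8, 50), datetime(2024, 5, 14, 12, 30)),
        RecoveryTest("web-portal", datetime(2024, 5, 14, 14, 0),
                     datetime(2024, 5, 14, 12, 30), datetime(2024, 5, 14, 14, 45)),
    ]
    return targets, tests


if __name__ == "__main__":
    targets, tests = sample_evidence()
    report = dr_test_report(targets, tests)
    for asset, row in report["results"].items():
        print(asset, row)
    print("untested:", report["untested"], "failed:", report["failed"])
```

In the constructed run the ERP database restores in 210 minutes with 10 minutes of data loss and passes; the web portal restores well inside its RTO but its newest recoverable point was 90 minutes old against a 60-minute RPO, so it fails on RPO alone, which is exactly the kind of finding that should feed back into backup frequency and the Asset Register. The HR file share has a target but no test, so the report cannot pass.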
Availability FAQ
What is availability in the context of ISO 27001?
Availability is the property of being accessible and usable upon demand by an authorised entity. In ISO 27001 it means that critical business information and services remain usable when needed, so that the productivity loss, missed obligations and recovery cost of downtime or denial of service are kept within the limits the organisation has decided it can tolerate.
Why is availability a core pillar of the CIA triad?
Availability forms the third pillar of the CIA triad alongside Confidentiality and Integrity. Without it, well-protected data is useless because it cannot be reached when it is needed. Industry estimates frequently quoted in resilience planning put the average cost of unplanned downtime at around £4,500 per minute, which is why availability is treated as essential to operational continuity rather than as an IT convenience.
How does ISO 27001 Annex A 8.14 manage redundancy and availability?
Annex A 8.14 requires that information processing facilities are implemented with sufficient redundancy to meet availability requirements. This involves technical implementations such as:
- Load balancing to distribute traffic across multiple servers.
- Dual power supplies and uninterruptible power sources (UPS).
- Geographically dispersed data centres to mitigate regional outages.
What is the difference between RTO and RPO in availability planning?
Recovery Time Objective (RTO) defines the maximum duration permitted to restore a system after a failure, while Recovery Point Objective (RPO) specifies the maximum tolerable data loss, expressed as the time between the last recoverable point and the failure; an RPO of 15 minutes therefore implies backups or replication at least that frequent. Auditors look for documented RTO and RPO targets, and for test evidence that they have been achieved, to validate a resilience strategy.
How does capacity management impact system availability?
Capacity management (Annex A 8.6) ensures that system resources are monitored and tuned to meet current and future demand. Effective capacity management prevents a large share of performance-related outages by detecting rising CPU, memory, storage and network utilisation early enough to add capacity before a threshold is breached to the point of service failure.
