
Availability

Definition

Availability is the property of information, systems, and services being accessible and usable when needed by authorized users and processes. In ISO/IEC 27001, availability is treated as a core information security objective (alongside confidentiality and integrity) and is achieved through risk-based planning, operational controls, and continual monitoring. Organizations define availability requirements (e.g., critical business processes, recovery time objectives (RTOs), and recovery point objectives (RPOs)), assess risks that could disrupt service (such as outages, capacity exhaustion, misconfigurations, supplier failures, or malicious activity), and implement controls to prevent, detect, respond to, and recover from disruptions. Common ISO/IEC 27001-aligned practices include redundancy and failover design, backups and restoration testing, change and release controls to reduce downtime, capacity and performance management, incident response and escalation, and business continuity and disaster recovery arrangements. Availability is often expressed through measurable targets (such as uptime percentages, service level objectives, and maximum tolerable downtime) and is validated through monitoring, testing, and post-incident reviews. Related frameworks describe the same goal using terms like resilience, continuity, and service reliability.

Real-World Examples

High-availability deployment

An SMB runs its customer portal across multiple zones with automatic failover to reduce downtime during infrastructure faults.

Backups with restore testing

An enterprise performs scheduled backups and regularly tests restores to ensure data and services can be recovered after an incident.

Capacity monitoring and scaling

A startup uses alerts for CPU, memory, and queue depth and scales services before saturation causes outages.

BCDR exercises for critical services

A mid-sized organization runs disaster recovery drills to validate recovery time targets and improve operational readiness.

Availability means systems and data are accessible and usable when needed by authorized users, including during disruptions and recovery.

Availability is the ability to deliver service when needed; reliability is consistency over time, while uptime is a measured output of availability.

High availability is designing services to tolerate failures with minimal interruption, typically needed for critical, customer-facing, or revenue systems.

Availability is commonly calculated as (total time minus downtime) divided by total time, expressed as a percentage over a defined period.

MTBF estimates time between failures and MTTR estimates time to restore service; higher MTBF and lower MTTR generally improve availability.

Common causes include misconfigurations, software defects, capacity overload, dependency failures, network issues, human error, and malicious activity.

Redundancy, tested backups, robust change management, monitoring and alerting, capacity planning, and practiced recovery procedures are key drivers.

SLOs set internal availability targets, SLAs are customer commitments, and error budgets define allowable unreliability to balance change and stability.

Business continuity and disaster recovery (BCDR) plans provide planned procedures, roles, and technical capabilities to continue operations and restore services within defined recovery objectives.

Teams should monitor service health and dependencies, track incidents and downtime, report against targets, and use reviews to drive improvements.
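A worked example, added here and not part of the wiki entry, that applies the arithmetic from the paragraphs above (availability as uptime over total time, MTBF/MTTR, and the error budget left under an SLO) to a constructed 30-day incident log. The period, the 99.9 % SLO and the outage windows are assumptions; it also handles two edge cases a real report must get right: an outage that straddles the period boundary (only the in-period part counts) and overlapping incidents (never double counted).

```python
"""Availability, MTBF/MTTR and error-budget arithmetic over an incident log."""
from datetime import datetime, timedelta

# Assumed reporting period (30 days) and internal target (SLO = 99.9 %).
PERIOD_START = datetime(2026, 2, 1)
PERIOD_END = datetime(2026, 3, 3)
SLO = 0.999

# Constructed incident records as (start, end) pairs.
OUTAGES = [
    (datetime(2026, 1, 31, 23, 30), datetime(2026, 2, 1, 0, 15)),  # straddles period start: 15 min count
    (datetime(2026, 2, 10, 9, 0), datetime(2026, 2, 10, 9, 40)),   # 40 min
    (datetime(2026, 2, 10, 9, 30), datetime(2026, 2, 10, 9, 50)),  # overlaps previous: adds only 10 min
    (datetime(2026, 2, 20, 2, 0), datetime(2026, 2, 20, 2, 10)),   # 10 min
]


def merged_downtime(outages, start, end):
    """Clip each outage to [start, end] and merge overlapping windows."""
    clipped = sorted((max(s, start), min(e, end)) for s, e in outages if e > start and s < end)
    merged = []
    for s, e in clipped:
        if merged and s <= merged[-1][1]:          # overlaps or touches the previous window
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def total_downtime(outages, start=PERIOD_START, end=PERIOD_END):
    return sum((e - s for s, e in merged_downtime(outages, start, end)), timedelta())


def availability(outages, start=PERIOD_START, end=PERIOD_END):
    """(total time - downtime) / total time, as a fraction of 1."""
    total = end - start
    return (total - total_downtime(outages, start, end)) / total


def mtbf_mttr(outages, start=PERIOD_START, end=PERIOD_END):
    """Mean time between failures and mean time to restore; MTBF is None with no failures."""
    windows = merged_downtime(outages, start, end)
    if not windows:
        return None, timedelta()
    down = total_downtime(outages, start, end)
    return ((end - start) - down) / len(windows), down / len(windows)


def error_budget(outages, slo=SLO, start=PERIOD_START, end=PERIOD_END):
    """Allowed downtime under the SLO, downtime consumed, and what remains (negative = exhausted)."""
    allowed = (end - start) * (1 - slo)
    consumed = total_downtime(outages, start, end)
    return allowed, consumed, allowed - consumed
```

For this log the service reaches about 99.83 % over the period, below the 99.9 % target: 75 minutes of downtime against a 43.2-minute budget, so the error budget is exhausted and, under the policy described above, change should slow down in favour of stability.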

Version | Date | Author | Description
1.0.0 | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication