Availability
Availability is the information security objective ensuring that systems, applications and data are usable by authorised users whenever needed, in the expected function and at the expected speed.
Availability (German: Verfügbarkeit) is the property that information, IT systems and the services they provide are usable by authorised users whenever they are needed. Together with confidentiality and integrity it forms the three classic protection goals of information security (the so-called CIA triad). Availability is impaired by hardware and software failures, power outages, faulty configurations, overload, force majeure or targeted attacks such as distributed denial-of-service (DDoS) and ransomware. It is typically measured as the percentage of a reference period during which the service was actually usable (a target of 99.9 percent leaves roughly 8.8 hours of downtime per year), as well as through metrics such as Mean Time To Recovery (MTTR, the average time from the start of an outage until service is restored) and the recovery times agreed in service level agreements.
Ensuring availability combines technical and organisational measures: redundancy and fault tolerance (such as clusters, load balancing and geographically redundant data centres), regular backups with tested recovery procedures, uninterruptible power supplies, capacity and patch management, protection against overload (for example DDoS mitigation and rate limiting) and protection against ransomware, in particular backup copies kept offline or immutable so that an attacker who has gained administrative access cannot encrypt or delete them. This is embedded in business continuity and disaster recovery management, which defines recovery objectives on the basis of a business impact analysis: the Recovery Time Objective (RTO) is the maximum tolerable time until a service is restored, the Recovery Point Objective (RPO) the maximum tolerable amount of data loss, measured as the time between the last usable backup and the incident. The required level of availability follows from the protection requirement assessment of the respective system.
Availability is firmly anchored in law and standards. The NIS2 Directive and its national transposition require affected entities to take measures to maintain operations and to handle security incidents; Art. 32 GDPR explicitly requires the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident. ISO/IEC 27001 and the German BSI IT-Grundschutz treat availability as a central protection goal and call for corresponding measures, tests and recovery plans. Operators of critical infrastructure are additionally subject to heightened requirements for resilience and state-of-the-art protection.
Legal Basis
Art. 32 GDPR; NIS2 Directive (EU) 2022/2555; ISO/IEC 27001; BSI IT-Grundschutz
Practical Example
An information security officer at a mid-sized mechanical engineering firm classifies the ERP system as requiring high availability in the protection requirement assessment, because an outage would immediately halt production and delivery. She agrees a target availability of 99.9 percent with IT, an RTO of four hours and an RPO of 15 minutes. This is implemented through a redundant database cluster, daily full backups plus continuous transaction-log backups (which keep the possible data loss within the 15-minute RPO), an offline backup copy and a second power feed. In a semi-annual emergency drill the team plays through a simulated ransomware encryption, restores the system from the offline backup and documents the measured recovery time and data loss against the agreed RTO and RPO as evidence for the internal audit and for the business continuity measures NIS2 requires.
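The figures in the practical example above (99.9 percent, RTO four hours, RPO 15 minutes) only become meaningful once they are measured. The following Python script is an added example, not part of the original entry and not the firm's own tooling: it computes the availability percentage, the downtime budget implied by the target and the MTTR from a constructed outage log, and checks a constructed recovery drill against the RTO and RPO. All timestamps and outage causes are invented sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original entry): the first quarter of 2024
# as the reference period and three unplanned outages of the ERP system, each as
# (start, end). Planned maintenance windows are assumed to be excluded from the
# measurement, as service level agreements usually stipulate.
PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = datetime(2024, 4, 1)
OUTAGES = [
    (datetime(2024, 1, 14, 2, 10), datetime(2024, 1, 14, 3, 25)),   # 75 min, storage failure
    (datetime(2024, 2, 28, 11, 0), datetime(2024, 2, 28, 11, 40)),  # 40 min, faulty config push
    (datetime(2024, 3, 9, 22, 5), datetime(2024, 3, 9, 22, 20)),    # 15 min, overload
]

# Targets agreed in the practical example.
TARGET_PCT = 99.9
RTO = timedelta(hours=4)
RPO = timedelta(minutes=15)

# Constructed timestamps of the drill: ransomware "detected", last clean offline
# backup taken before that point, and the moment the restored ERP went back to users.
DRILL = {
    "incident_at": datetime(2024, 3, 20, 9, 0),
    "last_good_backup_at": datetime(2024, 3, 20, 8, 50),
    "restored_at": datetime(2024, 3, 20, 12, 30),
}


def downtime(period_start, period_end, outages):
    """Total unplanned downtime inside the period; outages straddling its edges are clipped."""
    total = timedelta()
    for start, end in outages:
        start, end = max(start, period_start), min(end, period_end)
        if end > start:
            total += end - start
    return total


def availability_pct(period_start, period_end, outages):
    """Share of the reference period during which the service was usable, in percent."""
    period = period_end - period_start
    return (period - downtime(period_start, period_end, outages)) / period * 100


def allowed_downtime(target_pct, period):
    """Downtime budget implied by an availability target over the given period."""
    return period * ((100 - target_pct) / 100)


def mttr(outages):
    """Mean Time To Recovery: average duration of an outage."""
    if not outages:
        return timedelta()
    return sum((end - start for start, end in outages), timedelta()) / len(outages)


def evaluate_drill(incident_at, last_good_backup_at, restored_at, rto=RTO, rpo=RPO):
    """Check a recovery drill: time to restore against RTO, data lost since the last backup against RPO."""
    recovery_time = restored_at - incident_at
    data_loss = incident_at - last_good_backup_at
    return {
        "recovery_time": recovery_time,
        "data_loss": data_loss,
        "rto_met": recovery_time <= rto,
        "rpo_met": data_loss <= rpo,
    }


if __name__ == "__main__":
    period = PERIOD_END - PERIOD_START
    actual = availability_pct(PERIOD_START, PERIOD_END, OUTAGES)
    print(f"availability: {actual:.4f} % (target {TARGET_PCT} %) -> {'met' if actual >= TARGET_PCT else 'MISSED'}")
    print(f"downtime used: {downtime(PERIOD_START, PERIOD_END, OUTAGES)} of budget {allowed_downtime(TARGET_PCT, period)}")
    print(f"MTTR: {mttr(OUTAGES)}")
    result = evaluate_drill(**DRILL)
    print(f"drill: restored in {result['recovery_time']} (RTO {RTO}) -> {'met' if result['rto_met'] else 'MISSED'}; "
          f"data loss {result['data_loss']} (RPO {RPO}) -> {'met' if result['rpo_met'] else 'MISSED'}")
```

With the sample data the quarter comes out at 99.9008 percent: 130 minutes of downtime against a budget of about 131 minutes, so the target is met with almost no margin, which is exactly the kind of finding an availability report should make visible. Note that the RPO check depends on the timestamp of the last backup that was actually restorable, not the last one that was scheduled; a backup job that ran but produced an unusable copy does not count.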