SOC 2 A1.2: Environmental Protections and Recovery Infrastructure
Control A1.2 requires your organization to design and maintain environmental protections, backup systems, and recovery infrastructure to support your availability commitments. This control is critical for demonstrating that your entity can recover from disruptions and maintain service continuity. GRCWatch helps you document and monitor these safeguards efficiently.
What this means
Your organization must authorize, design, implement, and continuously monitor environmental protections and recovery infrastructure. This includes software systems, data backup processes, and physical or logical safeguards that enable you to meet stated availability requirements and system performance targets. The control covers the full lifecycle: planning, acquisition, deployment, operation, approval, maintenance, and monitoring of these protective measures.
How to comply
- 1.Define and document your availability commitments and system requirements in writing
- 2.Design environmental protections appropriate to your infrastructure (physical security, climate control, power redundancy, etc.)
- 3.Establish automated backup processes for critical data with defined retention and recovery point objectives (RPO) and recovery time objectives (RTO)
- 4.Implement disaster recovery and business continuity procedures with documented recovery steps
- 5.Approve all environmental protection and recovery solutions before deployment
- 6.Maintain detailed records of infrastructure, backup schedules, and recovery capabilities
- 7.Test recovery procedures regularly (at least annually) and document results
- 8.Monitor the ongoing effectiveness of protections and backups through logs and metrics
Evidence auditors look for
- Documented availability commitments and system requirements linked to service level agreements (SLAs)
- Infrastructure diagrams showing environmental protections (redundant power, cooling, fire suppression)
- Backup policy with defined frequency, retention periods, RPO/RTO targets, and encryption standards
- Disaster recovery plan with step-by-step procedures and assigned responsibilities
- Evidence of backup testing results and recovery drills completed
- Maintenance logs for environmental systems and backup infrastructure
- Monitoring dashboards or reports showing backup success rates and system availability metrics
- Change authorization records for environmental protection and recovery system updates
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates backup monitoring and recovery testing schedules, centralizes your environmental protection and infrastructure documentation, and tracks test results—so you can prove A1.2 compliance without manual spreadsheets.
See how GRCWatch handles this control automatically
Start free trial