+GC-04 Information on the approach to ensuring service availability

1. Übersicht

GC-04 Information on the approach to ensuring service availability

The cloud service provider shares comprehensible and transparent information subject matter experts of cloud service customers with on its approach to ensuring service availability, including relevant availability metrics and architecture design principles for both, datacentre-infrastructure and cloud services. This information addresses both, physical infrastructure resilience and logical service resilience, enabling cloud service customers to perform their business impact analysis effectively and understand how the cloud service provider's multi-layered resilience approach aligns with their own business continuity requirements at both, the infrastructure and service levels.

The information may outline resilience capabilities, such as regional deployment strategies, datacentre redundancy configurations, service-level commitments, historical performance data, or architectural resilience patterns.

The Uptime Institute's Tier classification system is a classification customary in the industry for the availability of data centres. It defines the following levels (Tiers) for availability and downtime in relation to one year:

1. Tier I: 99.671 %; up to 28.8 hours cumulative downtime per year;
2. Tier II: 99.741 %; up to 22.7 hours cumulative downtime per year;
3. Tier III: 99.982 %; up to 1.6 hours cumulative downtime per year; and
4. Tier IV: 99.995 %; up to 25 minutes cumulative downtime per year.

An alternative definition of availability classes (AC) is provided by the BSI in the 'HV-Benchmark kompakt' (German for: 'High Availability Benchmark Compact', document only available in German):

1. AC 0: without availability requirements (~95%); up to 438 hours cumulative downtime per year;
2. AC 1: normal availability (99%); up to 88 hours cumulative downtime per year;
3. AC 2: high availability (99.9%); up to 9 hours cumulative downtime per year;
4. AC 3: very high availability (99.99%); up to 53 minutes cumulative downtime per year;
5. AC 4: highest availability (99.999%); up to 6 minutes cumulative downtime per year; and
6. AC 5: Disaster-tolerant.

The description of the cloud service provider's system of internal control relevant to the development and operation of the cloud service indicates where this information can be found. In addition to the reference in the description of the cloud service provider, the information itself may also be an optional part of the report, e.g. in a section 'Other information provided by the Cloud Service Provider'. Only in the latter case, this information is not subject to the auditor's procedures, and, accordingly, the auditor does not issue an opinion on it.

Bezeichnung	Standard

1.1 Referenzen

1.2 Identifizierte Anforderungen

1.2 Related Regulation

2. Identifizierte Anforderungen

Anforderungen
Source	Anforderung

3. Related Regulations

Regulations
Source	Regulierung

Cloud Computing Compliance Criteria Catalogue (C5:2026) -
Copyright by Bundesamt für Sicherheit in der Informationstechnik (https://www.bsi.bund.de/)

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_2025/C5_2025_node.html