Decoded Security

Stop Reading SLAs Wrong: The 7 Critical Topics You're Missing

Cloud providers love talking about 'the nines,' but they're hiding the real conversation. Here's what actually belongs in a security-focused SLA.

Erich Winkler
Dec 05, 2025

What does 99.9999% availability actually mean?

Cloud providers often use the term “the nines.”

An application that has “2 nines” availability must be available 99% of the time. This means in a typical month, it can be down for 432 minutes and still meet the 99% available goal.

So, here is the list of “The Nines.”

  1. 99% → 432 minutes of Monthly Outage

  2. 99.9% → 43 minutes of Monthly Outage

  3. 99.99% → 4.3 minutes of Monthly Outage

  4. 99.999% → 26 seconds of Monthly Outage

  5. 99.9999% → 3 seconds of Monthly Outage

So here is how it works.

When your cloud provider says:

“We offer 99.99% uptime.”

What they really mean is:

“We can be down for 4 minutes every month and still meet our contractual obligation.”

The marketing sounds incredible, but the reality is simple:
Every extra nine costs money and shifts responsibility away from the provider and onto you.

Why does it matter?

Maybe you’re wondering why I am talking about it.

My newsletter is focused on Cybersecurity.

Well, exactly!

Cybersecurity is mainly about assigning responsibility!

And that is what an SLA is all about.

While managing vendors, cloud services, or any outsourced environment, your SLA is your security boundary.

So let me start at the beginning.

SLA: What is it?

A Service Level Agreement (SLA) is a contractual agreement that defines the minimum level of service a provider promises to deliver, and the exact responsibilities you agree to take on.

Most CISSP candidates think of SLAs as “availability numbers,”
but that’s only one small piece.

In reality, an SLA is:

  • a risk-management document,

  • a responsibility map,

  • and your last line of defense when something goes wrong.

Think of it this way:

Your architecture defines how your system should work.
Your SLA defines who takes the blame when it doesn’t.

And here’s the uncomfortable truth:

Security incidents become legal incidents very, very quickly.

That’s why CISSP Domain 1 emphasizes understanding SLAs not as IT contracts, but as security governance tools. They determine:

  • Who owns the data

  • Who must secure the infrastructure

  • Who performs backups

  • Who reports incidents

  • Who pays when something breaks

  • Who must remain compliant with laws and standards

  • Who carries the liability during outages or breaches

If you don’t know these responsibilities, you can’t manage risk, and the provider will happily let you assume more than you should.

So what actually belongs inside a security-focused SLA?

A proper SLA covers the full lifecycle of confidentiality, integrity, and availability (CIA) and what happens when any of those fail.

Let’s take a look at 7 crucial topics you need to cover in your SLAs.

Don’t know what the CIA Triad is? Don’t worry, I got you covered! See my earlier post “My First Week of CISSP Prep – What I’ve Learned So Far” (June 30, 2025).

1. Availability (The Nines)

  • Uptime %, measurement method

  • Maintenance windows

  • Service credits

  • Exclusions (force majeure, scheduled downtime)

2. Data Ownership

  • Who owns the data

  • Access rights

  • Backup retention

  • Data return & deletion process

3. Security Responsibilities

  • Patching

  • IAM

  • Logging & monitoring

  • Encryption + key management

  • Vulnerability scans / pentests

  • Notification rules

4. Incident Response

  • RTO / RPO

  • Severity levels

  • Escalation path

  • Provider’s reporting timeline

5. Compliance Requirements

  • Which laws/standards apply (GDPR, ISO, SOC2, NIS2)

  • Provider’s audit obligations

  • Your audit rights

  • Evidence/request process

6. Performance Metrics

  • Response times

  • Throughput limits

  • Resource guarantees (CPU, IOPS, bandwidth)

  • Degradation thresholds

7. Exit Strategy

  • Contract termination terms

  • Data migration support

  • Format of data export

  • Cost & timeline for offboarding

  • How fast service must be restored

If these are missing, you’re not in control of your own crisis.

Interested in Cloud Computing? Don’t miss one of my previous articles: “The Cloud Isn’t Magic! It’s Just Rented IT.” (August 25, 2025).

Conclusion

If you’re reading this, congratulations! Now you understand that Cybersecurity is about assigning responsibilities and what to look for in your contracts!

SLAs aren’t just boring contracts full of legal jargon; they are your security boundary, your risk-transfer tool, and your accountability map.

Understanding the nines, the shared responsibilities, and the seven crucial SLA topics lets you:

  • Know who is responsible for each part of your environment

  • Protect your organization from avoidable data loss and downtime

  • Ensure regulatory compliance and minimize liability

  • Make informed decisions about outsourcing and cloud adoption

From a CISSP perspective, an SLA is as much about governance and risk management as it is about uptime numbers.

Rule of thumb: If it’s not written in the SLA, it’s your problem.

But if you need step-by-step instructions, I created a detailed FREE checklist for you.

Read it carefully, negotiate it wisely, and treat it as a core part of your security strategy, not just a checkbox in your contract.

Discussion about this post

Yutaro
Dec 5

sry! it is this one that I talked about SLA!

https://open.substack.com/pub/yutafromjapan/p/beyond-the-zero-sum-the-great-paradox?r=5zimtx&utm_campaign=post&utm_medium=web

Yutaro
Dec 5

we share the same topic!!

https://substack.com/@yutafromjapan/note/p-167569291?r=5zimtx&utm_source=notes-share-action&utm_medium=web
