What the auditor wants to verify
Audit objective
Verify that redundancy arrangements are sufficient to meet documented availability requirements and have been tested.
Evidence to request
| Evidence | Purpose |
|---|---|
| Availability requirements | Shows target availability is defined |
| BIA/continuity requirements | Shows business need and recovery objectives |
| Redundancy architecture | Shows design supports availability |
| Risk assessment | Shows redundancy risks are considered |
| Failover/recovery test records | Shows redundancy works |
| Actual recovery records | Shows real outage performance |
| Compensating controls | Shows gaps are managed |
| Supplier/cloud resilience evidence | Shows third-party redundancy support |
Strong evidence
- Redundancy is linked to RTO/RPO and service criticality.
- Critical dependencies are included.
- Failover tests meet target recovery times.
- Data replication and alternate-site risks are assessed.
- Gaps have compensating controls and owners.
Weak evidence
- Cloud or vendor redundancy is assumed without evidence.
- No availability requirement exists.
- Failover has never been tested.
- Standby environment is outdated or insecure.
- Recovery times exceed requirements without corrective action.
Sample interview questions
- What availability requirement applies to this service?
- What redundancy is implemented?
- When was failover last tested?
- Which dependencies must also be available?
- What risks are introduced by replication or alternate locations?
Common nonconformities
- Redundancy not linked to availability requirements.
- Failover tests missing or failed without action.
- Dependencies not included in redundancy design.
- No risk assessment for replicated data paths.
- Standby environment not secured or maintained.
Related notes
- Audit
- Evidence
- A8 14
- Iso27001
Note Metadata
Aliases: A.8.14 Evidence
Source: 04 Audit Evidence Packs/A.8.14 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.14 - Redundancy of Information Processing Facilities
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.14 Redundancy of Information Processing Facilities
- A.8.14 Audit Checklist
- Availability Requirement Mapping
- Redundancy Failover Test Record
- Redundancy Requirements and Architecture Register
- Audit Evidence Index