UnixTime

Research Note

ISO 27001 A.8.14 - Redundancy of Information Processing Facilities

The organization should design critical processing facilities so that a single failure does not create unacceptable downtime. Redundancy may involve duplicate equipment, cluster...

On this page

Requirement

Requirement lens

This control asks whether information processing facilities have enough redundancy to meet availability requirements.

“Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.”

Plain-language meaning

The organization should design critical processing facilities so that a single failure does not create unacceptable downtime. Redundancy may involve duplicate equipment, clustered systems, failover sites, replicated storage, redundant network links, backup power, cloud availability zones, or geographically separate locations.

Redundancy is not automatically required for every system. It should be based on availability requirements, recovery time expectations, risk assessment, and business continuity needs.

Why this matters

Availability is part of information security. If critical systems cannot tolerate downtime, the supporting facilities must be resilient enough to meet that need.

Redundancy also creates new risks. Replicating data across sites, networks, or cloud regions can introduce confidentiality, integrity, latency, synchronization, cost, and operational complexity risks. Those risks must be assessed, not ignored.

Implementation guidance

Implementer focus

Start with availability requirements and recovery objectives. Then choose redundancy that is sufficient, tested, and risk-assessed.

1. Define availability requirements

Use business impact analysis, risk assessment, service requirements, and continuity plans to define:

Requirement Practical question
RTO How quickly must service be restored?
RPO How much data loss is tolerable?
Maximum outage How long can the business tolerate unavailability?
Service criticality Which services justify redundancy?
Dependency Which facilities, networks, power, cloud services, or suppliers are needed?

2. Match redundancy to need

Examples of redundancy include:

  • redundant servers or clusters;
  • storage replication;
  • redundant network paths;
  • alternate data centre or cloud region;
  • redundant power/cooling;
  • load balancing;
  • hot/warm/cold standby environments;
  • replicated identity, logging, and backup services.

3. Assess risks introduced by redundancy

Redundancy can create extra risk through data replication over public networks, inconsistent data between mirrored systems, weak access control in standby environments, insecure cloud regions, or untested failover.

4. Test redundancy

Redundancy must be tested. A diagram or vendor statement is not enough. Failover tests, recovery tests, and actual incident records should show whether the redundancy meets requirements.

Audit guidance

Auditor focus

Verify that redundancy is sufficient for documented availability requirements and that failover/recovery has been tested.

Auditors should request:

  • availability requirements;
  • business impact analysis or continuity requirements;
  • risk assessments for redundant architecture;
  • redundancy architecture diagrams;
  • failover and recovery test records;
  • actual recovery time records after unplanned outages;
  • compensating controls for gaps;
  • supplier/cloud redundancy evidence where relevant.

The key audit question is not “is redundancy present?” It is “does redundancy meet the required availability level and has this been proven?”

Evidence examples

Evidence quality

Strong evidence proves redundancy requirements, design, risk treatment, testing, and recovery performance.

Evidence What it proves
Availability requirements Target level is defined
BIA/continuity requirements Business need is understood
Redundancy architecture Design supports availability
Risk assessment New redundancy risks are considered
Failover test records Redundancy works in practice
Recovery time records Actual performance is known
Compensating control records Gaps are managed

Strong evidence

  • Redundancy is linked to RTO/RPO and service criticality.
  • Critical dependencies are included.
  • Failover tests prove recovery within target.
  • Redundant locations and replication paths are risk-assessed.
  • Compensating controls exist where full redundancy is not justified.

Weak evidence

  • Redundancy is assumed because the service is in the cloud.
  • No documented availability requirement exists.
  • Architecture shows redundancy but no failover test exists.
  • Standby environment is outdated or unprotected.
  • Data replication risks are not assessed.
  • Actual outage recovery times exceed requirements without action.

Common failures

Implementation watchouts

A.8.14 fails when redundancy is designed from technology preference instead of availability requirement.

Failure Why it matters
No RTO/RPO Redundancy cannot be judged sufficient
Untested failover Recovery is assumed, not proven
Missing dependencies Redundant app fails because identity/network/storage is unavailable
Standby environment insecure Redundancy creates a weaker attack path
Replication not protected Sensitive data is exposed in transit or at alternate site
Cloud resilience assumed Cloud design still needs region/zone/service validation

Exam traps

Exam focus

A.8.14 is about redundancy sufficient to meet availability requirements, not redundancy everywhere.

Trap Correct interpretation
Every system needs full redundancy Redundancy should be based on availability requirements and risk
Backup is the same as redundancy Backups support recovery; redundancy supports availability/failover
Cloud automatically satisfies redundancy Cloud architecture still needs design, scope, testing, and evidence
Redundancy only means duplicate servers Networks, storage, power, locations, identity, logging, and dependencies may matter
Redundancy reduces all risk It can introduce replication, synchronization, and access-control risks

KB-ready summary

Mentor takeaway

A.8.14 proves critical processing facilities can stay available at the required level. Strong evidence ties availability requirements to redundancy design, risk assessment, failover testing, and actual recovery performance.

  • Define availability requirements first.
  • Select redundancy based on RTO/RPO and risk.
  • Include dependencies such as network, power, storage, identity, and cloud services.
  • Test failover and record actual recovery times.
  • Assess risks introduced by redundancy.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Redundancy
  • Availability
  • Business continuity
  • Audit

Note Metadata

Aliases: A.8.14, Redundancy of Information Processing Facilities, Information Processing Facilities Redundancy

Source: 05 Annex A Technological Controls/A.8.14 Redundancy of Information Processing Facilities.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.