Requirement
Requirement lens
This control asks whether information processing facilities have enough redundancy to meet availability requirements.
“Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.”
Plain-language meaning
The organization should design critical processing facilities so that a single failure does not create unacceptable downtime. Redundancy may involve duplicate equipment, clustered systems, failover sites, replicated storage, redundant network links, backup power, cloud availability zones, or geographically separate locations.
Redundancy is not automatically required for every system. It should be based on availability requirements, recovery time expectations, risk assessment, and business continuity needs.
Why this matters
Availability is part of information security. If critical systems cannot tolerate downtime, the supporting facilities must be resilient enough to meet that need.
Redundancy also creates new risks. Replicating data across sites, networks, or cloud regions can introduce confidentiality, integrity, latency, synchronization, cost, and operational complexity risks. Those risks must be assessed, not ignored.
Implementation guidance
Implementer focus
Start with availability requirements and recovery objectives. Then choose redundancy that is sufficient, tested, and risk-assessed.
1. Define availability requirements
Use business impact analysis, risk assessment, service requirements, and continuity plans to define:
| Requirement | Practical question |
|---|---|
| RTO | How quickly must service be restored? |
| RPO | How much data loss is tolerable? |
| Maximum outage | How long can the business tolerate unavailability? |
| Service criticality | Which services justify redundancy? |
| Dependency | Which facilities, networks, power, cloud services, or suppliers are needed? |
2. Match redundancy to need
Examples of redundancy include:
- redundant servers or clusters;
- storage replication;
- redundant network paths;
- alternate data centre or cloud region;
- redundant power/cooling;
- load balancing;
- hot/warm/cold standby environments;
- replicated identity, logging, and backup services.
3. Assess risks introduced by redundancy
Redundancy can create extra risk through data replication over public networks, inconsistent data between mirrored systems, weak access control in standby environments, insecure cloud regions, or untested failover.
4. Test redundancy
Redundancy must be tested. A diagram or vendor statement is not enough. Failover tests, recovery tests, and actual incident records should show whether the redundancy meets requirements.
Audit guidance
Auditor focus
Verify that redundancy is sufficient for documented availability requirements and that failover/recovery has been tested.
Auditors should request:
- availability requirements;
- business impact analysis or continuity requirements;
- risk assessments for redundant architecture;
- redundancy architecture diagrams;
- failover and recovery test records;
- actual recovery time records after unplanned outages;
- compensating controls for gaps;
- supplier/cloud redundancy evidence where relevant.
The key audit question is not “is redundancy present?” It is “does redundancy meet the required availability level and has this been proven?”
Evidence examples
Evidence quality
Strong evidence proves redundancy requirements, design, risk treatment, testing, and recovery performance.
| Evidence | What it proves |
|---|---|
| Availability requirements | Target level is defined |
| BIA/continuity requirements | Business need is understood |
| Redundancy architecture | Design supports availability |
| Risk assessment | New redundancy risks are considered |
| Failover test records | Redundancy works in practice |
| Recovery time records | Actual performance is known |
| Compensating control records | Gaps are managed |
Strong evidence
- Redundancy is linked to RTO/RPO and service criticality.
- Critical dependencies are included.
- Failover tests prove recovery within target.
- Redundant locations and replication paths are risk-assessed.
- Compensating controls exist where full redundancy is not justified.
Weak evidence
- Redundancy is assumed because the service is in the cloud.
- No documented availability requirement exists.
- Architecture shows redundancy but no failover test exists.
- Standby environment is outdated or unprotected.
- Data replication risks are not assessed.
- Actual outage recovery times exceed requirements without action.
Common failures
Implementation watchouts
A.8.14 fails when redundancy is designed from technology preference instead of availability requirement.
| Failure | Why it matters |
|---|---|
| No RTO/RPO | Redundancy cannot be judged sufficient |
| Untested failover | Recovery is assumed, not proven |
| Missing dependencies | Redundant app fails because identity/network/storage is unavailable |
| Standby environment insecure | Redundancy creates a weaker attack path |
| Replication not protected | Sensitive data is exposed in transit or at alternate site |
| Cloud resilience assumed | Cloud design still needs region/zone/service validation |
Exam traps
Exam focus
A.8.14 is about redundancy sufficient to meet availability requirements, not redundancy everywhere.
| Trap | Correct interpretation |
|---|---|
| Every system needs full redundancy | Redundancy should be based on availability requirements and risk |
| Backup is the same as redundancy | Backups support recovery; redundancy supports availability/failover |
| Cloud automatically satisfies redundancy | Cloud architecture still needs design, scope, testing, and evidence |
| Redundancy only means duplicate servers | Networks, storage, power, locations, identity, logging, and dependencies may matter |
| Redundancy reduces all risk | It can introduce replication, synchronization, and access-control risks |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.6 Capacity Management
- A.8.13 Information Backup
- A.7.11 Supporting Utilities
- A.5.29 Information Security During Disruption
- A.5.30 ICT Readiness for Business Continuity
- Risk Assessment
- Statement of Applicability
- Redundancy Requirements and Architecture Register
- Redundancy Failover Test Record
- Availability Requirement Mapping
- A.8.14 Audit Evidence Pack
- A.8.14 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.14 proves critical processing facilities can stay available at the required level. Strong evidence ties availability requirements to redundancy design, risk assessment, failover testing, and actual recovery performance.
- Define availability requirements first.
- Select redundancy based on RTO/RPO and risk.
- Include dependencies such as network, power, storage, identity, and cloud services.
- Test failover and record actual recovery times.
- Assess risks introduced by redundancy.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Redundancy
- Availability
- Business continuity
- Audit
Note Metadata
Aliases: A.8.14, Redundancy of Information Processing Facilities, Information Processing Facilities Redundancy
Source: 05 Annex A Technological Controls/A.8.14 Redundancy of Information Processing Facilities.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.29 - Information Security During Disruption
- ISO 27001 A.5.30 - ICT Readiness for Business Continuity
- ISO 27001 A.7.11 - Supporting Utilities
- A.8.14 Audit Evidence Pack
- ISO 27001 A.8.13 - Information Backup
- ISO 27001 A.8.6 - Capacity Management
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.14 Redundancy of Information Processing Facilities
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-033 - Redundancy and Logging
- ISO 27002 Annex A Control Interpretation Map
- A.8.14 Audit Checklist
- Availability Requirement Mapping
- Redundancy Failover Test Record
- Redundancy Requirements and Architecture Register
- Software Rollback and Fallback Checklist
- Annex A Controls MOC