ISO 27001 Annex A Control 8.14

ISO 27001 control 8.14 Redundancy of information processing facilities

The basics

ISO 27001 control A.8.14 Redundancy of information processing facilities requires companies to build redundancy into the facilities that support critical operations, so that the failure of a single component (a server, a network device, a storage system, a communication link) does not disrupt business activities.

Documentation

ISO 27001 control A.8.14 Redundancy of information processing facilities can be documented in a Disaster Recovery Plan or a Business Continuity Strategy.

These documents are not mandatory but are recommended.

Implementation

In order to comply with control A.8.14 Redundancy of information processing facilities you might implement the following:

  • Technology — the technology whose resilience and redundancy need to be ensured could include data (e.g., databases), hardware (e.g., application servers), networks (e.g., firewalls and routers), or communication (external communication links). Companies of all sizes need to plan their continuity by introducing resilience and redundancy solutions, based on a risk assessment and on how quickly they need their data and systems to be recovered after a failure.
  • Organization/processes — you should set up a process for planning and maintaining the redundant technology, as well as for regularly testing your disaster recovery and/or business continuity plans. You can document those processes in a Disaster Recovery Plan or Business Continuity Strategy.
  • People — make employees aware of why IT systems must be ready to withstand disruption, and train them to maintain those systems in a state of high readiness.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.14 Redundancy of information processing facilities: whether redundancy is built into the IT systems that support critical operations, and whether that redundancy has been tested.

If redundancy has not been built into those systems, this would be a nonconformity.