1. Framework FAQs

ISO 27001: 2022 A.8.14 Redundancy of information processing facilities

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.14 Redundancy of information processing facilities.

ISO 27001: 2022 Control Description

Information processing facilities shall be implemented with redundancy  sufficient to meet availability requirements.

Purpose

To ensure continuous operation of information processing facilities by meeting availability requirements.

Guidance on implementation

To maintain the availability of business services and information systems, your organisation should:

  1. Identify Availability Requirements:
    • Determine the availability needs for your business services and information systems.
  2. Design and Implement Redundant Systems:
    • Create a system architecture with appropriate redundancy. This could involve duplicating parts of the system or the entire information processing facility (e.g., using spare components or having duplicate setups).
  3. Activate Redundant Components:
    • Develop and implement procedures for activating redundant components or systems. Decide whether these components will always be active or only activated in emergencies—either automatically or manually.
  4. Maintain Security Levels:
    • Ensure that redundant components and systems maintain the same level of security as the primary systems.

Considerations for Implementing Redundant Systems

When setting up redundant systems, consider the following:

  • Network and Critical Facilities:
    • Use redundant networks and critical processing facilities such as multiple internet service providers.
  • Geographical Separation:
    • Use two data centres in different locations with mirrored systems to avoid single points of failure.
  • Power Supply:
    • Implement physically redundant power sources or supplies.
  • Software Redundancy:
    • Run multiple parallel instances of software components, with automatic load balancing across instances within the same or different data centres.
  • Hardware Redundancy:
    • Use duplicated hardware components (e.g., CPUs, hard disks, memory) and network components (e.g., firewalls, routers, switches) to ensure continued operation.

Testing and Monitoring

  • Test Redundant Systems:
    • Regularly test redundant systems, ideally in a production environment, to confirm that failover processes work as expected.
  • Monitor for Failures:
    • Set up mechanisms to alert your organisation to any failures in the information processing facilities. Ensure the planned failover procedures are executed smoothly to maintain system availability while repairs or replacements are made.

Additional Considerations

  • Business Continuity:
    • Redundancy is closely linked to ICT readiness for business continuity, particularly when short recovery times are essential. Integrate redundancy measures as part of your broader ICT continuity strategies.
  • Managing Risks:
    • Be aware that implementing redundancies can introduce risks, such as data integrity issues during the copying process or potential confidentiality breaches. Ensure these risks are managed effectively.
  • Public Cloud Computing:
    • With public cloud services, you can have multiple live versions of information processing facilities across different physical locations, providing automatic failover and load balancing between them.