Redundancy of Information Processing Facilities - ISO 27001 Annex A Control

ISO 27001 Annex A 8.14

Single points of failure are the easiest part of resilience to identify and the hardest to fix.

Redundancy is the protection against component failure - having more than one of something so that one failing does not stop the service. The control sits alongside backup (which addresses recoverability) and capacity management (which addresses adequacy) to complete the availability picture. Each addresses a different failure mode.

Redundancy patterns vary by what is being protected. Within a server, the pattern is redundant power supplies and disks (RAID). Within a data centre, it is redundant servers, network paths and power feeds. Between data centres, it is geographic redundancy with active-active or active-passive failover. Cloud platforms abstract much of this through availability zones and managed services.

Redundancy needs to be tested or it tends not to work when needed. Failover that has never been exercised may have undocumented dependencies on the primary site. Passive systems that are not regularly used may have drifted out of sync with current configuration. Periodic failover testing confirms that the redundancy provides the protection it is designed for.

The redundancy that fails most often is the one that depends on something that is not itself redundant. Typical examples are two web servers behind a single load balancer, or two database servers using a single shared storage volume. Each pattern provides the appearance of redundancy without the substance. Mapping the failure paths often reveals these single points of failure.
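
The failure-path mapping described above can be automated. The following is an added example, not part of the alphaZ material: it models a service as a dependency tree and reports every component whose failure alone takes the service down. The component names and the "all"/"any" dependency model are constructed for illustration and mirror the two patterns named above.

```python
# Constructed dependency model (illustrative names, assumed acyclic).
# "all": the node needs every dependency; "any": one surviving dependency is enough.
# Names that never appear as keys are physical components (leaves).
MODEL = {
    "service":  ("all", ["web_tier", "db_tier"]),
    "web_tier": ("all", ["load_balancer", "web_pool"]),
    "web_pool": ("any", ["web1", "web2"]),
    "db_tier":  ("any", ["db1", "db2"]),
    "db1":      ("all", ["db1_host", "shared_volume"]),
    "db2":      ("all", ["db2_host", "shared_volume"]),
}

# Same service with the hidden dependencies made redundant.
HARDENED = dict(
    MODEL,
    web_tier=("all", ["lb_pair", "web_pool"]),
    lb_pair=("any", ["lb1", "lb2"]),
    db1=("all", ["db1_host", "volume_a"]),
    db2=("all", ["db2_host", "volume_b"]),
)


def is_up(node, model, failed):
    """Return True if node still works when the components in `failed` are down."""
    if node in failed:
        return False
    if node not in model:          # leaf component that has not failed
        return True
    mode, deps = model[node]
    states = [is_up(dep, model, failed) for dep in deps]
    return all(states) if mode == "all" else any(states)


def components(model):
    """Leaf components: dependencies that have no dependencies of their own."""
    return sorted({d for _, deps in model.values() for d in deps if d not in model})


def single_points_of_failure(model, root="service"):
    """Components whose failure, on its own, brings the root service down."""
    return [c for c in components(model) if not is_up(root, model, {c})]


if __name__ == "__main__":
    print("as built:", single_points_of_failure(MODEL))
    print("hardened:", single_points_of_failure(HARDENED))
```

The same model can double as a failover test plan: each leaf component is a candidate for a scheduled exercise, with the outcome recorded in the business continuity register.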

Practical Compliance Guidance

Redundancy arrangements are described in the IMS1 manual at section 8.3 on IT equipment alongside the wider business continuity arrangements. The business continuity register tracks the redundancy patterns and test outcomes.

alphaZ document - How to use it
ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.
F-IMS21 Business Continuity Register - The business continuity register listing scenarios and arrangements. Use to record redundancy patterns and the test schedules that confirm they operate as designed.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

No - redundancy adds cost and complexity, and the level should match the availability requirement. Critical systems may have full geographic redundancy. Important systems may have within-site redundancy. Non-critical systems may not need redundancy at all. The business impact analysis should drive the decision.
Cloud platforms expose redundancy through availability zones (multiple data centres within a region) and regions (geographically separated). Architectures designed across multiple availability zones inherit much of the redundancy without explicit work. Multi-region architectures provide stronger protection for critical workloads at higher cost and complexity.
Through scheduled failover exercises that switch service to the redundant components and confirm continued operation. Test outcomes should include time to fail over, any issues encountered, and verification that failback works as expected. The records form part of the business continuity evidence.
