Redundancy of Information Processing Facilities
Ensure systems have backups to avoid downtime and data loss.
🏛️ Framework: ISO/IEC 27001:2022
🧭 Control effect: Preventative
🧱 ISO 27001 domain: Technological controls
🔐 Classifications: N/A
🗓️ Official last update: 24 Oct 2022
✏️ Control Stack last updated: 30 Mar 2026
🎯 Maturity levels: N/A
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Source: ISO/IEC 27001:2022
Plain language
This control ensures that your computer systems have backups or duplicates, so they keep running even if something fails. Without this, a single failure could stop your business operations and result in lost data, hurting your ability to serve customers and keep your business running smoothly.
Why it matters
A lack of redundancy can lead to extended downtimes, resulting in lost revenue and diminished trust from customers relying on your services.
Operational notes
Redundant systems need regular testing and updating to keep pace with changing business needs and infrastructure changes.
Implementation tips
- IT Manager should assess availability requirements for critical systems. This means identifying which systems need to be operational continuously and determining the acceptable downtime for each system. Use Australian regulations for guidance on critical infrastructure.
- Procurement should partner with multiple reliable network suppliers. This reduces risk by ensuring you have backup internet and communication lines from different providers in case one fails.
- IT Staff should establish redundant systems in separate locations. Set up a second data centre that automatically mirrors the main one, ensuring data is available even if one facility encounters an issue.
- IT Support should configure systems with duplicate critical hardware components. This includes setting up servers with multiple power supplies and hard drives, so if one part fails, the other can keep things running.
- IT Manager should implement monitoring and alert systems. Use software to detect failures quickly and trigger alerts to IT staff, ensuring they can respond and prevent downtime before it affects business functions.
Audit / evidence tips
- Ask for: the disaster recovery plan and redundancy strategy documentation. Check for a clear outline of redundancy measures for critical systems and components. Good documentation will specify systems' redundancy requirements and their implementation.
- Look at: systems identified as having redundant processes, checking for duplicated components. Good: the setup shows geographically and physically separate redundancies for major systems.
- Ask for: reports from backup and failover tests. Verify these tests are scheduled and conducted regularly, showing results of successful and unsuccessful tests. Look at: successful tests demonstrating that redundancy systems function as required.
- Request contracts with network providers showing redundancy agreements. Ensure these contracts specify clear service level agreements (SLAs) for failover capabilities and secondary connections. Good contracts include provisions for redundancy to ensure continuous service.
- Ask for: monitoring system logs that track system component health and failures. Review alerts and incident responses to confirm timely handling of system issues. Good results show prompt detection and resolution of issues to prevent downtime.
Cross-framework mappings
How Annex A 8.14 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Supports (1) | ||
| ISM-1405 | Annex A 8.14 requires systems to use synchronised clocks against an authorised time source to ensure timestamps can be trusted and correl... | |