Because the purpose of this ISO27001 control is to ensure the continuous operation of information processing facilities, it feels as though it should sit alongside the other controls related to Business Continuity. ISO27001 Annex A controls such as A5.30 (ICT Readiness for Business Continuity) and A5.24 (Information security incident management planning and preparation) all deal with ensuring you have considered resilience within your processing facilities.
So what makes this ISO27001 control different from those other controls?
What does the standard require?
The standard states that “Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.” (A8.14 – Redundancy of information processing facilities)
Why is this required?
From time to time, systems fail. Without consideration of this ISO27001 control, you are at risk of losing critical information or services if an outage affects your systems. For example, if a power outage takes down your primary systems, you risk disruption to your products or services until you can fully recover.
This scenario could have financial implications, but it would almost certainly affect your reputation, as you would have to explain delays in your service capabilities.
What the auditor is looking for
For this ISO27001 control, the auditor will expect to see:
Data Classification scheme (A5.12 - Classification of information).
Redundancy of processing facilities.
Use of Cloud as a backup solution (A5.23 - Information Security for use of Cloud Services).
Inventory of informational assets (A5.9 - Inventory of information and other associated assets).
Backup Policy (A8.13 – Information backup).
Backup processes.
Backup solutions and technology.
Evidence of recovery tests (of data).
Business Impact Assessments (BIA) (A5.30 - ICT Readiness for Business Continuity).
Risk Register.
Management Review Meeting minutes and actions.
What do you need to do?
If you haven’t completed some form of Business Impact Analysis, you should do so in order to understand the impact of losing critical information. This may already have been done as part of ISO27001 Annex A Control A5.30 (ICT Readiness for Business Continuity), when you put together the inventory of assets under Annex A Control A5.9 (Inventory of information and other associated assets), or when you developed the data classification scheme under A5.12 (Classification of information).
This will require conversations with the business, to understand the importance of the data, and with IT, to understand what redundancy is in place.
Keep in mind that redundancy can exist within the network or the physical infrastructure. For example, dual power feeds into your building can ensure that if one power source is lost, the other can take up the load. The same applies to network redundancy. You might also incorporate technical redundancy within the systems that you use, such as implementing a fully supported 'live/live' or fail-over design in which the systems are geographically separated.
The important thing to keep in mind is that you’re looking to establish what is in place as a redundant backup for your primary systems. If you use Cloud services, you might find that this is sufficient, as providing redundancy is one of the core purposes of Cloud platforms, though you should confirm what redundancy your provider actually guarantees for the services you use rather than assuming it. This is something you would have established when implementing ISO27001 Annex A control A5.23 (Information Security for use of Cloud Services).
If possible, test the redundant systems so that you know they will operate as expected if needed.
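The two questions the text asks you to put to IT (what redundancy is in place, and does it cover the failures you care about) can be answered systematically from an asset inventory. The following is an added example, not code from the article or its authors, and all of the services, components, sites, dates and the RTO values in it are constructed sample data. It models each critical service as a list of redundancy groups (the service stays up while at least one member of every group is up), then checks for single points of failure at the component level and at the site level (so that a 'redundant' pair of power feeds in the same building is flagged, in the spirit of the geographically separated live/live design mentioned above), and finally lists services whose fail-over has not been tested recently, which is the evidence of recovery tests the auditor looks for.

```python
from datetime import date

# Constructed sample data: which site each component lives at. Components at
# the same site are assumed to fail together (site power loss, fibre cut, ...).
COMPONENTS = {
    "power-feed-A": "site-london",
    "power-feed-B": "site-london",   # "dual" feeds, but both in one building
    "isp-1": "site-london",
    "isp-2": "site-manchester",
    "app-1": "site-london",
    "app-2": "site-manchester",
    "db-primary": "site-london",
    "db-replica": "site-manchester",
    "cloud-object-store": "cloud-eu-west",
}

# Constructed sample inventory of critical services (hypothetical names/RTOs).
# Each inner set is a redundancy group: the service needs at least one working
# member from every group. A one-member group is, by definition, a single point
# of failure.
INVENTORY = {
    "customer-portal": {
        "rto_hours": 4,  # hypothetical recovery time objective from the BIA
        "depends_on": [
            {"power-feed-A", "power-feed-B"},
            {"isp-1", "isp-2"},
            {"app-1", "app-2"},
            {"db-primary", "db-replica"},
        ],
        "last_failover_test": date(2024, 3, 1),
    },
    "file-archive": {
        "rto_hours": 24,
        "depends_on": [{"cloud-object-store"}],
        "last_failover_test": None,  # never tested
    },
}

TODAY = date(2024, 9, 1)  # constructed reference date for the test-age check


def service_up(service, failed):
    """True if every redundancy group still has at least one working member."""
    return all(group - failed for group in INVENTORY[service]["depends_on"])


def single_points_of_failure(service):
    """Components whose loss alone takes the service down."""
    components = set().union(*INVENTORY[service]["depends_on"])
    return sorted(c for c in components if not service_up(service, {c}))


def components_at(site):
    return {c for c, s in COMPONENTS.items() if s == site}


def site_failures(service):
    """Sites whose total loss takes the service down (geographic SPOFs)."""
    sites = sorted(set(COMPONENTS.values()))
    return [s for s in sites if not service_up(service, components_at(s))]


def redundancy_gaps():
    """Per-service gaps to raise with IT and to record on the risk register."""
    return {
        svc: {"component": single_points_of_failure(svc), "site": site_failures(svc)}
        for svc in INVENTORY
    }


def untested_services(today=TODAY, max_age_days=365):
    """Services with no fail-over test, or none within max_age_days."""
    return sorted(
        svc
        for svc, info in INVENTORY.items()
        if info["last_failover_test"] is None
        or (today - info["last_failover_test"]).days > max_age_days
    )


if __name__ == "__main__":
    for svc, gaps in redundancy_gaps().items():
        rto = INVENTORY[svc]["rto_hours"]
        print(f"{svc} (RTO {rto}h): component SPOFs={gaps['component']}, "
              f"site SPOFs={gaps['site']}")
    print("fail-over test overdue or missing:", untested_services())
```

Run as a script it reports that the customer portal has no single-component weakness but goes down if the London site is lost (both power feeds sit there), and that the cloud-only file archive depends entirely on one provider region and has never had a recovery test; each such line is a candidate entry for the risk register and a question to put to the business about whether the stated availability requirement is really met.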
Difficulty rating
We rate this control 1.5 out of 5 for difficulty. It isn’t a hard control to implement, but it requires conversations with the business to understand what is critical, and with IT to understand what is in place.
Q&A
If I only use Cloud for storage, do I need to worry about this control?
It is still relevant and applicable to your organisation, so you should document what is in place. If you feel that you have some exposure in this area you should add it to your risk register and treat the risk appropriately.
More questions?
You’ve probably noticed by now that nothing in ISO27001 sits in isolation, so you should review our FAQ to find answers on other aspects of the standard. Follow the links in this control to see how it relates to other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.