A.8.14 Redundancy of Information Processing Facilities

What is this control?

ISO 27001 control A.8.14 Redundancy of Information Processing Facilities ensures availability of information processing facilities by protecting against failures through sufficient redundancy at component, data-centre, and regional levels. The control differentiates between Cloud Platform SaaS where infrastructure redundancy is managed by Microsoft and Cloud Infrastructure IaaS/PaaS where redundancy must be explicitly designed and configured.

How to implement in Microsoft 365

Implement A.8.14 by validating Microsoft 365 geo-redundancy through supplier governance reviewing SOC 2 Type II reports, Service Trust Portal, and supplier agreements per A.5.19. For Azure Compute, deploy critical VMs across Availability Zones which are physically separate data centres within a region and distribute traffic using Azure Load Balancer. For Azure Storage, configure all storage accounts with Zone-Redundant Storage or Geo-Redundant Storage for automatic replication.

For Azure SQL Databases, configure Zone-Redundant high-availability or Geo-Replication Failover Groups. Implement Azure Traffic Manager or Azure Front Door for geo-routing and regional failover.

What an auditor looks for

Auditors will verify Microsoft 365 geo-redundancy is validated through SOC 2 Type II reports and Service Trust Portal. They will check Azure VMs are deployed across Availability Zones with load balancing. Auditors will verify storage accounts are configured with ZRS or GRS replication.

They will check Azure SQL Databases have zone-redundancy or geo-replication failover groups. Auditors will verify Azure Traffic Manager or Front Door is configured for geo-routing. They will check business continuity plan includes redundancy testing procedures with evidence of failover capability testing.