Do you have Internet Service Provider (ISP) redundancy?
Explanation
Connectivity resilience is the focus, specifically whether you maintain redundant Internet Service Providers so that one provider's outage does not sever your internet access.
In a security assessment context, ISP redundancy is important because it directly impacts the availability aspect of the CIA triad (Confidentiality, Integrity, Availability). If your organization relies on cloud services, SaaS applications, or needs to maintain continuous external connectivity for your customers or employees, a single ISP failure could cause significant business disruption.
ISP redundancy typically involves:
- Having contracts with two or more different ISP providers
- Implementing automatic failover mechanisms between these providers
- Ensuring the ISPs use different physical infrastructure (different entry points to your facility, different backbone networks)
When answering this question, you should clearly state whether you have ISP redundancy, how many providers you use, whether they're truly independent (different physical infrastructure), and how failover works. If you have partial redundancy (e.g., at some locations but not others), be specific about where redundancy exists and where it doesn't.
Example Responses
Example Response 1
Yes, our organization maintains full ISP redundancy across all our datacenters We contract with three tier-1 ISPs (AT&T, Verizon, and CenturyLink) at each location, with automatic BGP failover configured Each ISP enters our facilities through different physical paths to eliminate single points of failure We conduct quarterly failover tests to ensure our redundancy mechanisms function as expected Our network architecture is designed to maintain 100% uptime even if any single ISP experiences a complete outage.
Example Response 2
Yes, we have ISP redundancy in our primary datacenter with dual providers (Comcast Business and Spectrum Enterprise) These connections use different physical entry points to our facility and are configured with automatic failover using SD-WAN technology Our secondary disaster recovery site also has dual ISPs We test our failover capabilities semi-annually as part of our business continuity exercises and maintain sufficient bandwidth on each connection to handle our full production traffic load.
Example Response 3
No, we currently utilize a single ISP (Comcast Business) for our datacenter connectivity While we have implemented a high-availability service level agreement with our provider that guarantees 99.9% uptime, we recognize this represents a potential single point of failure We mitigate this risk through other means, including maintaining offline backups and having documented manual failover procedures to our disaster recovery site which uses a different ISP We are currently evaluating proposals from secondary ISPs and plan to implement full redundancy within the next 6 months.
Context
- Tab
- Infrastructure
- Category
- Datacenter
Related questions
- Select your hosting option.
- Is a SOC 2 Type 2 report available for the hosting environment?
- Are you generally able to accommodate storing each institution's data within its geographic region?
- Are the data centers staffed 24 hours a day, seven days a week (i.e., 24 x 7 x 365)?
- Are your servers separated from other companies via a physical barrier, such as a cage or hard walls?
- Does a physical barrier fully enclose the physical space, preventing unauthorized physical contact with any of your devices?

