ISO 27001 Annex A 8.17

When system clocks disagree, log analysis becomes guesswork.

ISO 27001 Annex A 8.17 - Clock Synchronisation

Time synchronisation seems mundane until something goes wrong. When clocks across systems disagree, correlating events between systems becomes unreliable. A user who appears to log in at 09:01 on one system and perform an action at 09:00 on another may be showing an attack whose timeline runs backwards, or the two clocks may simply be out of step. Without a trustworthy common time base there is no way to tell which.

The control asks for synchronisation to approved time sources. Public NTP servers, internal NTP servers fed from a stratum 1 source, or cloud-provided time services all serve. The principle is consistency: every system in the estate should agree on the time, and that time should be traceable to a reliable source. Two practical points follow. Configure several sources rather than one, so that a single faulty or hostile source can be outvoted, and prefer authenticated time (NTS, or symmetric-key NTP on internal servers) where the sources support it, because plain NTP over the internet is unauthenticated UDP and can be forged by anyone on the path.

Configuration should also include monitoring of synchronisation status. A clock that silently stops synchronising, because its source went away or the time daemon died, drifts at the rate of its hardware oscillator, often a second or more per day, without anyone noticing. Alerting when a system's offset, stratum or sync state leaves acceptable bounds catches the problem before it affects an investigation or an audit.
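The drift check described above, as an added example that is not part of the original page or of any alphaZ material. It parses the plain-text report printed by `chronyc tracking` (chrony's standard status output), works out the signed clock offset, the stratum and the sync state, and returns the reasons a host should alert. The two sample reports are constructed for the example so it runs offline, and the thresholds are assumptions to be replaced by whatever precision the organisation actually needs.

```python
"""Check a host's chrony synchronisation state against drift thresholds.

Added example, not code from the original page or from alphaZ. Parses the
report printed by `chronyc tracking` and decides whether the host should
raise an alert. Sample reports are constructed; thresholds are assumptions.
"""
import re
import subprocess
from dataclasses import dataclass

MAX_OFFSET_SECONDS = 0.5   # assumed tolerance; tighten for high-precision estates
MAX_STRATUM = 4            # assumed; hosts further from a reference clock are suspect

# Constructed sample: a healthy host synced to an internal server.
HEALTHY_REPORT = """\
Reference ID    : C0A80001 (ntp1.example.internal)
Stratum         : 2
Ref time (UTC)  : Tue Mar 05 14:32:10 2024
System time     : 0.000245310 seconds fast of NTP time
Last offset     : +0.000117532 seconds
RMS offset      : 0.000203112 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.002 ppm
Skew            : 0.045 ppm
Root delay      : 0.001234567 seconds
Root dispersion : 0.000456789 seconds
Update interval : 64.2 seconds
Leap status     : Normal
"""

# Constructed sample: a host whose source disappeared and which has drifted 3.5 s.
DRIFTING_REPORT = """\
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 3.512094000 seconds slow of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
"""

_SYSTEM_TIME = re.compile(r"([0-9.]+) seconds (fast|slow) of NTP time")
_FREQUENCY = re.compile(r"([0-9.]+) ppm (fast|slow)")


@dataclass
class SyncStatus:
    reference_id: str
    stratum: int
    offset_seconds: float   # signed: positive means the system clock is ahead of NTP
    frequency_ppm: float    # signed: positive means the oscillator runs fast
    leap_status: str

    def drift_per_day_seconds(self):
        """How far the clock would wander in 24 h if synchronisation stopped."""
        return self.frequency_ppm * 86400 / 1_000_000

    def problems(self, max_offset=MAX_OFFSET_SECONDS, max_stratum=MAX_STRATUM):
        """Return the reasons this host should alert (empty list if healthy)."""
        issues = []
        if self.leap_status != "Normal":
            issues.append(f"leap status is '{self.leap_status}'")
        if self.stratum == 0 or self.stratum > max_stratum:
            issues.append(f"stratum {self.stratum} is outside 1..{max_stratum}")
        if abs(self.offset_seconds) > max_offset:
            issues.append(f"offset {self.offset_seconds:+.3f}s exceeds {max_offset}s")
        return issues


def parse_tracking(report):
    """Parse `chronyc tracking` text into a SyncStatus."""
    fields = {}
    for line in report.splitlines():
        key, sep, value = line.partition(":")  # first colon only; timestamps contain more
        if sep:
            fields[key.strip()] = value.strip()
    m = _SYSTEM_TIME.search(fields["System time"])
    offset = float(m.group(1)) * (1 if m.group(2) == "fast" else -1)
    f = _FREQUENCY.search(fields["Frequency"])
    freq = float(f.group(1)) * (1 if f.group(2) == "fast" else -1)
    return SyncStatus(fields["Reference ID"], int(fields["Stratum"]),
                      offset, freq, fields["Leap status"])


def check_host(report):
    """Return (alert, reasons) for one host's tracking report."""
    issues = parse_tracking(report).problems()
    return bool(issues), issues


if __name__ == "__main__":
    try:  # use the live daemon where chrony is installed, else the constructed samples
        reports = {"localhost": subprocess.run(["chronyc", "tracking"], capture_output=True,
                                               text=True, check=True).stdout}
    except (FileNotFoundError, subprocess.CalledProcessError):
        reports = {"healthy-host": HEALTHY_REPORT, "drifting-host": DRIFTING_REPORT}
    for host, report in reports.items():
        alert, issues = check_host(report)
        print(host, "ALERT" if alert else "OK", "; ".join(issues))
```

Run it from a scheduled job or a monitoring agent and feed the `ALERT` lines into the alerting pipeline. Checking leap status and stratum as well as offset matters because chrony reports an offset of zero when it has no source at all, so an offset-only check would miss exactly the silent failure the control is concerned with.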

Clock synchronisation gets attention from the audit when log timestamps from different systems do not line up. If the access logs say 14:32 and the application logs say 14:34 for the same event, the audit will ask why and what is being done about it. Where synchronisation is configured and monitored, the question rarely comes up.

Practical Compliance Guidance

Clock synchronisation is described in the IMS1 manual at section 8.3 on IT equipment alongside the wider operational arrangements. NTP configuration provides the operational evidence.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

PP-8-100 Information Security Policy Procedure - Contains the operational arrangements relevant to clock synchronisation. Use as the source for the time source standards applied across systems.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Which time sources are acceptable?

Public NTP services from established providers (NIST, NTP Pool, major cloud providers) are widely used. Larger organisations may run internal NTP servers fed from authoritative external sources to provide consistency across the estate. The choice should be documented in the configuration baseline.

Do cloud-hosted systems need their own arrangements?

Cloud platforms typically synchronise their underlying infrastructure to authoritative sources and expose this to virtual instances by default. The organisation needs to confirm this rather than assume it, and should treat the cloud provider's time service as the time source for cloud-hosted systems.

How often should clocks be checked?

Continuous synchronisation through NTP keeps clocks within acceptable tolerances automatically. Periodic monitoring confirms that synchronisation is actually working and alerts when systems drift outside the acceptable range. Alert thresholds depend on the precision needed for the use case.
