ISO 27001 A.8.17: Clock synchronization
What This Control Requires
The clocks of information processing systems used by the organization shall be synchronized to approved time sources.
In Plain Language
Imagine investigating a security incident where your firewall logs say one thing happened at 14:02, your application server says it happened at 14:07, and your database says 13:58. You cannot build a reliable timeline, and your forensic investigation falls apart. That is what happens without clock synchronisation. Every system in your environment needs to agree on what time it is. This is not just about log correlation - time-dependent authentication mechanisms like TOTP and Kerberos rely on accurate clocks, and some regulatory requirements mandate timestamp accuracy. The fix is straightforward: synchronise everything to a common, authoritative time source using NTP. It is one of the easiest controls to implement, and one of the most frustrating to deal with when it is missing.
How to Implement
Set up internal NTP servers that synchronise to authoritative external sources - government time services, GPS-based time servers, or reputable public NTP pools. Then point all internal systems at your internal NTP servers to create a consistent hierarchy. Configure NTP on everything: servers, network devices, endpoints, cloud instances, databases, security appliances, CCTV systems, and physical access control systems. For Windows environments, set the Active Directory PDC emulator as the authoritative time source and let domain-joined systems synchronise through the domain hierarchy. Define an acceptable accuracy threshold. For most security purposes, synchronisation within one second is fine. High-frequency logging or regulatory environments may need tighter tolerances. Monitor for systems drifting beyond your threshold and investigate why. Standardise your timestamp format. Log everything in UTC or include timezone identifiers to avoid ambiguity. If you have systems across multiple time zones, UTC-based logging makes correlation vastly simpler. Document your chosen time source, synchronisation hierarchy, and UTC offset conventions. Monitor synchronisation continuously. Alert when systems lose sync. Verify regularly that NTP services are running and healthy. Include time sync checks in your standard system health monitoring. Fix failures promptly - they can indicate network issues or deeper system problems. For cloud environments, use the cloud provider's time synchronisation service (Amazon Time Sync Service, Azure time sync, etc.) and verify it is consistent with your on-premises infrastructure.
Evidence Your Auditor Will Request
- NTP configuration documentation showing time source hierarchy
- System configuration showing NTP client settings on servers and devices
- Time synchronization monitoring alerts and verification records
- Logging configuration showing UTC timestamps or timezone identifiers
- Evidence of time synchronization for security-critical systems
Common Mistakes
- Not all systems are configured for time synchronization with a common source
- Time synchronization is configured but not monitored for drift or failures
- Different systems use different time zones in logs making correlation difficult
- Network devices and security appliances are not included in time synchronization
- No authoritative internal time source, with systems pointing to random external sources
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC7.2 | Partial overlap |
Frequently Asked Questions
What time source should we use?
Should we log in UTC or local time?
Track ISO 27001 compliance in one place
AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.
Start Free Assessment