ISO 27001:2022 Annex A 8.17 Clock synchronisation

ISO 27001 Annex A 8.17: Why Time Travel is Bad for Security

Einstein might have said that time is relative, but if you say that to an ISO 27001 auditor, you are going to have a bad day. In the world of information security, time needs to be absolute. This brings us to Annex A 8.17: Clock Synchronisation.

It sounds like one of the most boring controls in the book. You might be thinking, “My computer knows what time it is, why does this need a policy?” But this small control is the glue that holds your entire incident response strategy together. If your clocks are drifting, your ability to investigate a hack drifts away with them.

What is Annex A 8.17?

In simple terms, this control requires that the clocks of all information processing systems within your organisation or security scope are synchronised to a single reference time source. This covers everything from your servers and firewalls to your employee laptops and physical security logs.

The goal is consistency. If your firewall thinks an attack happened at 10:00 AM, but your server thinks the login attempt happened at 10:05 AM, you have a five-minute gap where you have no idea what actually happened first. You can find the official text and context for this control on ISO27001.com.

Why Does Clock Synchronisation Matter?

Imagine you have suffered a data breach. You are trying to piece together the forensic timeline. You look at your logs:

  • Door Access System: Suspect enters the building at 09:00.
  • Server Log: Suspect logs in at 08:58.
  • CCTV System: Suspect sits at desk at 09:02.

If the server clock is fast, it looks like they logged in before they even entered the building. This “time travel” makes your evidence inadmissible in court and makes it impossible for your security team to correlate events. Without accurate timestamps, you cannot accurately reconstruct the sequence of events during a security incident.

How to Implement Clock Synchronisation

The good news is that this is one of the easier technical controls to implement. You generally don’t need to buy expensive new software; you just need to configure what you already have correctly.

1. Choose a Reference Time Source

You need a “source of truth.” This is usually a standard external time source or a reliable internal NTP (Network Time Protocol) server that syncs with an external source. Common external sources include national atomic time standards or reputable public NTP pools.

2. Configure Network Time Protocol (NTP)

Ensure that all your servers, workstations, and network devices are configured to poll this reference source. For a typical Windows domain environment, endpoints will sync with the Domain Controller, and the Domain Controller should sync with the external reference.

3. Don’t Forget the Cloud

If you are using AWS, Azure, or Google Cloud, they handle the underlying hardware clocks, but your virtual machine instances still need to be configured to check the time. Don’t assume it happens by magic.

4. Physical Security Systems

This is where most people fail the audit. Your CCTV cameras and biometric door scanners often run on their own proprietary systems. Ensure their internal clocks are also pointing to your central NTP server. There is nothing worse than CCTV footage that is an hour out because nobody updated it for Daylight Saving Time.

Common Challenges and Gotchas

Drift: Hardware clocks are notoriously cheap and inaccurate. They “drift” over time. If a device loses its connection to the NTP server, it can drift by seconds or minutes a day. You need monitoring in place to alert you if a device fails to sync for an extended period.

Time Zones: Standardise on UTC (Coordinated Universal Time) for your system logs where possible. If you have offices in London, New York, and Tokyo, and everyone logs in “local time,” piecing together a global attack becomes a mathematical nightmare.
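
The sketch below is an added example, not part of the original article. It shows what the drift and time zone problems above do to a timeline: three offices log in local time, one host has a known clock error, and the events only fall into the right order once everything is converted to UTC and corrected. The site names, host names, log format and the 240-second clock error are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Fixed UTC offsets valid for the constructed sample date (3 June 2024).
# Assumption: a real pipeline would use zoneinfo so DST changes are handled.
SITE_TZ = {
    "london": timezone(timedelta(hours=1)),     # BST
    "new-york": timezone(timedelta(hours=-4)),  # EDT
    "tokyo": timezone(timedelta(hours=9)),      # JST
}

# Hypothetical measured clock error per host, in seconds ahead of the
# reference time source (positive = clock is fast). Unlisted hosts are in sync.
CLOCK_AHEAD_S = {"nyc-vpn01": 240}

# Constructed log lines: site, host, local wall-clock timestamp, message.
SAMPLE_LOGS = """\
tokyo tyo-app01 2024-06-03 22:05:10 admin session opened
london lon-fw01 2024-06-03 14:01:30 inbound connection allowed
new-york nyc-vpn01 2024-06-03 09:06:45 vpn login success
"""


def to_utc(site, host, local_ts):
    """Attach the site's zone, subtract the known clock error, return UTC."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=SITE_TZ[site])
    corrected = aware - timedelta(seconds=CLOCK_AHEAD_S.get(host, 0))
    return corrected.astimezone(timezone.utc)


def build_timeline(raw):
    """Parse the sample format and return events sorted by corrected UTC time."""
    events = []
    for line in raw.splitlines():
        site, host, date, clock, message = line.split(maxsplit=4)
        events.append((to_utc(site, host, f"{date} {clock}"), host, message))
    return sorted(events)


if __name__ == "__main__":
    for when, host, message in build_timeline(SAMPLE_LOGS):
        print(when.strftime("%Y-%m-%dT%H:%M:%SZ"), host, message)
```

Sorting the same lines by their raw local timestamps puts the New York login first and the Tokyo session last by more than twelve hours; converting to UTC without the clock correction still places the VPN login after the Tokyo session.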

Conclusion

ISO 27001 Annex A 8.17 isn’t just about punctuality; it’s about integrity. By ensuring every device in your network beats to the same drum, you ensure that when things go wrong, you have a reliable history of the truth. Configure your NTP, check your logs, and stop the time travel before it starts.
