Time is one of the most critical yet overlooked aspects of information security. When you are building your Information Security Management System (ISMS), you will eventually encounter Annex A 8.17. This control deals with clock synchronisation. At ISO27001.com, we often see organisations fail this control simply because they assume their computers handle time automatically. While modern systems do track time, they often drift if they are not managed correctly.
This guide will help you understand what this control is and how to implement it. We will also look at what an auditor will expect to see when they visit your premises.
What is Annex A 8.17?
Annex A 8.17 focuses on clock synchronisation. The official requirement states that the clocks of all relevant information processing systems within an organisation or security domain must be synchronised to a single reference time source. This sounds technical, but the concept is simple. You need to ensure that every server, laptop, firewall, and application agrees on exactly what time it is.
If your email server thinks it is 10:00 AM and your firewall thinks it is 10:05 AM, you have a problem. This control ensures that everyone is marching to the beat of the same drum.
Why Time Synchronisation Matters
You might wonder why a few minutes of difference would matter to a security auditor. The answer lies in your logs. When a security incident occurs, you need to investigate what happened. You will look at logs from different systems to piece together the sequence of events. If the timestamps on those logs do not match, it becomes impossible to know what happened first.
Imagine trying to prove that an attacker breached your firewall before they accessed a file. If the file server clock is slow, the logs might show the file was accessed before the firewall was breached. This makes forensic analysis useless. Furthermore, some security protocols rely on time to work; Kerberos authentication, for example, rejects requests when the client and server clocks differ by more than its configured tolerance. If the time gap is too large, legitimate users might be locked out of the system.
Steps to Implement the Control
Implementing this control is usually straightforward for a beginner. You do not need to buy expensive atomic clocks. You just need to configure your existing technology correctly. Here is how you can approach it.
Define a Reference Time Source
You need to choose a reliable external time source. Most organisations use Network Time Protocol (NTP) servers. You can use public NTP servers provided by reliable bodies or even the NTP servers provided by your cloud provider. The key is that you must pick a standard and stick to it.
Configure Your Systems
Once you have a source, you must configure your systems to sync with it. If you run a Windows domain, your domain controller usually acts as the time source for all joined computers. You just need to ensure the domain controller itself is syncing with an external provider. For Linux servers or network gear like routers and switches, you will likely need to enter the NTP server address (IP address or hostname) into the configuration settings.
Document Your Configuration
You must write down your approach. Create a simple topic-specific policy or add a section to your existing technical standards. State clearly which time source you use. This ensures that if a new system administrator joins your team, they know exactly how to configure new servers.
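The three steps above come together in a check you can run from any host: ask the documented reference source what time it is and measure how far the local clock is from it. The following is an added example (not code from ISO27001.com) of a minimal SNTP client in Python. It assumes a hypothetical reference source named `ntp.example.internal`, which stands in for whatever your time standard names; the offset and delay formulas are the standard NTP ones from RFC 4330, and the `build_sample_response` function constructs a fake server reply purely so the parsing and arithmetic can be exercised without a network.

```python
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800

# Hypothetical: the reference source named in the organisation's time standard.
REFERENCE_TIME_SOURCE = "ntp.example.internal"
NTP_PORT = 123

# Packet layout (48 bytes): LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference id, then reference/originate/receive/transmit stamps.
PACKET_FORMAT = "!BBbbII4sQQQQ"


def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, version 4, mode 3 (client)."""
    return bytes([0x23]) + bytes(47)


def ntp_timestamp(unix_seconds: float) -> int:
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    fraction = int((unix_seconds - whole) * 2**32)
    return ((whole + NTP_UNIX_DELTA) << 32) | fraction


def from_ntp_timestamp(value: int) -> float:
    """64-bit NTP timestamp -> Unix float seconds."""
    return (value >> 32) - NTP_UNIX_DELTA + (value & 0xFFFFFFFF) / 2**32


def parse_response(packet: bytes) -> dict:
    """Extract the fields needed to judge a server reply and compute the offset."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    first, stratum, _poll, _prec, _rdelay, _rdisp, _refid, _ref, _orig, recv, xmit = \
        struct.unpack(PACKET_FORMAT, packet[:48])
    leap = first >> 6
    mode = first & 0x07
    # Stratum 0 is a "kiss-o'-death" or unsynchronised server; leap=3 also means
    # the server's own clock is not synchronised. Neither is a usable reference.
    if stratum == 0 or leap == 3:
        raise ValueError("server is not synchronised to a reference clock")
    return {
        "leap": leap,
        "mode": mode,
        "stratum": stratum,
        "receive": from_ntp_timestamp(recv),
        "transmit": from_ntp_timestamp(xmit),
    }


def compute_offset(t1: float, t2: float, t3: float, t4: float):
    """RFC 4330 clock offset and round-trip delay.

    t1 = client send time, t2 = server receive, t3 = server transmit,
    t4 = client receive. A positive offset means the server is ahead of us.
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def within_tolerance(offset: float, tolerance_s: float) -> bool:
    """True when the local clock is within the tolerance your standard allows."""
    return abs(offset) <= tolerance_s


def build_sample_response(t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed server reply for offline testing (not a real server packet)."""
    first = (0 << 6) | (4 << 3) | 4  # LI=0, VN=4, mode 4 (server)
    return struct.pack(
        PACKET_FORMAT, first, stratum, 6, -20, 0, 0, b"GPS\x00",
        ntp_timestamp(t2 - 60), ntp_timestamp(t2 - 0.02),
        ntp_timestamp(t2), ntp_timestamp(t3),
    )


def query_offset(host: str = REFERENCE_TIME_SOURCE, timeout: float = 3.0):
    """Live query: send one request to the reference source and compute our offset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(), (host, NTP_PORT))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    reply = parse_response(data)
    return compute_offset(t1, reply["receive"], reply["transmit"], t4)


if __name__ == "__main__":
    offset, delay = query_offset()
    status = "OK" if within_tolerance(offset, 1.0) else "DRIFT"
    print(f"offset={offset:+.4f}s delay={delay:.4f}s {status}")
```

Run it on each system that should be synchronised; the printed offset is the figure an auditor is effectively asking for when they compare the time on screen with the real time. The tolerance you pass to `within_tolerance` should come from your own standard, since the control does not set a number.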
What the Auditor Will Expect
As a certification body, we want to see evidence that you are in control. When we audit Annex A 8.17, we are looking for consistency and proof.
First, we will ask you what your standard time source is. You should be able to name it immediately. If you say you do not know, that is a red flag. We expect you to have this defined in a document.
Next, we will ask to see the settings on a few random systems. We might ask you to open the time settings on a server or a firewall. We want to see that the configuration matches what you told us. We will also check that the time on the screen matches the actual current time.
Finally, we might check your logs. We will look at a log entry from your firewall and a log entry from a server to see if the timestamps align. If we see significant drift between systems, it suggests the control is not working effectively.
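The log comparison the auditor performs, and the forensic problem described under "Why Time Synchronisation Matters", can be automated. The following is an added example (not code from ISO27001.com) that pairs firewall ALLOW entries for SSH with the matching `sshd` login on each server and estimates each server's clock offset relative to the firewall. All log lines, hostnames and addresses are constructed for the example; the mapping from destination IP to server name is also an assumption you would replace with your own inventory. Events are paired in order of appearance per source address rather than by a time window, so a clock that is minutes out is still matched and reported instead of being silently dropped.

```python
import re
import statistics
from datetime import datetime, timezone

# Constructed sample logs (not from any real system). The firewall is treated as
# the reference here; srv-a is about right, srv-b is roughly five minutes slow.
FIREWALL_LOG = """\
2024-05-01T10:00:03Z fw01 kernel: ALLOW src=10.0.0.5 dst=10.0.1.20 dport=22
2024-05-01T10:00:40Z fw01 kernel: ALLOW src=10.0.0.9 dst=10.0.1.21 dport=22
2024-05-01T10:01:15Z fw01 kernel: ALLOW src=10.0.0.5 dst=10.0.1.21 dport=22
"""

SERVER_LOGS = {
    "srv-a": """\
2024-05-01T10:00:04Z srv-a sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51022
""",
    "srv-b": """\
2024-05-01T09:55:41Z srv-b sshd[887]: Accepted publickey for bob from 10.0.0.9 port 51100
2024-05-01T09:56:16Z srv-b sshd[902]: Accepted publickey for alice from 10.0.0.5 port 51300
""",
}

# Assumed inventory: which server sits behind each destination address.
DST_TO_HOST = {"10.0.1.20": "srv-a", "10.0.1.21": "srv-b"}

TIMESTAMP = r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"
FW_LINE = re.compile(TIMESTAMP + r" \S+ \S+ ALLOW src=(?P<src>\S+) dst=(?P<dst>\S+) dport=22")
SSH_LINE = re.compile(TIMESTAMP + r" \S+ sshd\[\d+\]: Accepted \S+ for \S+ from (?P<src>\S+)")


def parse_time(text: str) -> datetime:
    """Parse the UTC timestamp format used by the sample logs."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pair_events(fw_log: str, server_logs: dict, dst_to_host: dict) -> list:
    """Return (host, firewall_time, server_time) for each matched SSH login."""
    fw_events = {}  # (host, src) -> [firewall times, in log order]
    for line in fw_log.splitlines():
        m = FW_LINE.match(line)
        if not m:
            continue
        host = dst_to_host.get(m["dst"])
        if host is not None:
            fw_events.setdefault((host, m["src"]), []).append(parse_time(m["ts"]))

    pairs = []
    for host, text in server_logs.items():
        srv_events = {}  # src -> [server login times, in log order]
        for line in text.splitlines():
            m = SSH_LINE.match(line)
            if m:
                srv_events.setdefault(m["src"], []).append(parse_time(m["ts"]))
        # Pair the n-th firewall ALLOW with the n-th login from the same source.
        for src, times in srv_events.items():
            for fw_t, srv_t in zip(fw_events.get((host, src), []), times):
                pairs.append((host, fw_t, srv_t))
    return pairs


def estimate_offsets(pairs: list) -> dict:
    """Median (server time - firewall time) per host, in seconds.

    The median resists a single odd pairing; a small positive value is normal
    because the login is logged a moment after the firewall sees the packet.
    """
    deltas = {}
    for host, fw_t, srv_t in pairs:
        deltas.setdefault(host, []).append((srv_t - fw_t).total_seconds())
    return {host: statistics.median(values) for host, values in deltas.items()}


def assess(offsets: dict, tolerance_s: float = 5.0) -> dict:
    """Label each host "ok" or "drift" against the tolerance your standard sets."""
    return {host: ("ok" if abs(off) <= tolerance_s else "drift")
            for host, off in offsets.items()}


if __name__ == "__main__":
    offsets = estimate_offsets(pair_events(FIREWALL_LOG, SERVER_LOGS, DST_TO_HOST))
    for host, verdict in assess(offsets).items():
        print(f"{host}: offset {offsets[host]:+.0f}s -> {verdict}")
```

The tolerance has to be larger than the genuine latency between the two events (here the firewall decision and the login record), otherwise normal processing time will be misreported as drift. A result like `srv-b: offset -299s -> drift` is exactly the evidence that would make an auditor conclude the control is not operating.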

Common Pitfalls to Avoid
Do not rely on manual updates; never depend on a human to set the time. Humans are not accurate enough, and clocks drift naturally over time. Automation is the only way to satisfy this control.
Also, do not forget your isolated networks. If you have a high-security network that does not touch the internet, it still needs accurate time. You may need to set up a dedicated internal time server for that zone.
Summary
Implementing Annex A 8.17 is a quick win for your ISO 27001 project. It improves the reliability of your logs and ensures your security systems function correctly. By defining a standard source and automating the update process, you will satisfy the auditor and improve your security posture.
