Contribute to the cybersecurity survey asking the questions others didn't dare to... Click here

ISO 27001 Control 8.17: Clock Synchronization

Making Sure Your Logs All Tell the Same Story

ISO 27001 Control 8.17 Clock synchronisation is one of those controls that feels very technical and a bit niche – until you have an incident.

If different systems disagree about the time, you’ll quickly find that:

  • Your logs don’t line up
  • Your SIEM can’t correlate events properly
  • Forensic timelines become guesswork
  • Regulators and auditors start asking awkward questions about evidence

Control 8.17 is simply about keeping all relevant system clocks aligned to a trusted time source, and doing it in a way that is secure, reliable and auditable.

What ISO 27001 Control 8.17 Actually Expects

In plain English, ISO 27001 Control 8.17 – Clock synchronisation expects you to:

  • Use consistent, accurate time across your information processing systems
  • Align clocks to an agreed reference (typically via NTP or PTP)
  • Ensure timestamps in logs are reliable enough for event correlation, investigation and compliance
  • Protect your time sources and synchronisation mechanisms from tampering or misuse
  • Monitor and review time synchronisation to catch drift and failures

It underpins a lot of other controls, especially:

  • Logging (8.15)
  • Monitoring activities (8.16)
  • Incident management and forensics
  • Any regulation that relies on time-stamped evidence

Step 1 – Decide How Accurate You Actually Need to Be

Not every organisation needs microsecond accuracy, but every organisation needs consistency.

Start by defining your time synchronisation requirements:

  • Regulatory and audit needs
    • Do you have to meet specific time accuracy requirements (e.g. PCI DSS, financial trading rules)?
    • Are you required to show that audit logs are time-aligned?
  • Security operations and forensics
    • How precise do you need timestamps to be for SIEM correlation and incident timelines?
    • In most environments, being within a few seconds is enough – as long as it’s consistent.
  • Business-critical applications
    • Payment systems, trading platforms, industrial control systems or IoT may need tighter tolerances.
    • Some environments might require PTP or GPS-based time.

Document this as part of your logging/monitoring standard or a small time synchronisation standard. That gives a clear benchmark for “good enough”.

Step 2 – Choose Reliable Time Sources and Architecture

Next, design how time will flow through your environment.

Typical approach under ISO 27001 Control 8.17:

  • External reference sources
    • Use trusted external NTP sources (e.g. national time services, reputable providers).
    • In higher-assurance environments, consider GPS-backed or dedicated hardware time sources.
  • Internal time hierarchy
    • Designate one or more authoritative internal NTP servers that sync to the external reference.
    • Other systems (servers, firewalls, endpoints, etc.) synchronise to those internal servers – not directly to the internet.
  • Redundancy
    • Have at least two independent time sources where possible.
    • In multi-site or multi-region environments, deploy regional NTP servers to reduce latency and improve resilience.

Capture this as a simple time architecture diagram – it’s handy evidence for audits and for troubleshooting.

Step 3 – Apply Time Synchronisation Across All Critical Systems

ISO 27001 Control 8.17 isn’t just about servers – any system that generates security-relevant events should be synchronised.

Make sure you cover:

  • Servers and domain controllers
    • Directory services (e.g. Active Directory) often underpin time for the rest of your estate.
    • Ensure domain controllers synchronise correctly with your chosen NTP servers.
  • Network and security devices
    • Firewalls, routers, switches, VPN gateways, load balancers, proxies, IDS/IPS, WAFs.
    • These generate critical security logs – they must be in sync.
  • Endpoints
    • Workstations, laptops and other client devices should follow domain or central NTP where possible.
  • Applications and databases
    • Where they handle their own time settings or sit in separate zones, confirm they use approved time sources.
  • Cloud and SaaS
    • Most major cloud providers maintain accurate time for platform services.
    • Ensure your own workloads (VMs, containers, managed services you configure) use the correct time zone and NTP settings.
    • Be aware of any time zone offsets in logs (many organisations standardise on UTC for security logs).

The aim: when you line up logs from your SIEM or log platform, the timestamps tell a single, coherent story.

Step 4 – Secure Your Time Synchronisation Setup

Time is a security control here – if an attacker can distort it, they can:

  • Confuse investigations
  • Break authentication and tokens
  • Undermine the integrity of your audit trail

For ISO 27001 Control 8.17 you should:

  • Restrict access to time servers
    • Only allow authorised internal systems to query NTP/PTP.
    • Block or control access from the internet except where explicitly required.
  • Authenticate where feasible
    • Use NTP authentication (e.g. symmetric keys) where your platform supports it.
    • Treat NTP configuration changes as high-impact and subject to change control.
  • Protect external time sources
    • If you use GPS or radio time sources, locate equipment securely and control physical access.
    • Ensure network paths from your time sources are protected and monitored.
  • Control who can change time settings
    • Restrict OS and appliance permissions so only appropriate admins can modify time config.
    • Log any manual time changes or NTP reconfiguration.

This helps ensure that your time synchronisation is trustworthy, not just “roughly right”.

Step 5 – Monitor for Drift, Failures and Oddities

You don’t want to discover a clock problem during an incident.

Under ISO 27001 Control 8.17, good practice is to:

  • Monitor synchronisation status
    • Use your monitoring tools to track:
      • NTP server health
      • Last sync time
      • Offset/drift from reference
  • Set sensible alert thresholds
    • Alert if a critical system drifts beyond an agreed threshold (e.g. more than a few seconds).
    • Alert if a system stops synchronising or starts using an unapproved time source.
  • Log time changes
    • Ensure significant time adjustments are logged (especially manual changes).
    • Include NTP events in your central logging where practical.
  • Test periodically
    • Spot-check key systems by comparing timestamps in different logs for the same event.
    • Include clock issues as a scenario in incident or forensics exercises (“what if this system was five minutes out?”).

If you do ever suffer from clock issues, capture that as a lesson learned and update your standard.

Step 6 – Document and Evidence Clock Synchronisation for ISO 27001

To demonstrate compliance with ISO 27001 Control 8.17, you should be able to show:

  • A written standard or section in your logging/monitoring or infrastructure policy describing:
    • Use of NTP/PTP and external sources
    • Internal time hierarchy
    • Systems in scope
    • Required accuracy and time zone conventions
  • Configuration evidence, such as:
    • Screenshots or config snippets from NTP servers, firewalls, domain controllers, cloud workloads
    • Proof that devices are pointing at the correct internal time sources
  • Monitoring and review evidence
    • Monitoring dashboards or reports showing NTP status and drift
    • Any alerts or issues raised, plus how they were resolved
  • Consistent logs
    • Example logs from different systems that clearly correlate by timestamp in your SIEM or log platform.

That combination shows an auditor that clock synchronisation is designed, implemented, and actively managed, not just assumed.

Quick Implementation Checklist for ISO 27001 Control 8.17

You’re in good shape for ISO 27001 Control 8.17 – Clock synchronisation if:

  • You have a documented approach to time synchronisation (policy/standard).
  • There are one or more authoritative time sources (e.g. internal NTP servers synced to trusted external sources).
  • All relevant systems (servers, network/security devices, key applications, cloud workloads) synchronise to those sources.
  • Time synchronisation is secured (controlled access, protected configuration, authenticated where possible).
  • You monitor clock synchronisation status and drift, with alerts for significant deviations.
  • Manual time changes and NTP configuration changes are logged and controlled.
  • You can show consistent timestamps across logs used for investigations and monitoring.
  • Time synchronisation is periodically reviewed and tested, especially after major infrastructure or cloud changes.

Bringing It All Together

ISO 27001 Control 8.17 – Clock synchronisation – is one of those quiet controls that only gets noticed when it fails.

If you:

  • Design a simple, resilient time architecture,
  • Synchronise all critical systems to trusted time sources,
  • Secure and monitor that synchronisation properly, and
  • Keep clear evidence of how it all works,

you’ll support reliable logging, effective monitoring, and defensible investigations – and you’ll meet the requirements of ISO 27001 Control 8.17 in a way that stands up both technically and to audit scrutiny.

Explore the ISO 27001 Control Group Purposes

Organisational Controls
People Controls
Physical Controls
Technological Controls

Iseo Blue Limited - UK Registered Company Number : 10215427

Privacy Policy  

Registered office address: Belmont Suite Paragon Business Park, Chorley New Road, Bolton, England, United Kingdom, BL6 6HG