Ensure Accurate Time Source for Event Logs
Logs must use a reliable time source for accuracy and consistency.
Plain language
This control means that when your computer systems record events or actions, they must use a reliable clock to timestamp these logs. This is important because if your system logs the wrong time for these events, it could make finding out what happened during an incident nearly impossible and lead to major disruptions or data breaches being overlooked.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system monitoringSection
Event logging and monitoringOfficial control statement
An accurate and consistent time source is used for event logging.
Why it matters
If systems do not use a consistent accurate time source, event logs cannot be reliably correlated, causing incorrect incident timelines and delaying investigations.
Operational notes
Configure all hosts to synchronise with approved NTP sources and routinely confirm drift is within tolerance so event logs share a consistent, accurate timestamp.
Implementation tips
- The IT team should select a reliable time source: Choose a trustworthy and accurate clock, like the official time provided by a government body such as the National Measurement Institute (NMI), to set the system time for your computer networks.
- System administrators should configure all devices: Ensure that all servers, desktops, and other devices on your network are set to the same reliable time source to maintain consistency across the organisation’s systems.
- Managers should regularly review time settings: Schedule routine checks to confirm that all devices are still set to the agreed-upon time source. This can prevent drifts or changes that could occur over time.
- The IT team should document time configurations: Keep a record of which time source is used and how each device or system is set to receive this time. This helps in troubleshooting when issues arise.
- System owners should include time source verification in audits: Make checking the time settings part of regular system audits to ensure ongoing compliance with this control.
Audit / evidence tips
-
Aska list of configured time sources: Request a document or report showing the time source settings of critical systems and devices within the organisation
-
GoodAll critical systems are configured to the same accurate time source, with clear records of this configuration
-
Askrecords of time accuracy checks: Request logs or records of regular time verification checks on the systems
-
GoodRegular, documented checks are in place, showing consistent time across systems, with actions taken if issues were found
-
Askthe configuration management policy: Request the policy document that includes guidelines for setting and maintaining time sources on systems
-
GoodA detailed policy that mandates using a reliable time source, with steps for regular verification
-
Askto demonstrate time-setting on a sample device: Request a live demonstration of how the time source is set and updated on a random device within the network
-
GoodThe device shows the correct time source matching documented settings and procedures are followed correctly
-
Askevidence of staff training: Request records showing staff responsible for system configurations have been trained on time source management
-
GoodComprehensive training records showing that all relevant staff attended sessions and understood time source management
Cross-framework mappings
How ISM-0988 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 8.17 | Annex A 8.17 requires synchronisation of information system clocks to approved time sources | |
| handshake Supports (2) expand_less | ||
| Annex A 5.28 | ISM-0988 requires an accurate and consistent time source for event logging so timelines derived from logs are defensible | |
| Annex A 8.15 | ISM-0988 requires an accurate and consistent time source to be used for event logging to ensure timestamps are trustworthy | |
E8
| Control | Notes | Details |
|---|---|---|
| handshake Supports (2) expand_less | ||
| E8-RA-ML2.7 | E8-RA-ML2.7 requires privileged account and group management events to be centrally logged | |
| E8-AH-ML3.4 | E8-AH-ML3.4 requires organisations to analyse event logs from non-internet-facing servers in a timely manner to detect cyber security events | |
| extension Depends on (3) expand_less | ||
| E8-AC-ML2.5 | E8-AC-ML2.5 requires central logging of allowed and blocked application control events to support monitoring and response | |
| E8-MF-ML2.8 | E8-MF-ML2.8 requires organisations to analyse event logs from internet-facing servers in a timely manner to detect cyber security events | |
| E8-AH-ML2.11 | E8-AH-ML2.11 requires central logging of detailed PowerShell execution artefacts so they can be monitored and investigated | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.