Clock synchronization for information systems
Ensure all system clocks are set to the same time source to aid in event tracking and investigations.
Plain language
This control is about making sure all the clocks on your organisation's computers and systems are set to the exact same time. This consistency helps when you need to track what happened and when, especially if you're investigating an incident or resolving a dispute. If the clocks are off, it can be hard to prove the sequence of events, which can cause issues with accountability or legal matters.
Framework
ISO/IEC 27001:2022
Control effect
Detective
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
The clocks of information processing systems used by the organization shall be synchronized to approved time sources.
Why it matters
Unsynchronised system clocks hinder accurate log/event correlation, weakening investigations, audit trails and incident response timing.
Operational notes
Configure NTP on all hosts to use approved time sources; monitor drift (e.g. <100 ms) and alert on offsets or NTP failures.
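One way to implement the drift check from the operational note, as an added example that is not part of the original page or of ISO/IEC 27001: it derives each host's clock offset from the four timestamps of an NTP exchange and flags offsets of 100 ms or more, or a missing reply. The `Probe` type, host names and sample timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MAX_OFFSET_S = 0.100  # acceptable drift from the operational note (<100 ms)

@dataclass
class Probe:
    """One NTP exchange, in seconds: t1 client send, t2 server receive,
    t3 server send, t4 client receive. No reply -> t2..t4 stay None."""
    host: str
    t1: float
    t2: Optional[float] = None
    t3: Optional[float] = None
    t4: Optional[float] = None

def offset_and_delay(p):
    """RFC 5905 offset (server minus client clock) and round-trip delay."""
    offset = ((p.t2 - p.t1) + (p.t3 - p.t4)) / 2
    delay = (p.t4 - p.t1) - (p.t3 - p.t2)
    return offset, delay

def evaluate(probes, max_offset=MAX_OFFSET_S):
    """Map host -> (status, offset, delay); status is OK, DRIFT or NTP_FAILURE."""
    results = {}
    for p in probes:
        if None in (p.t2, p.t3, p.t4):
            # A host that cannot reach its time source is an alert in itself.
            results[p.host] = ("NTP_FAILURE", None, None)
            continue
        offset, delay = offset_and_delay(p)
        status = "OK" if abs(offset) < max_offset else "DRIFT"
        results[p.host] = (status, round(offset, 6), round(delay, 6))
    return results

# Constructed sample measurements (hypothetical hosts, not real data).
SAMPLE = [
    Probe("web01", 1000.000, 1000.012, 1000.013, 1000.026),  # client 0.5 ms ahead
    Probe("db01", 2000.000, 1999.760, 1999.761, 2000.021),   # client 250 ms ahead
    Probe("app01", 3000.000),                                 # no reply received
]

if __name__ == "__main__":
    for host, (status, offset, delay) in evaluate(SAMPLE).items():
        print(host, status, offset, delay)
```

The measured offset is only accurate to within half the round-trip delay, so a probe with a large delay should be repeated before it is treated as evidence of drift.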
Implementation tips
- The IT Manager should ensure there is a standard reference time source for the organisation. To do this, set up a clock that is linked to a reliable time source, like a national atomic clock or GPS system. Use network protocols, like NTP (Network Time Protocol), to keep all computers and devices synced to this time.
- The IT Department should develop and document a policy for clock synchronisation. This policy should explain why accurate timekeeping is critical and provide steps for maintaining it, including setting up and monitoring time sources according to ISO 27002:2022 guidance.
- Procurement should ensure that all new systems and software purchased support time synchronisation mechanisms. When evaluating suppliers, ask about their products' compatibility with common time-synchronisation protocols like NTP and their ability to work with external reliable time sources.
- System Administrators should regularly check and maintain the synchronisation configuration on networks and individual devices. This includes periodically verifying that all clocks on the systems are correctly aligned with the chosen reference time source.
- Security Officers should monitor the synchronisation process and document any discrepancies. They should implement alerts to detect when a system falls out of sync, ensuring any such issues are investigated promptly to mitigate security risks.
Audit / evidence tips
- Ask: the organisation's clock synchronisation policy and procedures
  Good: a clear, well-documented policy that specifies time sources and protocols used
- Ask: logs or reports from the time synchronisation service
  Good: uniform time with minimal discrepancies between systems, indicating successful synchronisation
- Ask: documentation of the external time sources used
  Good: the use of recognised, accurate time sources such as national atomic clocks or GPS systems
- Ask: to see records of system checks related to clock synchronisation
  Good: regular checks with detailed records and quick resolutions of any noted discrepancies
- Ask: evidence of routine training or communication to IT staff about clock synchronisation importance
  Good: regular updates or sessions that reinforce the importance and practices of maintaining synchronised clocks
Cross-framework mappings
How Annex A 8.17 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| E8-RA-ML2.7 | E8-RA-ML2.7 requires privileged account and group management events to be centrally logged | |
| E8-RA-ML2.10 | E8-RA-ML2.10 requires cyber security events to be analysed in a timely manner to identify cyber security incidents | |
| E8-AH-ML2.15 | E8-AH-ML2.15 requires timely analysis of cyber security events to identify incidents | |
| Depends on (2) | | |
| E8-AC-ML2.5 | E8-AC-ML2.5 requires allowed and blocked application control events to be centrally logged for monitoring and investigation | |
| E8-AH-ML2.11 | E8-AH-ML2.11 requires that PowerShell module logging, script block logging and transcription events are centrally logged for monitoring a... | |
ASD ISM
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.