How to Implement ISO 27001:2022 Annex A 8.17 Clock Synchronisation

Imagine trying to solve a crime where every witness gives you a different timeline. One says the event happened at 2:00 PM, another swears it was 2:15 PM, and the security camera says 1:30 PM. It would be a nightmare, right? In the digital world, this is exactly what happens when your servers and devices don’t agree on the time.

This is where ISO 27001:2022 Annex A 8.17 steps in. It’s a control that often gets overlooked as a “minor technical detail,” but as any incident responder will tell you, it is absolutely critical when things go wrong.

What is Annex A 8.17?

Put simply, Annex A 8.17 requires that the clocks of all information processing systems within your organisation are synchronised to a single, approved reference time source. Whether it’s a server in your data centre, a firewall at the network edge, or a laptop in a coffee shop, they all need to be singing from the same hymn sheet when it comes to time.

The standard defines this control as ensuring that “the clocks of information processing systems used by the organisation should be synchronised to approved time sources.”

Why is Clock Synchronisation Critical?

You might be wondering, “Does it really matter if my server is a few seconds fast?” The answer is a resounding yes.

1. Incident Investigation and Forensics

When a security breach occurs, the first thing investigators do is look at the logs. They try to piece together a story: “User A logged in here, then a file was accessed there, then data was exfiltrated.” If the timestamps on these logs don’t match, you can’t correlate the events. A discrepancy of even a few minutes can make it impossible to prove that a specific action caused a specific result.

2. Authentication Protocols

Many security protocols, like Kerberos (used heavily in Windows environments), rely on strict time limits to prevent “replay attacks.” If a server’s clock drifts too far from the domain controller, users might find themselves locked out, causing operational headaches that look like security incidents.

3. Regulatory Compliance

Many regulations, such as PCI DSS (for payment cards) or GDPR, have strict requirements regarding audit trails. If your audit trails are inaccurate because the time is wrong, you could be found non-compliant.

How to Implement Control 8.17

Implementing this control is generally straightforward, but it requires a structured approach to ensure nothing is missed.

Step 1: Define Your Reference Time

You need a “source of truth.” For most organisations, this means Coordinated Universal Time (UTC). Using UTC prevents confusion arising from daylight saving changes or different time zones across international offices. All internal systems should ultimately trace their time back to a reliable external source, such as a Stratum 1 NTP server.

Step 2: Establish a Time Hierarchy

It is rarely a good idea to have every single laptop and server query the internet for the time. Instead, set up an internal hierarchy:

  • External Source: Your top-level firewalls or core routers sync with a trusted external NTP provider (like pool.ntp.org or a national time service).
  • Internal Servers: Your domain controllers or central servers sync with those core network devices.
  • Endpoints: Laptops, desktops, and other devices sync with the domain controllers.

Step 3: Configure Network Time Protocol (NTP)

Ensure that NTP is configured on all devices. For Windows domains, this is often handled automatically by Active Directory, but for Linux servers, routers, and IoT devices, you may need to configure this manually. Make sure you have redundancy—configure at least two internal time sources so that if one fails, devices have a backup.

Step 4: Monitor for Drift

Clocks are not perfect; they “drift” over time. You should monitor your critical systems to ensure they stay in sync. Most monitoring tools can alert you if a server’s time deviates from the reference source by more than a set threshold (e.g., 1 second).

Step 5: Document Your Setup

As with all things ISO 27001, if it isn’t written down, it didn’t happen. You need a policy or a procedure document that states:

  • What your reference time source is.
  • Which systems are in scope (hint: it should be all of them).
  • How you monitor for accuracy.

If you are looking for templates to help document this without starting from scratch, resources like Hightable.io offer comprehensive toolkits that can save you significant time.


Common Pitfalls to Avoid

  • Ignoring Cloud Servers: Just because it’s in the cloud doesn’t mean the time is automatically managed for your specific needs. Verify the settings.
  • Manual Time Updates: Never allow users or admins to change the time manually on servers. This breaks the chain of custody for logs.
  • Forgetting CCTV: Physical security systems like cameras often have their own internal clocks that drift badly. Ensure they are part of your NTP setup so that digital logs match physical evidence.

Conclusion

Clock synchronisation is the invisible glue that holds your security monitoring together. By implementing Annex A 8.17 correctly, you aren’t just ticking a compliance box; you are building a foundation that allows you to detect, understand, and recover from security incidents effectively.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director
Stuart Barker, an ISO 27001 expert and thought leader, is the author of this content.