How to Implement ISO 27001 Annex A 8.17 Clock Synchronisation


Implementing ISO 27001 Annex A 8.17 is a foundational security process that keeps the clocks of all in-scope IT assets synchronised to a single reference. By pointing a small set of internal time servers at approved Stratum 1 sources and forcing every other device to follow that internal hierarchy over the Network Time Protocol (NTP), an organisation ensures that log timestamps from different systems can be correlated, which is what gives them forensic value during incident response and audit.

ISO 27001 Annex A Clock Synchronisation Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.17. Compliance here is not about uploading a policy to a portal; it is about ensuring every log entry, across every device, carries a timestamp traceable to the same reference within a known tolerance (a few milliseconds on a well-run LAN, and never more than the 1-second correlation window used in Step 10), so that events can be ordered reliably during an investigation.

1. Select and Validate Stratum 1 Upstream Sources

Control Requirement: The organisation must identify and use approved external reference time sources.

Required Implementation Step: Select at least four distinct external NTP sources of known provenance (for example a national metrology laboratory service such as NPL's, a GPS-disciplined appliance on site, or a provider that publishes its Stratum 1 status). Three sources is the minimum for the NTP selection algorithm to outvote one false ticker; a fourth keeps that margin when one source is unreachable. Note that pool.ntp.org zones are a rotating set of volunteer servers, mostly Stratum 2 and changing IP address over time, so they can supplement but not satisfy a Stratum 1 requirement. Configure the chosen sources by FQDN on your core internal time servers (the PDC Emulator or dedicated NTP appliances); those servers become Stratum 2 and are the only systems that talk to the outside.

Minimum Requirement: Do not rely on a single default vendor pool; use specific, geographically relevant, verified Stratum 1 sources, and record them in the time synchronisation standard so an auditor can trace the hierarchy from workstation to reference clock.

2. Configure Perimeter Firewall Rules (UDP 123)

Control Requirement: Secure the synchronisation traffic and prevent internal devices from querying unauthorized sources.

Required Implementation Step: Configure your edge firewall to allow outbound UDP port 123 only from your designated internal time servers (e.g., the PDC Emulator, dedicated NTP appliances or core switches). Block all other internal addresses from querying external NTP servers directly so that every client must use the internal hierarchy, and log the denies: a host that repeatedly trips the rule is one that was never repointed at the internal servers.

Minimum Requirement: A “Deny All” rule for outbound UDP 123, with specific exceptions for your core time servers only.

3. Configure the PDC Emulator (Active Directory Root)

Control Requirement: Ensure a single source of truth for the Windows Domain environment.

Required Implementation Step: Locate the Domain Controller holding the PDC Emulator FSMO role (netdom query fsmo). Manually configure its Windows Time service (W32Time) to synchronise with the external Stratum 1 sources defined in Step 1 using the command line (w32tm /config /manualpeerlist:…), then confirm with w32tm /query /source and w32tm /query /status that the reported source is one of those peers and not the local CMOS clock.

Minimum Requirement: The PDC Emulator must not use the Local CMOS Clock; it must sync externally.

4. Enforce Hierarchy via Group Policy Objects (GPO)

Control Requirement: Internal systems must synchronise to the approved internal time source.

Required Implementation Step: Create a GPO, linked at the domain level, that enables Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers > Configure Windows NTP Client with Type set to NT5DS (follow the domain hierarchy). This forces all Windows member servers and workstations to pull time from the Domain Controllers, not the internet. Exclude the PDC Emulator from this GPO (for example with a WMI filter on Win32_ComputerSystem where DomainRole = 5); otherwise the policy overwrites the manual external peer list from Step 3 and the root of the hierarchy is left without a source.

Minimum Requirement: No local overrides allowed; time configuration must be locked by GPO.

5. Configure Linux and Unix Environments (Chrony/NTPd)

Control Requirement: Non-Windows systems must adhere to the same time standard.

Required Implementation Step: Edit /etc/chrony.conf (Red Hat family) or /etc/chrony/chrony.conf (Debian/Ubuntu), or /etc/ntp.conf on hosts still running ntpd, on all Linux assets. Remove the distribution's default pool lines and point the server directives to your internal time servers (Domain Controllers, NTP appliances or core switches), not external pools. Restart the daemon and verify with chronyc sources -v that the selected source (marked *) is an internal server, and with chronyc tracking that the system time offset is within tolerance.

Minimum Requirement: Configuration files must be managed via configuration management (Ansible/Puppet) to prevent drift.

6. Synchronise Network Infrastructure (Switches/Routers)

Control Requirement: Network logs must match server logs for correlation.

Required Implementation Step: Access the command line of all core switches, routers, and firewalls. Set their NTP server preference to your internal time sources and verify that the association is reachable and synchronised. Ensure the device clock and log timestamps use UTC, and include the year and timezone in syslog timestamps where the platform allows, so Daylight Saving Time changes do not create gaps or overlaps in the logs.

Minimum Requirement: All network devices must operate on UTC, regardless of physical location.

7. Integrate Physical Security Systems (CCTV & Biometrics)

Control Requirement: Physical access logs must correlate with digital access logs.

Required Implementation Step: Log into the NVR (Network Video Recorder) and the access control panels. Hardcode their NTP settings to point to the internal time servers used by the rest of the hierarchy (or to a management server that itself follows it). Verify that the on-screen display (OSD) time matches your server logs, and repeat the check after firmware updates, which often reset time settings.

Minimum Requirement: CCTV timestamps must not drift; footage whose timestamps cannot be reconciled with the digital access logs will be challenged as evidence.

8. Configure Cloud Infrastructure (AWS/Azure)

Control Requirement: Virtualised environments must maintain sync despite hypervisor pauses.

Required Implementation Step: For AWS, point the OS time client at the Amazon Time Sync Service on the link-local address 169.254.169.123 (Amazon Linux does this by default; verify on other images). For Azure, Linux VMs should take time from the Hyper-V host clock exposed as a PTP device (a chrony refclock on /dev/ptp_hyperv, as in Microsoft's guidance) or from your internal NTP servers over the hybrid link; Windows VMs default to time.windows.com with the host's VMICTimeSync provider as fallback. Allow the daemon to step the clock after a large jump (chrony's makestep directive) so that a VM resumed from a snapshot or migrated between hosts corrects in seconds rather than slewing for hours.

Minimum Requirement: Do not assume the cloud provider manages OS-level time; verify chrony or w32tm source.

9. Implement Drift Monitoring and Alerting

Control Requirement: Detect and correct loss of synchronisation immediately.

Required Implementation Step: Configure your monitoring stack (Nagios, Zabbix, Datadog) to query the time offset of every critical server. Set a trigger to alert the infrastructure team if the offset exceeds 1000ms (1 second).

Minimum Requirement: An automated alert must fire before the drift impacts Kerberos authentication (5 minutes).
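Most monitoring stacks can run a custom check, and the one that matters here is the clock offset itself rather than "is ntpd running". The following is an added example (not code from the page or from any monitoring vendor) of a minimal NTPv4 client that performs the four-timestamp exchange, validates the reply, computes offset and delay as defined in RFC 5905, and grades the result against the page's thresholds (1 s warning, 5 minutes Kerberos limit). fake_reply() plays the server side so the exchange can be exercised offline; the timestamps in the usage block are constructed, and the threshold names are this example's own.

```python
"""Measure a server's clock offset with a raw NTPv4 client exchange and grade it
against the step 9 thresholds.  Added example for this page, not page or vendor
code; fake_reply() models the server so the exchange runs offline, and the
sample timestamps in the usage block are constructed."""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800       # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PACKET = "!BBbbII4s8I"            # LI/VN/Mode, stratum, poll, precision, root delay,
                                  # root dispersion, reference id, then four 64-bit timestamps
WARN_S = 1.0                      # the page's alert threshold (1000 ms)
CRITICAL_S = 300.0                # Kerberos default maximum clock skew (5 minutes)


def to_ntp(unix_ts):
    """Unix float seconds -> (seconds, fraction) 64-bit NTP timestamp."""
    whole = int(unix_ts)
    return whole + NTP_UNIX_DELTA, int((unix_ts - whole) * 2**32)


def from_ntp(sec, frac):
    return sec - NTP_UNIX_DELTA + frac / 2**32


def build_request(t1):
    """Client packet: LI=0, VN=4, Mode=3 (0x23); only the transmit timestamp (T1) is set."""
    s, f = to_ntp(t1)
    return struct.pack(PACKET, 0x23, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, 0, 0, 0, s, f)


def fake_reply(request, t2, t3, stratum=2):
    """What a healthy server sends back: Mode=4 (0x24), our T1 echoed as the origin
    timestamp, its receive time T2 and transmit time T3 (T2 doubles as reference time)."""
    orig_s, orig_f = struct.unpack("!II", request[40:48])
    rx, tx = to_ntp(t2), to_ntp(t3)
    return struct.pack(PACKET, 0x24, stratum, 6, -20, 0, 0, b"GPS\0",
                       rx[0], rx[1], orig_s, orig_f, rx[0], rx[1], tx[0], tx[1])


def compute_offset(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay from the four timestamps."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def parse_response(data, t1, t4):
    """Validate a reply and return (offset, delay).  Rejects non-server packets,
    unsynchronised / Kiss-o'-Death replies, and replies whose origin timestamp
    is not the T1 we sent (a stale or spoofed answer)."""
    if len(data) < 48:
        raise ValueError("short packet")
    fields = struct.unpack(PACKET, data[:48])
    li, mode, stratum = fields[0] >> 6, fields[0] & 0x7, fields[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0 or li == 3:
        raise ValueError("server unsynchronised or Kiss-o'-Death")
    if (fields[9], fields[10]) != to_ntp(t1):
        raise ValueError("origin timestamp does not match our request")
    t2, t3 = from_ntp(fields[11], fields[12]), from_ntp(fields[13], fields[14])
    return compute_offset(t1, t2, t3, t4)


def grade(offset_s):
    """OK below 1 s, WARN up to the Kerberos limit, CRITICAL at or beyond it."""
    mag = abs(offset_s)
    return "CRITICAL" if mag >= CRITICAL_S else "WARN" if mag > WARN_S else "OK"


def query(server, port=123, timeout=2.0):
    """Live check against one server (network required)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (server, port))
        data, _ = sock.recvfrom(1024)
        t4 = time.time()
    return parse_response(data, t1, t4)


if __name__ == "__main__":
    # Constructed exchange: the client clock is 2.5 s slow and each leg takes 10 ms.
    t1, t2, t3, t4 = 1000.00, 1002.51, 1002.52, 1000.03
    off, dly = parse_response(fake_reply(build_request(t1), t2, t3), t1, t4)
    print(f"offset={off:+.3f}s delay={dly:.3f}s grade={grade(off)}")
```

Wire query() into the monitoring agent with the internal time server as the target and alert on grade(): a WARN fires long before the CRITICAL boundary at which Kerberos starts rejecting tickets. The origin-timestamp check matters operationally as well as for security, because a delayed reply to an earlier probe would otherwise produce a spurious offset alert.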

10. Validate Log Correlation

Control Requirement: Verify the effectiveness of the synchronisation for investigations.

Required Implementation Step: Perform a manual test: Trigger a login event on a workstation, a firewall change, and a server file access simultaneously. Export the logs from all three systems and confirm the timestamps align within a 1-second window.

Minimum Requirement: Proof of synchronisation requires matching logs, not just a screenshot of a configuration setting.
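The Step 10 test usually fails not because the clocks disagree but because the three exports use three different timestamp conventions, and the analyst compares them by eye. The following is an added example (not code from the page) of the correlation check done properly: each line is normalised to an aware UTC datetime, then the spread between the earliest and latest event is compared with the 1-second window. The three log lines are constructed, as is the second set in which the firewall clock is four minutes fast; the syslog year and timezone are explicit assumptions because RFC 3164 syslog carries neither.

```python
"""Correlate a workstation logon, a firewall change and a file-server access
(step 10) by normalising three timestamp formats to UTC and checking the spread.
Added example; the log lines are constructed, not real exports."""
import re
from datetime import datetime, timezone

# Constructed sample exports, one line per system, in the three conventions you
# typically meet: ISO local time with offset, RFC 3164 syslog, epoch milliseconds.
ALIGNED = [
    "2024-03-10 03:15:07.412 +0100 WS017 Security 4624 logon user=jdoe",       # workstation in a +01:00 site
    "Mar 10 02:15:07 fw01 config: admin jdoe committed policy change 12",       # firewall syslog, no year, no zone
    r"1710036907500 srv-files audit: open \\srv-files\finance\q1.xlsx user=jdoe",  # file server, epoch ms
]
# Same events, but the firewall clock is four minutes fast (the failure table case).
SKEWED = [ALIGNED[0],
          "Mar 10 02:19:07 fw01 config: admin jdoe committed policy change 12",
          ALIGNED[2]]

ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) ")
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
EPOCH_RE = re.compile(r"^(\d{13}) ")


def to_utc(line, syslog_year=2024, syslog_tz=timezone.utc):
    """Return the line's timestamp as an aware UTC datetime.
    RFC 3164 syslog carries no year and no zone, so both are assumptions: the
    year comes from the export, the zone from the Step 6 UTC requirement."""
    m = ISO_RE.match(line)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f %z").astimezone(timezone.utc)
    m = EPOCH_RE.match(line)
    if m:
        return datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)
    m = SYSLOG_RE.match(line)
    if m:
        naive = datetime.strptime(f"{syslog_year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return naive.replace(tzinfo=syslog_tz).astimezone(timezone.utc)
    raise ValueError(f"unrecognised timestamp: {line[:30]!r}")


def spread_seconds(lines):
    """Seconds between the earliest and latest event once all are in UTC."""
    stamps = [to_utc(line) for line in lines]
    return (max(stamps) - min(stamps)).total_seconds()


def correlated(lines, window_s=1.0):
    """True when every event falls inside one window (the page uses 1 second)."""
    return spread_seconds(lines) <= window_s


if __name__ == "__main__":
    for name, lines in (("aligned", ALIGNED), ("skewed", SKEWED)):
        print(f"{name}: spread={spread_seconds(lines):.3f}s correlated={correlated(lines)}")
```

Note what the aligned case shows: the workstation's 03:15 and the firewall's 02:15 are the same instant once the +0100 offset is applied, and the residual 0.5 s spread comes from the firewall logging whole seconds, which is why the page's window is 1 second and not the millisecond accuracy NTP itself achieves. Keep the evidence from this test (the three exports and the computed spread) as the audit artefact, not the configuration screenshot.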

ISO 27001 Annex A 8.17 SaaS / GRC Platform Implementation Failure Checklist

The disconnect between GRC dashboard compliance and technical reality. Each entry below gives the control requirement, the "checkbox compliance" trap, and the reality check.

Stratum 1 Upstream Source
Checkbox Compliance Trap: The GRC tool asks "Do you use NTP?" (Yes/No).
Reality Check: You clicked "Yes", but your firewall is blocking UDP 123, so the server is actually using its drifting CMOS clock.

Internal Hierarchy
Checkbox Compliance Trap: Uploading a "Time Sync Policy" document to the portal.
Reality Check: Without GPO enforcement, a developer manually changed the time on a server to test a cron job and never changed it back.

Forensic Validity
Checkbox Compliance Trap: The dashboard shows a green "Compliant" status.
Reality Check: During a breach, the firewall logs are 4 minutes ahead of the AD logs, rendering the timeline impossible to reconstruct.

Endpoint Drift
Checkbox Compliance Trap: "All laptops are domain joined."
Reality Check: Remote workers rarely connect to the VPN, so a laptop configured only for the domain hierarchy has no reachable time source; its clock drifts and its logs become unusable for incident response.

CCTV Integration
Checkbox Compliance Trap: Listing CCTV in the asset register.
Reality Check: The CCTV system was installed by a third party who left it on the factory default time (often years in the past).

Virtualisation Issues
Checkbox Compliance Trap: Assuming AWS/Azure handles it automatically.
Reality Check: Virtual machine clocks jump after snapshots or live migration events. Without a running NTP daemon that is allowed to step the clock, the offset persists or takes hours to slew out.

Alerting
Checkbox Compliance Trap: Reviewing the policy annually.
Reality Check: Unless you have active monitoring (e.g., Zabbix) alerting on more than 1 s of drift, you won't know the clock is wrong until Kerberos authentication fails.

About the author

Stuart Barker
ISO 27001 Ninja
MSc Security, Lead Auditor, 30+ years' experience, ex-GE leader

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
