In this guide, I will show you exactly how to implement ISO 27001 Annex A 8.17 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 8.17 Clock Synchronisation
ISO 27001 Annex A 8.17 requires that the clocks of all relevant information processing systems (servers, laptops, firewalls, databases) are synchronized to a single, consistent time source. This ensures that timestamps in your system logs are accurate, which is vital for incident investigation, forensic evidence, and meeting legal or regulatory requirements.
Core requirements for compliance include:
- Single Trusted Source: You must use an authoritative time source (e.g., an atomic clock or a trusted provider like Google, Microsoft, or a national laboratory). All your devices should sync to this central “Golden Clock.”
- Network Time Protocol (NTP): This is the industry-standard method for syncing clocks over a network. You should prove that NTP is configured on all servers and network hardware.
- Consistency in Logs: If an incident occurs, you need to be able to correlate events. If your firewall says an attack happened at 10:00 AM, but your database says it was 10:05 AM, your “forensic trail” is broken.
- Legal Admissibility: Accurate timestamps are required if you ever need to use logs as evidence in a court of law or for a regulatory filing.
Audit Focus: Auditors will look for “The Time Drift”:
- Configuration Check: They will ask to see the NTP settings on a random server.
- The Proof: “Show me that your server time matches the actual current time in your region.”
- The Chain: If you operate globally, how do you handle Time Zones? (Usually, systems should be set to UTC to maintain a universal baseline).
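As an added illustration of the two points above (the broken forensic trail and the UTC baseline), here is a Python example written for this guide; it is not code from the original page or from any toolkit. It takes log records from three systems that each stamp time differently (one with an explicit offset, one in UTC, one in local time with no offset at all), normalises them to UTC and only then correlates them. The host names, log lines and the assumption that the application server logs in UTC-5 are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from the page): (source, raw timestamp, message).
# Three systems, three timestamp conventions: offset given, UTC "Z", and naive local time.
SAMPLE_EVENTS = [
    ("firewall", "2024-03-10T10:00:00-05:00", "deny tcp 203.0.113.7 -> 10.0.0.5:5432"),
    ("database", "2024-03-10T15:00:02Z", "authentication failure for user 'app'"),
    ("appserver", "2024-03-10 10:00:05", "connection pool exhausted"),
]

# Assumption for the example: the app server is known to log in UTC-5 without saying so.
# Systems like this are exactly why the guide recommends setting every clock to UTC.
LOCAL_TZ_BY_SOURCE = {"appserver": timezone(timedelta(hours=-5))}


def to_utc(raw, default_tz=None):
    """Parse an ISO 8601 style timestamp and return an aware datetime in UTC.

    Naive timestamps (no offset) are only accepted when the caller states which
    zone the source logs in; guessing silently is how forensic trails get broken.
    """
    text = raw.strip().replace(" ", "T", 1)
    if text.endswith("Z"):  # fromisoformat() before Python 3.11 does not accept "Z"
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        if default_tz is None:
            raise ValueError(f"{raw!r} carries no UTC offset and no default zone was supplied")
        dt = dt.replace(tzinfo=default_tz)
    return dt.astimezone(timezone.utc)


def normalise(events, local_tz_by_source):
    """Return (utc_time, source, message) rows sorted on the UTC timestamp."""
    rows = []
    for source, raw, message in events:
        rows.append((to_utc(raw, local_tz_by_source.get(source)), source, message))
    rows.sort(key=lambda row: row[0])
    return rows


def correlate(rows, window=timedelta(seconds=30)):
    """Group normalised rows whose timestamps lie within `window` of the group's first event."""
    groups = []
    for row in rows:
        if groups and row[0] - groups[-1][0][0] <= window:
            groups[-1].append(row)
        else:
            groups.append([row])
    return groups


def spread_seconds(group):
    """Seconds between the first and last event of a correlated group."""
    return (group[-1][0] - group[0][0]).total_seconds()


if __name__ == "__main__":
    for group in correlate(normalise(SAMPLE_EVENTS, LOCAL_TZ_BY_SOURCE)):
        print(f"--- {len(group)} events within {spread_seconds(group):.0f} s ---")
        for when, source, message in group:
            print(when.isoformat(), source, message)
```

With the correct zone supplied, all three records land within five seconds of each other in UTC and correlate as one incident; treat the app server's naive timestamps as UTC by mistake and the same events fall five hours apart and never line up. A whole-hour discrepancy like that almost always means a time-zone mistake, while a discrepancy of seconds or minutes (the firewall-says-10:00, database-says-10:05 case) is clock drift, which is what the NTP monitoring below is for.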
Clock Sync Best Practices:
| Setting | Recommendation | Why it matters |
| --- | --- | --- |
| Protocol | Use NTP or SNTP. | It is the automated standard for time sync. |
| Time Source | Use a trusted external source (e.g., pool.ntp.org). | Ensures your company isn’t drifting away from real-world time. |
| Standard Time | Set server clocks to UTC. | Prevents confusion during Daylight Savings or across global offices. |
| Monitoring | Check for sync failures. | Alerts you if a server stops receiving time updates and starts to “drift.” |
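The Monitoring row above, and the auditor's "show me the NTP settings on this server" check later in this guide, both come down to reading the time daemon's own status and deciding whether the host is genuinely synchronised. The following Python example was added for this guide and is not code from the original page or any toolkit: it parses the status report that chrony's `chronyc tracking` command prints on Linux, and flags a host that is unsynchronised, has no reference clock, or has drifted beyond a tolerance you choose. Both status reports in the block are constructed samples, not captures from a real host; the thresholds are illustrative assumptions, not values from the standard.

```python
import re
import shutil
import subprocess

# Constructed sample `chronyc tracking` output for a healthy host (not a real capture).
SAMPLE_OK = """\
Reference ID    : A9FEA97B (169.254.169.123)
Stratum         : 4
Ref time (UTC)  : Sun Mar 10 15:00:00 2024
System time     : 0.000012345 seconds fast of NTP time
Last offset     : +0.000008765 seconds
RMS offset      : 0.000021003 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.045 ppm
Root delay      : 0.000512345 seconds
Root dispersion : 0.000234567 seconds
Update interval : 64.2 seconds
Leap status     : Normal
"""

# Constructed sample for a host that has never reached a time source.
SAMPLE_UNSYNCED = """\
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
"""

# chrony reports the local clock's error as "<n> seconds fast|slow of NTP time".
OFFSET_RE = re.compile(r"([0-9.]+) seconds (fast|slow) of NTP time")


def parse_tracking(text):
    """Turn the `key : value` lines of `chronyc tracking` into a small status dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # values like "Sun Mar 10 15:00:00 2024" contain colons
        fields[key.strip()] = value.strip()
    match = OFFSET_RE.search(fields.get("System time", ""))
    offset = None
    if match:
        offset = float(match.group(1)) * (1 if match.group(2) == "fast" else -1)
    ref = fields.get("Reference ID", "")
    return {
        "reference_id": ref.split()[0] if ref else "",
        "stratum": int(fields.get("Stratum", "0")),
        "leap_status": fields.get("Leap status", ""),
        "offset_s": offset,  # signed: positive means the local clock is ahead
    }


def check_sync(status, max_offset_s=0.5, max_stratum=10):
    """Return (ok, findings). Thresholds are illustrative assumptions, not standard values."""
    findings = []
    if status["leap_status"] != "Normal":
        findings.append(f"leap status is {status['leap_status']!r}, expected 'Normal'")
    if status["stratum"] == 0 or status["stratum"] > max_stratum:
        findings.append(f"stratum {status['stratum']} is outside 1..{max_stratum}")
    if status["reference_id"] in ("", "00000000"):
        findings.append("no reference clock selected")
    if status["offset_s"] is None or abs(status["offset_s"]) > max_offset_s:
        findings.append(f"system offset {status['offset_s']} s exceeds {max_offset_s} s")
    return (not findings, findings)


if __name__ == "__main__":
    # On a host with chrony installed, read the live report; otherwise use the samples.
    if shutil.which("chronyc"):
        reports = {"this host": subprocess.run(["chronyc", "tracking"], capture_output=True,
                                               text=True, check=True).stdout}
    else:
        reports = {"sample-ok": SAMPLE_OK, "sample-unsynced": SAMPLE_UNSYNCED}
    for name, text in reports.items():
        ok, findings = check_sync(parse_tracking(text))
        print(name, "OK" if ok else "DRIFT/FAILURE", findings)
```

Run on a schedule and fed into whatever raises alerts for you, this is the "check for sync failures" control in practice; run once in front of an auditor, the same output is the evidence that the clock matches the approved source. Hosts that use systemd-timesyncd or ntpd expose the same facts through `timedatectl` and `ntpq -p` respectively, but with different output formats, so the parser here is chrony-specific.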
Table of contents
- Key Takeaways: ISO 27001 Annex A 8.17 Clock Synchronisation
- What is ISO 27001 Annex A 8.17?
- ISO 27001 Annex A 8.17 Free Training Video
- ISO 27001 Annex A 8.17 Explainer Video
- ISO 27001 Annex A 8.17 Podcast
- How to implement ISO 27001 Annex A 8.17
- Recommended NTP Sources
- What will an auditor check?
- Fast Track Compliance with the ISO 27001 Toolkit
- Related ISO 27001 Controls
- Further Reading
What is ISO 27001 Annex A 8.17?
ISO 27001 Annex A 8.17 is about clock synchronisation, which means that the time on all your devices should be exactly the same and centrally managed.
ISO 27001 Annex A 8.17 Clock Synchronisation is an ISO 27001 control that requires us to ensure that all the clocks of all systems are synchronised to an approved time source.
ISO 27001 Annex A 8.17 Purpose
ISO 27001 Annex A 8.17 is a detective control to enable the correlation and analysis of security-related events and other recorded data, and to support investigations into information security incidents.
ISO 27001 Annex A 8.17 Definition
The ISO 27001 standard defines ISO 27001 Annex A 8.17 as:
The clocks of information processing systems used by the organisation should be synchronised to approved time sources.
ISO27001:2022 Annex A 8.17 Clock Synchronisation
ISO 27001 Annex A 8.17 Free Training Video
In the video ISO 27001 Clock Synchronisation Explained – ISO27001:2022 Annex A 8.17 I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 8.17 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 8.17 Clock Synchronisation, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 8.17 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001:2022 Annex A 8.17 Clock Synchronisation. The podcast explores what it is, why it is important and the path to compliance.
How to implement ISO 27001 Annex A 8.17
The whole point of this control is that every system is synchronised and is reporting, recording and using the same time. This information is used in information security incidents and, in the most extreme case, in investigations. It is part of evidence gathering and would need to be in place for criminal investigations.
The advice here would be to speak with your technical teams on the best approach and best technology to use.
The need may arise from legal, regulatory, statutory, contractual, standards and internal monitoring needs. So this would be the first place to look to see if there is anything specific that you need to do.
The basic premise is to get all clocks of all devices on the same page. This includes things you might not consider such as building entry systems or surveillance systems.
It is probably more practical to have all devices of a type synced to the same source rather than every device of every type connected to the same source. Some systems may use their own time source, for example. A clock for each service is acceptable, with any difference recorded in order to mitigate the risk of discrepancies.
The advice of the standard talks of linking to a radio time broadcast from a national atomic clock or global positioning system (GPS), and of protocols such as Network Time Protocol (NTP) or Precision Time Protocol (PTP) to keep all networked systems in synchronisation with a reference clock.
For small organisations a lot of this can be overkill and it would be the advice to pursue the most technically simple option available.
Recommended NTP Sources
- Public Internet: pool.ntp.org
- AWS Cloud: 169.254.169.123 (Amazon Time Sync)
- Google Cloud: time.google.com
- Azure: time.windows.com
What will an auditor check?
The audit is going to check a number of areas. Let's go through the main ones.
1. That you have documentation
What this means is that you need to show that you have documented your clock synchronisation. This may be just recording what you do but be sure to understand how your clocks are synchronised and be able to show it.
2. That you have implemented clock synchronisation appropriately
They will look at systems to seek evidence of clock synchronisation. They want to see evidence of clock synchronisation and the process in operation. It may be that they look for evidence that you have used it as part of information security incident management.
3. That you have conducted internal audits
The audit will want to see that you have tested the controls and evidenced that they are operating. This is usually in the form of the required internal audits. They will check the records and outputs of those internal audits.
Fast Track Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 8.17 (Clock synchronisation), the requirement is to ensure that the clocks of all information processing systems are synchronised to approved time sources. This is a critical detective control – without unified time, correlating logs during an incident investigation is nearly impossible.
While SaaS compliance platforms often try to sell you “continuous monitoring” modules to track system time, the High Table ISO 27001 Toolkit provides the logical, time-saving solution by focusing on the governance, the policies and procedures, that prove to an auditor you have a synchronised and managed environment.
Here is why the Toolkit is the smarter choice for complying with Annex A 8.17:
1. Ownership: You Own Your Time Synchronisation Policy Forever
SaaS platforms act as a middleman for your compliance data. If you define your time synchronisation standards inside their proprietary system, you are essentially renting your own architectural rules.
- The Toolkit Advantage: You receive the Clock Synchronisation Policy and Logging and Monitoring Procedures in fully editable Word/Excel formats. These files are yours forever. You maintain permanent ownership of your standards (such as using NTP pool or cloud-native time sync), ensuring your audit evidence is always accessible on your own systems without an ongoing subscription.
2. Simplicity: Governance for the Tech You Already Use
Annex A 8.17 requires you to use an approved time source (like pool.ntp.org or AWS/Azure Time Sync). You don’t need a complex SaaS dashboard to tell you that your servers are syncing to the cloud.
- The Toolkit Advantage: Your technical team likely already has NTP or PTP configured. The Toolkit provides the Clock Synchronisation Policy template that formalises what they are already doing. It validates your current technical reality without forcing your team to learn a new piece of compliance software just to record that “time is synced.”
3. Cost: A One-Off Fee vs. Unnecessary Recurring Costs
Many SaaS tools charge a monthly fee to monitor “infrastructure health,” which includes clock sync. Paying a recurring cost for a static technical configuration is an inefficient use of budget.
- The Toolkit Advantage: You pay a single, one-off fee for the entire Toolkit. Whether you have five servers or five hundred, the cost of your Clock Synchronisation Documentation remains the same. You save your budget for the actual security infrastructure rather than a platform to document it.
4. Freedom: No Vendor Lock-In for Your Infrastructure
SaaS tools often mandate specific monitoring integrations. If your network uses specialized hardware (like GPS-linked atomic clocks) or unique cloud configurations, a generic SaaS tool may not accurately reflect your setup.
- The Toolkit Advantage: The High Table Toolkit is technology-agnostic. You can edit the Synchronisation Procedures to match exactly how you operate, whether you use public internet NTP pools, cloud-native time sync, or local radio time broadcasts. You define the standards that fit your business, giving you the freedom to evolve your infrastructure without reconfiguring a compliance tool.
Summary: For Annex A 8.17, the auditor wants to see that you have a policy for clock synchronisation and that you follow it. The High Table ISO 27001 Toolkit provides the governance framework to do exactly that. It is the most direct, cost-effective way to satisfy the requirement with professional, permanent documentation that you own and control.
Related ISO 27001 Controls
ISO 27001 Annex A 8.4 Access To Source Code
ISO 27001 Clause 7.3 Awareness
Further Reading
ISO 27001 Logging and Monitoring Policy Beginner’s Guide
How To Create an ISO 27001 Threat Intelligence Process and Report
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
