During a forensic investigation, the analyst tries to reconstruct a lateral movement sequence across four servers. Each server’s logs tell a different story about the order of events — because their clocks differ by up to twelve minutes. The timeline becomes unusable. A.8.17 requires that all systems synchronize their clocks to an approved, authoritative time source.
Clock synchronization is a small, often overlooked control with outsized impact. Every other detective control — logging, monitoring, alerting — depends on accurate, consistent timestamps.
What does the standard require?
- Define an authoritative time source. Select a reliable, trusted reference: national time service, GPS or a dedicated time server.
- Synchronize all systems. Every information processing system must synchronize its clock to the approved source using NTP or PTP.
- Use redundant time sources. Where feasible, use two or more independent time sources so that the failure of one source does not silently skew the whole estate; with three or more, a faulty source (a "falseticker") can be outvoted by the others.
- Monitor for drift. Detect and alert on systems whose clocks deviate beyond an acceptable threshold.
- Document the configuration. Record which time source is used, how synchronization is configured and what the acceptable drift tolerance is.
In practice
Deploy internal NTP servers. Set up at least two internal NTP servers synchronized to external authoritative sources (e.g., PTB in Germany: ptbtime1.ptb.de, ptbtime2.ptb.de, ptbtime3.ptb.de). All other systems synchronize against these internal servers, not directly against the internet; restrict outbound NTP at the perimeter to the internal servers so that this rule is enforced rather than assumed.
Configure NTP on every system. Ensure NTP is active on every server, workstation, network device and cloud instance. Use configuration management (A.8.9) to enforce NTP settings consistently across the estate.
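As an added example (not from the original page), the two chrony.conf tiers that the two steps above describe: the internal servers that take time from PTB and serve the estate, and the client configuration that configuration management pushes to every other host. The hostnames ntp1/ntp2.internal.example and the 10.0.0.0/8 range are assumptions, as is the availability of Network Time Security (NTS) on the upstream servers; without NTS the external leg is unauthenticated, and the `nts` option must be dropped if the upstream does not offer it (check with `chronyc -N authdata`).

```conf
# --- /etc/chrony.conf on the two internal time servers ---
# (ntp1.internal.example and ntp2.internal.example; names are assumed)

# Three independent PTB servers so that a faulty one can be outvoted.
# `nts` authenticates each session with Network Time Security; this assumes
# the upstream offers NTS. Remove it otherwise, and accept that the leg is
# then unauthenticated and spoofable from the network path.
server ptbtime1.ptb.de iburst nts
server ptbtime2.ptb.de iburst nts
server ptbtime3.ptb.de iburst nts

minsources 2              # do not adjust the clock unless two sources agree
maxdistance 1.0           # reject sources whose root distance exceeds 1 s
makestep 1.0 3            # step if off by >1 s during the first 3 updates, then slew only
driftfile /var/lib/chrony/drift
rtcsync                   # keep the hardware clock in step with the system clock

# Serve the internal estate only; nothing outside 10.0.0.0/8 can query us.
allow 10.0.0.0/8
# If every upstream is lost, keep serving as an "orphan" at stratum 10 so
# clients stay mutually consistent (monitoring will see the degraded stratum).
local stratum 10 orphan

# Evidence for A.8.17: tracking and measurement logs under /var/log/chrony
logdir /var/log/chrony
log tracking measurements statistics

# --- /etc/chrony.conf on every other server, workstation or VM ---
# Both internal servers for redundancy; never the internet directly.
server ntp1.internal.example iburst
server ntp2.internal.example iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
# No `allow` directive: chronyd refuses NTP client requests unless one is
# present, so an ordinary host does not accidentally become a time server.
```

The client fragment is the one to put under configuration management (A.8.9); the server fragment lives only on the two internal servers, and the perimeter firewall should permit outbound UDP/123 from those two hosts alone.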
Monitor NTP synchronization status. Include NTP health in your monitoring (A.8.16). Alert when a system's clock drifts beyond the defined threshold (typically 1-2 seconds for general systems, milliseconds for time-sensitive applications), and also when the NTP client reports that it is not synchronized at all: an unsynchronized host may show a small offset for a while and then drift freely.
Align time zones and formats. Store all log timestamps in UTC (e.g. 2024-03-04T09:15:42Z) to avoid confusion during investigations that span time zones. If local time is used, always include the UTC offset (e.g. 2024-03-04T10:15:42+01:00).
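The drift check from the monitoring paragraph above, and the roll-up into the "percentage of systems within tolerance" KPI defined further down, as an added example that is not part of the original page. It parses the output of `chronyc tracking` (the `System time` and `Leap status` lines) and treats "not synchronised" as a failure even when the reported offset looks small. The hostnames, offsets and the sample `chronyc tracking` outputs are constructed for the demonstration; real output contains more lines than shown.

```shell
#!/bin/sh
# Added example: evaluate `chronyc tracking` output against a drift threshold,
# then roll per-host results up into the A.8.17 KPI. All hosts, offsets and
# sample outputs below are constructed, not captured from a real system.

# evaluate_tracking <threshold_seconds>
# Reads `chronyc tracking` output on stdin. Prints one line and exits with
#   0  "OK <offset>"      synchronised, offset within threshold
#   1  "DRIFT <offset>"   synchronised but offset above threshold -> alert
#   2  "UNSYNC <offset>"  chronyd reports "Not synchronised" -> alert even if the
#                         offset looks small (it is only the last known value)
#   3  "NODATA"           no "System time" line; chronyd is probably not running
evaluate_tracking() {
    awk -v thr="${1:-1}" '
        /^System time/ { split($0, a, ":"); split(a[2], f, " "); off = f[1] }
        /^Leap status/ { split($0, a, ":"); sub(/^ +/, "", a[2]); leap = a[2] }
        END {
            if (off == "")                  { print "NODATA";      exit 3 }
            if (leap == "Not synchronised") { print "UNSYNC " off; exit 2 }
            if ((off + 0) > (thr + 0))      { print "DRIFT " off;  exit 1 }
            print "OK " off
        }'
}

# fleet_kpi <threshold_seconds>
# Reads one line per host on stdin: "<host> <offset_seconds> <synchronised yes|no>"
# (as collected by the monitoring agent running `chronyc tracking` on each host)
# and prints "<compliant> <total> <percent>". Exits 1 on empty input.
fleet_kpi() {
    awk -v thr="${1:-1}" '
        NF >= 3 { total++; if ($3 == "yes" && ($2 + 0) <= (thr + 0)) ok++ }
        END {
            if (total == 0) { print "0 0 0"; exit 1 }
            printf "%d %d %d\n", ok, total, int(ok * 100 / total)
        }'
}

# --- constructed sample data: stand-ins for real `chronyc tracking` output ---
sample_ok() {
cat <<'EOF'
Reference ID    : 0A000001 (ntp1.internal.example)
Stratum         : 3
System time     : 0.000031234 seconds slow of NTP time
Last offset     : -0.000012345 seconds
Leap status     : Normal
EOF
}

# The twelve-minute case from the opening scenario: synchronised source, huge offset.
sample_drift() {
cat <<'EOF'
Reference ID    : 0A000002 (ntp2.internal.example)
Stratum         : 3
System time     : 720.412345678 seconds fast of NTP time
Leap status     : Normal
EOF
}

# Host whose chronyd has never reached a source: small offset, but not trustworthy.
sample_unsync() {
cat <<'EOF'
Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised
EOF
}

# Constructed fleet report: host, offset in seconds, synchronised flag.
sample_fleet() {
cat <<'EOF'
web01   0.000031234   yes
web02   0.002100000   yes
db01    720.412345678 yes
jump01  0.000000000   no
EOF
}
```

On a live host the check is `chronyc tracking | evaluate_tracking 1`; the exit code maps directly onto alert severity in most monitoring agents. With the constructed fleet above, `sample_fleet | fleet_kpi 1` reports 2 of 4 hosts compliant, i.e. a KPI of 50% against the page's 100% target. Hosts running ntpd instead of chrony need a different parser (`ntpq -c rv` prints a different format).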
Typical audit evidence
Auditors typically expect the following evidence for A.8.17:
- Time synchronization policy — documented time source, protocol and drift tolerance (see IT Operations Policy in the Starter Kit)
- NTP configuration — evidence showing NTP client configuration on systems
- NTP server status — verification that NTP servers are synchronized and healthy
- Drift monitoring — alerts or reports showing clock synchronization status
- Timestamp format standard — documented use of UTC or consistent time zones in logs
KPI
Percentage of systems synchronized to an authoritative time source
Measured as a percentage: how many of your systems have NTP configured and are within the acceptable drift tolerance? Target: 100%.
Supplementary KPIs:
- Maximum observed clock drift across the estate
- Number of systems with NTP synchronization failures per month
- NTP server uptime and reachability
BSI IT-Grundschutz
A.8.17 maps to BSI modules for logging and time management:
- OPS.1.1.5 (Logging) — requires synchronized time stamps on all log sources as a prerequisite for meaningful log analysis.
- OPS.1.2.6 (NTP Time Synchronization) — dedicated module for time synchronization requirements.
Related controls
- A.8.15 — Logging: Log timestamps must be accurate for logs to be useful.
- A.8.16 — Monitoring Activities: Monitoring correlation depends on synchronized clocks.
- A.8.5 — Secure Authentication: Kerberos rejects tickets when clock skew between client, KDC and service exceeds its tolerance, 5 minutes by default.
Sources
- ISO/IEC 27001:2022 Annex A, Control A.8.17 — Clock synchronization
- ISO/IEC 27002:2022 Section 8.17 — Implementation guidance for clock synchronization
- BSI IT-Grundschutz, OPS.1.2.6 — NTP Time Synchronization