The basics
ISO 27001 control A.8.17 Clock synchronization requires that the clocks of all information processing systems an organization uses are synchronized to approved time sources. With a common time base, events recorded by different systems (servers, network devices, endpoints, cloud services) can be placed in the correct order and correlated, which is what log analysis, incident investigation and forensic reconstruction depend on.
Documentation
ISO 27001 control A.8.17 Clock Synchronization can be documented:
- for smaller and mid-sized companies by writing Security Procedures for the IT Department
- for larger companies by writing a dedicated Clock Synchronization Procedure
These documents are not mandatory, but are recommended.
Implementation
In order to comply with control A.8.17 Clock synchronization you might implement the following:
- Technology — clock synchronization is normally done with the Network Time Protocol (NTP), or PTP where sub-millisecond accuracy is needed, against one or a few internal time servers that in turn track trusted upstream sources or a hardware time reference (e.g., a GPS- or radio-disciplined time server). Companies of all sizes will usually be able to use the time synchronization features built into their servers, network devices and endpoint devices; the work is in pointing them all at the same approved sources rather than at whatever public pool a default install uses. Because plain NTP is unauthenticated, consider authenticated NTP (Network Time Security, RFC 8915, or symmetric keys) where a spoofed time source would matter, and monitor the offset of each system so that drift is detected rather than assumed away.
- Organization/processes — set up a process for documenting time reference requirements (which accuracy each system class needs), defining the approved time sources, and configuring and verifying the synchronization of internal clocks. Document those processes in the Security Procedures for the IT Department or in a Clock Synchronization Procedure.
- People — make employees aware of why the clocks of different assets must agree (for example, that an unsynchronized device produces logs that cannot be correlated with the rest), and train IT staff on how to configure the approved time sources and how to check that internal clocks are in sync.
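To make the Technology bullet concrete, the following is an added example (not part of the original page and not vendor code) of the client-side logic of the protocol just named, SNTP as specified in RFC 4330: it builds the 48-byte client request, validates the server's reply (mode, stratum, leap indicator, and that the originate timestamp matches the request we sent, so a stray or spoofed reply is rejected), and computes the clock offset and round-trip delay from the four timestamps. The server reply and all timestamps are constructed inline so that it runs offline; the helper names are this example's own.

```python
"""Minimal SNTP (RFC 4330) client-side logic: build the request, validate
the reply and compute the clock offset.  Added example with constructed
timestamps; nothing here is captured from a real time server."""
import struct

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
PACKET_FORMAT = "!BBbbIIIQQQQ"         # LI/VN/Mode, stratum, poll, precision, root delay,
PACKET_SIZE = struct.calcsize(PACKET_FORMAT)   # root dispersion, ref id, 4 x 64-bit timestamps = 48 bytes


def to_ntp(unix_seconds):
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * (1 << 32)))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return ((ts >> 32) - NTP_EPOCH_OFFSET) + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1_unix):
    """Client request: LI=0, VN=4, mode=3 (client); only the transmit timestamp is filled in."""
    first_byte = (0 << 6) | (4 << 3) | 3
    return struct.pack(PACKET_FORMAT, first_byte, 0, 0, 0, 0, 0, 0,
                       0, 0, 0, to_ntp(t1_unix))


def parse_response(data, t1_unix, t4_unix):
    """Validate a server reply and return offset/delay relative to the local clock.

    t1_unix is the local time the request was sent, t4_unix the local time
    the reply arrived.  Raises ValueError for replies that must not be used."""
    if len(data) != PACKET_SIZE:
        raise ValueError("reply is %d bytes, expected %d" % (len(data), PACKET_SIZE))
    fields = struct.unpack(PACKET_FORMAT, data)
    first, stratum = fields[0], fields[1]
    leap, version, mode = first >> 6, (first >> 3) & 7, first & 7
    originate, receive, transmit = fields[8], fields[9], fields[10]

    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0:
        raise ValueError("stratum 0: kiss-o'-death or unspecified, do not use")
    if stratum > 15:
        raise ValueError("stratum %d is unsynchronized/reserved" % stratum)
    if leap == 3:
        raise ValueError("server reports its own clock is unsynchronized (LI=3)")
    if originate != to_ntp(t1_unix):
        # The server must echo our transmit timestamp; anything else is a
        # reply to some other request, a duplicate, or a forged packet.
        raise ValueError("originate timestamp does not match our request")

    t2, t3 = from_ntp(receive), from_ntp(transmit)
    offset = ((t2 - t1_unix) + (t3 - t4_unix)) / 2     # how far the local clock is behind the server
    delay = (t4_unix - t1_unix) - (t3 - t2)            # round-trip time excluding server processing
    return {"version": version, "stratum": stratum, "offset": offset, "delay": delay}


def make_server_reply(request, t2_unix, t3_unix, stratum=2, leap=0):
    """Constructed stratum-2 reply used only for this offline demonstration."""
    req = struct.unpack(PACKET_FORMAT, request)
    first_byte = (leap << 6) | (4 << 3) | 4            # mode 4 = server
    return struct.pack(PACKET_FORMAT, first_byte, stratum, req[2], -20, 0, 0, 0,
                       to_ntp(t2_unix - 64),            # reference timestamp (last upstream update)
                       req[10],                         # originate = client's transmit timestamp
                       to_ntp(t2_unix), to_ntp(t3_unix))


def demo():
    """Constructed exchange: the server clock is about 2 s ahead of the local clock."""
    t1 = 1700000000.0                                   # local send time
    request = build_request(t1)
    reply = make_server_reply(request, t2_unix=1700000002.0625, t3_unix=1700000002.125)
    t4 = 1700000000.25                                  # local receive time
    return parse_response(reply, t1, t4)                # offset 1.96875 s, delay 0.1875 s


def rejects_unsynchronized():
    """A reply with LI=3 must be discarded rather than applied to the local clock."""
    t1 = 1700000000.0
    reply = make_server_reply(build_request(t1), 1700000002.0625, 1700000002.125, leap=3)
    try:
        parse_response(reply, t1, 1700000000.25)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("LI=3 reply rejected:", rejects_unsynchronized())
```

The offset formula assumes a symmetric network path; on an asymmetric path the error is bounded by half the measured delay, which is why production clients prefer several sources and discard replies with unusually high delay rather than trusting a single packet.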
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.17 Clock synchronization: whether all information systems are synchronized to the same approved time sources. In practice this means the documented list of approved sources, the time client configuration on a sample of servers, network devices and endpoints showing those sources are actually used, and records (monitoring output or periodic checks) showing that the clock offsets of those systems stay within the tolerance the organization has defined.