They say that time waits for no one, and that’s what this ISO27001 control is here to ensure. At first glance it can seem a simple control, and you might wonder why it is needed at all. However, its primary purpose is actually hidden amongst other ISO27001 controls.
What does the standard require?
The standard states that “The clocks of information processing systems used by the organisation shall be synchronised to approved time sources.” (A8.17 – Clock synchronization)
Why is this required?
In ISO27001 Annex A Controls (A8.15 - Logging) and (A8.16 - Monitoring Activities) you are required to log and monitor activities on your networks, systems and processing facilities. But how can you be sure that what you’re looking at is accurate? How do you know that someone exfiltrated data at 2am, rather than carrying out a legitimate activity at 2pm?
Unless your systems are synchronised to a trusted time source, the accuracy of the timestamps you’re presented with can never be guaranteed.
This control is also important for basic system monitoring and management, such as ensuring that backup processes and patch management activities are completed as and when expected.
Physical access may also be affected by poor clock synchronisation processes, as door locks and alarms will rely upon accurate timing to allow access to physical locations. Without this control in place, doors may be unlocked, and alarms disabled earlier (or later) than expected, which could lead to business disruption or breaches.
Away from physical access, access control of systems may also be affected, as time-locks may prevent users from accessing a system outside of pre-determined times. For example, as part of your ISO27001 Annex A control (A5.15 - Access Control) you may prevent access to your networks by external IT support teams from 10pm to 6am. This limits your exposure to the risks associated with suppliers, which you identified in ISO27001 Annex A control (A5.19 - Information security in supplier relationships).
Keep in mind that if a security incident occurs, one of the important aspects of any investigation will be to build an accurate timeline of events. With the global nature of networks and their users, this has become increasingly important.
Keep in mind that you may need to present evidence that an event took place at a specific time, thereby proving someone’s guilt or innocence. If they are operating in a different time zone from your primary systems, this can become increasingly difficult or complex.
This is why this small, seemingly simple control is extremely important.
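To show why the time zone and clock accuracy of every log source matter when you build an incident timeline, here is an added Python example (not from this guide) that normalises constructed log extracts from four devices to UTC, correcting one device by its measured clock skew. All device names, timestamp formats, skew values and log lines are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory of log sources (illustrative values, not from the article): the
# timestamp format each device writes, the zone its local time is in when the line carries
# none, and the clock skew measured against the approved time source (seconds; positive =
# device clock runs ahead of the approved source).
SOURCES = {
    "fw-edge":   {"fmt": "%Y-%m-%dT%H:%M:%S%z",  "tz": None,                          "skew": 0.0},
    "fs-nyc":    {"fmt": "%Y-%m-%d %H:%M:%S",    "tz": timezone(timedelta(hours=-5)), "skew": 0.0},
    "vpn-lon":   {"fmt": "%d/%b/%Y:%H:%M:%S %z", "tz": None,                          "skew": 0.0},
    "ws-legacy": {"fmt": "%Y-%m-%d %H:%M:%S",    "tz": timezone(timedelta(hours=-5)), "skew": 3600.0},
}

# Constructed log extract: (source, raw timestamp exactly as the device wrote it, message).
# 203.0.113.0/24 is a documentation address range, not a real destination.
LOG_LINES = [
    ("fw-edge",   "2024-03-10T02:05:00Z",       "outbound 40 MB to 203.0.113.7"),
    ("fs-nyc",    "2024-03-09 21:04:30",        "alice copied payroll.xlsx to removable media"),
    ("ws-legacy", "2024-03-09 22:04:00",        "alice mounted share finance on fs-nyc"),
    ("vpn-lon",   "10/Mar/2024:02:03:10 +0000", "alice vpn session established"),
]

def to_utc(source: str, stamp: str, apply_skew: bool = True) -> datetime:
    """Parse a device timestamp, attach its zone, optionally undo measured skew, return UTC."""
    cfg = SOURCES[source]
    t = datetime.strptime(stamp, cfg["fmt"])
    if t.tzinfo is None:  # the line carries no zone, so take it from the inventory
        t = t.replace(tzinfo=cfg["tz"])
    if apply_skew:
        t -= timedelta(seconds=cfg["skew"])
    return t.astimezone(timezone.utc)

def build_timeline(lines, apply_skew: bool = True) -> list:
    """Return [(utc_time, source, message)] ordered on corrected UTC time."""
    return sorted((to_utc(src, stamp, apply_skew), src, msg) for src, stamp, msg in lines)

def naive_sources() -> list:
    """Sources whose logs carry no zone: their timestamps are only as good as the inventory."""
    return sorted(s for s, c in SOURCES.items() if c["tz"] is not None)

if __name__ == "__main__":
    for when, src, msg in build_timeline(LOG_LINES):
        print(when.strftime("%Y-%m-%d %H:%M:%S UTC"), src.ljust(10), msg)
    print("zone comes from the inventory, not the log:", naive_sources())
```

Run with apply_skew=False and the legacy workstation's share mount lands an hour after the outbound transfer, which is exactly the 2am-versus-2pm confusion the control exists to prevent.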
What the auditor is looking for
For this ISO27001 control, the auditor will expect to see a variety of security measures that might include:
Systems are synchronised to a single source.
NTP or PTP is in use.
Configuration Management processes (A8.19 - Configuration Management).
Legal and contractual requirements have been identified.
Security Information and Event Management (SIEM) technology.
Intrusion detection and/or intrusion prevention systems (IDS/IPS).
Risk Register.
Audit results.
Incident logs (A5.28 - Collection of evidence).
What do you need to do?
Speak to your IT team to understand what is currently in place. If they are not sure, there are some actions you can take and a couple of reasonable assumptions you can make.
It’s important to recognise that most modern computing systems have an internal clock that rarely goes wrong unless it is externally influenced (e.g. someone deliberately alters it). By default, network devices synchronise to an atomic reference clock using the Network Time Protocol (NTP) or Precision Time Protocol (PTP), and this is something your IT function can confirm.
If you’re using various Cloud systems and different operating systems (such as Macs and PCs), then recognise that this is a risk and detail it within your risk register. Although they will all be using some form of NTP or PTP, the way they operate will differ and will be beyond your control.
Due to the complexity and diversity of networks and systems, ISO27001 will accept that you might use two separate time references, but it’s important to know what these are and to evidence that they are in place.
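One way to confirm for yourself that a system actually agrees with its approved time source, added here as an example and not taken from this guide: a minimal SNTP query in Python that computes the local clock offset from a server reply and refuses replies from a server that reports itself as unsynchronised or that does not echo our own request. The one-second tolerance, the server name and the constructed reply used in the offline demonstration are assumptions.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PKT = "!BBbbII4s8I"          # 48-byte header: flags, stratum, poll, precision, delay, dispersion, refid, 4 timestamps

def ntp_to_unix(secs: int, frac: int) -> float:
    return secs - NTP_UNIX_DELTA + frac / 2**32

def unix_to_ntp(t: float) -> tuple:
    return int(t) + NTP_UNIX_DELTA, min(int(round((t - int(t)) * 2**32)), 2**32 - 1)

def build_request(t1: float) -> bytes:
    # LI=0, VN=4, Mode=3 (client); our send time goes in Transmit and comes back as Origin
    return struct.pack("!B39x2I", (4 << 3) | 3, *unix_to_ntp(t1))

def parse_response(data: bytes, t1: float, t4: float) -> dict:
    """Local clock offset/delay vs the server (RFC 5905). t1/t4 are local send/receive times."""
    f = struct.unpack(PKT, data[:48])  # raises struct.error on a truncated reply
    li, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if li == 3 or stratum == 0 or stratum > 15:  # unsynchronised, kiss-o'-death, or invalid
        raise ValueError("server is not a usable time source (LI=%d stratum=%d)" % (li, stratum))
    if abs(ntp_to_unix(f[9], f[10]) - t1) > 1e-6:  # Origin must echo our own t1
        raise ValueError("origin timestamp mismatch: unsolicited or spoofed reply")
    t2, t3 = ntp_to_unix(f[11], f[12]), ntp_to_unix(f[13], f[14])  # Receive, Transmit
    return {"stratum": stratum, "offset": ((t2 - t1) + (t3 - t4)) / 2, "delay": (t4 - t1) - (t3 - t2)}

def make_reply(t1: float, t2: float, t3: float, stratum: int = 2, li: int = 0) -> bytes:
    """Constructed mode-4 reply, used only for offline demonstration and tests."""
    return struct.pack(PKT, (li << 6) | (4 << 3) | 4, stratum, 6, -20, 0, 0, b"GPS\0",
                       *unix_to_ntp(t2), *unix_to_ntp(t1), *unix_to_ntp(t2), *unix_to_ntp(t3))

def query(server: str, timeout: float = 2.0) -> dict:
    """Live check over UDP/123 against one server (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        data, _ = s.recvfrom(48)
        t4 = time.time()
    return parse_response(data, t1, t4)

if __name__ == "__main__":
    # Offline demonstration: a server whose clock is 2 s ahead of ours -> offset 2.0, delay 1.0
    r = parse_response(make_reply(1.7e9, 1.7e9 + 2.5, 1.7e9 + 2.5), 1.7e9, 1.7e9 + 1.0)
    print(r, "OK" if abs(r["offset"]) <= 1.0 else "CLOCK DRIFT: investigate before trusting logs")
```

Running query() against each of your approved sources from a few representative hosts, and keeping the printed offsets, gives you the kind of evidence an auditor can accept for this control.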
Remember that clock synchronisation is also important for physical access control systems, so consider what is relevant to you and your business. If you are using alarms, are these on a time-switch? How is this managed and by whom?
Difficulty rating
We rate this control 1 out of 5 for difficulty. Beyond ensuring NTP or PTP is in place, there’s not a lot you can do to influence the synchronisation of clocks, but it is your job to ensure it is considered and controlled effectively. The more complex and diverse your network and infrastructure is, the more important this control becomes. If you are concerned about how this is being managed, then speak to your Management Review Team to ensure the risks are understood and appropriate treatment is applied.
Q&A
Do I need a policy?
No, you don’t need a documented policy. However, you should ensure that you understand what the controls are, and identify any associated risks. Ensure that you include this within your approach to configuration management, which you detailed in ISO27001 Annex A control (A8.19 - Configuration Management).
More questions?
You’ve probably noticed by now that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see its relationship with other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.