Do You Need IS027001 Compliance? Then Check Your Clocks!

1. What is ISO27001 and why is it important?

Organisations working with data need processes and systems for storing, processing and transmitting important data. ISO27001 is the international standard for Information Security Management System (ISMS) processes. It is used by organisations across all sectors to prove to partners, customers and public authorities that their ISMS meets the required standard. 

2. What are the latest ISO27001 guidelines about time? 

The latest guidelines (ISO27002:2022) put more emphasis on how organisations set up their systems to synchronise clocks across networks and devices. The focus is on ensuring that clocks are synchronised to approved time sources, that all networked systems are synchronised with a reference clock and that timestamps are accurate. 

3. Why is accurate and redundant time so important? 

There are many reasons! The latest ISO27001 guidelines specifically mention the importance of correlating and analysing security-related events. Without all devices being synchronised to a reliable source of time, you can’t trust the timestamps from different devices. If you can’t trust the timestamps, you can’t prove the order in which specific events happened. For example: if security cameras, entry/exit logs and other building management systems don’t have timestamps that can be traced back to the same approved time source, you can’t accurately recreate the timeline of a physical robbery. The same is true for any cybersecurity incident. All investigations into information security incidents rely on accurately synchronised and distributed time. 

On a more fundamental level, if the time you use is not secure and reliable, your whole cybersecurity setup is at risk. All digital certificates rely on time. Without time security, your certificates can show up as invalid or even be manipulated by hackers. 

4. How can you ensure your time setup is ISO27001 compliant? 

The latest guidelines call for a number of steps: 

• Use an approved time source, which might include a clock linked to a signal from a national atomic clock distributed over fibre, and/or Global Positioning System (GPS) 
• Use protocols like the Network Time Protocol (NTP) or the Precision Time Protocol (PTP) to keep your networked systems synchronised with a reference clock 
• Monitor your clocks (especially when using multiple cloud services or cloud and on-premises services) and check for discrepancies 
• Use two external time sources (for example GPS and fibre-based time services such as NTP/NTS/PTP) to improve reliability and manage any variance 
• Fully document the setup described above

5. How does Netnod help ensure time that is ISO27001 compliant?

Commissioned by the Swedish Post and Telecom Authority (PTS), Netnod is trusted to distribute Swedish national time, which is known as UTC(SP). This means that all our time services are based on, and traceable to, a national atomic clock. We provide this as a free service over NTP (and the even more secure Network Time Security protocol). For organisations that need guaranteed time accuracy with an SLA, we have a number of services that use PTP to deliver time over dedicated fibre or wavelengths. 

Our time services are also designed to complement another time source, which means you can be sure of redundant time and you can use our time service to monitor the accuracy of other time sources, like GNSS.

Finally, as our time services are monitored by the Swedish Post and Telecom Authority (PTS), we can guarantee the accuracy of the time you get from us which can be easily traced back to Swedish national time. This makes it easier to document that your time setup is ISO27001 compliant.

For more information on how to ensure your time sources are accurate, secure and ISO27001 compliant, contact our experts here.

This article was originally published over on the Netnod blog.