Critical systems must have synchronized clocks whose configuration is protected and comes from industry-accepted sources.
Systems must properly record exceptional and security events in protected logs. This allows administrators to find bugs and makes it easier for forensics teams to determine how a system was compromised. However, if clocks are not properly synchronized, it can be very difficult to compare log files from different systems in order to establish the event sequence that led to the security incident.
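The correlation problem described above, as an added Python illustration that is not part of the original requirement: it merges log entries from three hosts, first by raw local timestamp and then after removing each host's clock error. The host names, log lines, offsets and tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample entries (host, local timestamp, event); not real log data.
LOGS = [
    ("fw01", "2024-03-01T10:00:05", "inbound connection allowed to web01:443"),
    ("web01", "2024-03-01T10:00:02", "admin login succeeded"),
    ("web01", "2024-03-01T10:00:04", "config file modified"),
    ("db01", "2024-03-01T10:00:09", "bulk export of table customers"),
]

# Assumed values: each host's clock error in seconds (local clock minus
# reference time), as a time-sync client would report it. Negative = slow clock.
OFFSETS = {"fw01": 0.0, "web01": -5.0, "db01": 1.0}
TOLERANCE = 1.0  # assumed maximum acceptable clock error, in seconds


def timeline(logs, offsets=None):
    """Order events by timestamp; with offsets, convert to reference time first."""
    offsets = offsets or {}
    rows = []
    for host, stamp, event in logs:
        local = datetime.fromisoformat(stamp)
        corrected = local - timedelta(seconds=offsets.get(host, 0.0))
        rows.append((corrected, host, event))
    return sorted(rows)


def drifting_hosts(offsets, tolerance=TOLERANCE):
    """Hosts whose clock error exceeds the tolerance and need resynchronizing."""
    return sorted(h for h, off in offsets.items() if abs(off) > tolerance)


def misordered(logs, offsets):
    """Events whose position in the sequence changes once clock error is removed."""
    naive = [event for _, _, event in timeline(logs)]
    fixed = [event for _, _, event in timeline(logs, offsets)]
    return [event for i, event in enumerate(fixed) if naive[i] != event]


if __name__ == "__main__":
    print("Raw local timestamps:")
    for ts, host, event in timeline(LOGS):
        print(f"  {ts.time()} {host:6} {event}")
    print("Corrected to reference time:")
    for ts, host, event in timeline(LOGS, OFFSETS):
        print(f"  {ts.time()} {host:6} {event}")
    print("Hosts outside tolerance:", drifting_hosts(OFFSETS))
```

With the raw timestamps the admin login appears to precede the firewall's record of the connection; after correction the connection comes first and the database export falls between the login and the configuration change.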
CIS Controls. 6.1 Utilize Three Synchronized Time Sources: Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
ISO 27001:2013. Annex A - 12.4.4: Synchronize all information processing and security systems clocks using a single reference source.
PCI DSS v3.2.1 - Requirement 10.4.1: Critical systems have the correct and consistent time.
PCI DSS v3.2.1 - Requirement 10.4.2: Time data is protected.
PCI DSS v3.2.1 - Requirement 10.4.3: Time settings are received from industry-accepted time sources.