Information security determines both what needs to be protected and how protection should be applied. The first part is understanding information assets, their value, their sensitivity, their owners, their business purpose, and the consequences if they are disclosed, altered, lost, or unavailable. This answers what must be protected and why. The second part is understanding threats, vulnerabilities, risk levels, legal obligations, contractual duties, and control options. This answers what the information must be protected from and how security controls should be designed. ISO/IEC 27002 supports both dimensions. Asset inventory and classification clarify protection needs. Access control, cryptography, backup, logging, network security, secure development, incident management, and physical security define protection methods. Option A is correct but incomplete. Option B is also correct but incomplete. Option C is therefore the verified answer because information security is a complete discipline covering asset understanding, risk understanding, control selection, implementation, monitoring, and improvement. The ISO/IEC 27002 control set is structured to support that full protection lifecycle. References/Chapters: ISO/IEC 27002:2022, Control 5.9 Inventory of information and other associated assets; Control 5.12 Classification of information; Controls 5–8.

Control 7.9, Security of assets off-premises, belongs to the physical control group. ISO/IEC 27002:2022 organizes controls into four themes: organizational controls, people controls, physical controls, and technological controls. Controls in Clause 7 are physical controls, and Control 7.9 specifically addresses protection of organizational assets when they are outside the organization’s premises. This includes laptops, mobile devices, storage media, documents, portable equipment, and other assets used during travel, remote work, home working, customer visits, supplier sites, or field operations. Off-premises use increases physical risk because assets may be exposed to theft, loss, damage, unauthorized viewing, insecure storage, or uncontrolled environments. Although technological measures such as encryption and remote wipe may support this control, the control itself is placed in the physical theme because its focus is the secure handling and protection of assets outside controlled facilities. Option A is incorrect because organizational controls are in Clause 5. Option C is incorrect because technological controls are in Clause 8. References/Chapters: ISO/IEC 27002:2022, Clause 7 Physical controls; Control 7.9 Security of assets off-premises; Clause 4 Structure of the standard.

==========

Control 5.7, Threat intelligence, belongs to the organizational control group. ISO/IEC 27002:2022 organizes controls by clauses: Clause 5 contains organizational controls, Clause 6 contains people controls, Clause 7 contains physical controls, and Clause 8 contains technological controls. Threat intelligence is classified as organizational because it supports governance, decision-making, risk awareness, planning, prioritization, and security strategy across the organization. It involves collecting, analyzing, and using information about existing or emerging threats so the organization can reduce risk and improve controls. Threat intelligence can influence vulnerability management, incident response, monitoring, supplier risk management, awareness training, security architecture, and risk treatment plans. Although threat intelligence may use technological tools, its ISO/IEC 27002 placement is organizational because its primary purpose is to guide security decisions and readiness. Option A is incorrect because technological controls are Clause 8. Option B is incorrect because people controls are Clause 6. The verified answer is option C. References/Chapters: ISO/IEC 27002:2022, Clause 5 Organizational controls; Control 5.7 Threat intelligence; Clause 4 Structure of the standard.

==========

The purpose of Control 8.20, Network security, is to protect information in networks and supporting information processing facilities from compromise through the network. This includes protecting data in transit, network devices, network services, communication paths, routing, management interfaces, and connected systems. Network compromise can lead to unauthorized access, interception, malware propagation, denial of service, lateral movement, data exfiltration, or manipulation of traffic. Option B relates more closely to Control 8.21, Security of network services, which addresses security mechanisms, service levels, and management requirements for network services. Option C relates to Control 8.22, Segregation of networks, which specifically concerns splitting networks into security boundaries or domains. Control 8.20 is broader: it establishes the general objective of securing networks against compromise. ISO/IEC 27002 expects organizations to manage and control networks according to risk, including architecture, monitoring, authentication, encryption where needed, device hardening, and protection of network management functions. The correct answer is therefore option A. References/Chapters: ISO/IEC 27002:2022, Control 8.20 Network security; Control 8.21 Security of network services; Control 8.22 Segregation of networks.

==========

Clock synchronization can be difficult when using multiple cloud services. ISO/IEC 27002 Control 8.17 emphasizes that clocks of information processing systems should be synchronized to approved time sources. Accurate time is essential for logging, monitoring, incident investigation, transaction integrity, forensic analysis, authentication, certificate validation, and event correlation. In a simple on-premises environment, an organization may centrally manage time sources using internal NTP servers or domain services. In multi-cloud environments, systems may span different providers, regions, platforms, managed services, containers, serverless functions, and third-party logging systems. Each environment may have different time settings, time source controls, administrative access limits, time zone handling, timestamp formats, and logging precision. This makes consistent synchronization and correlation more challenging. Option A is not the best answer because “only on-premises services” are typically easier to synchronize under a single administrative model. Option C is too broad because the question asks when synchronization can be difficult, and the ISO/IEC 27002 exam logic points to multiple cloud services. References/Chapters: ISO/IEC 27002:2022, Control 8.17 Clock synchronization; Control 8.15 Logging; Control 5.23 Information security for use of cloud services.

==========