I'm checking our contracts for security requirements, and find something like
"implement logical access controls to prevent unauthorized access"
"keep operating systems on all electronic devices updated"
"run malware detection software on your systems"
Are these examples too vague to be added to the the register of requirements?