Expert Advice Community


Questions on security incident and clause 4

Guest
Guest user Created:   Jul 20, 2020 Last commented:   Jul 20, 2020


1. A question came up in our review of security incident management. We have the following stated in our policy; should we say “must report” or “should report”? Is this a legal issue? Obviously this policy is one we would share with our customers and third parties, right?

Each employee, supplier or other third party who is in contact with information and/or systems of Levi, Ray & Shoup, Inc. or their customers must report any system weakness, incident or event which could lead to a possible incident.

2. It looks like clause 4 is missing from the packet of templates you sent; there are no 04 documents, which is strange. Our external auditors are referencing clause 4 in a finding, but I really don’t see anything in the ISO document itself on this.

https://i.imgur.com/00iUhU9.png



Expert
Rhand Leal Jul 20, 2020

1. A question came up in our review of security incident management. We have the following stated in our policy; should we say “must report” or “should report”? Is this a legal issue? Obviously this policy is one we would share with our customers and third parties, right?

Each employee, supplier or other third party who is in contact with information and/or systems of Levi, Ray & Shoup, Inc. or their customers must report any system weakness, incident or event which could lead to a possible incident.

In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”.

Considering that, the proper wording is “must report” because by using "should report" the person is not obliged to do so.

Sharing this policy is a legal issue only if you have a law, regulation, or contract, demanding this policy to be shared. If there is no such requirement, you have two options: share the whole policy or only the specifics related to customers and third parties.

2. It looks like clause 4 is missing from the packet of templates you sent; there are no 04 documents, which is strange. Our external auditors are referencing clause 4 in a finding, but I really don’t see anything in the ISO document itself on this.

Please note that for clause 4 of ISO 27001 the single required document is the ISMS scope, which is located in folder 03 ISMS Scope Document. ISO 27001 does not require documenting the context of the organization, so in our understanding, considering the provided information, this issue is at most an opportunity for improvement, not a non-conformity.

Documenting the context of the organization is especially not recommended for smaller organizations - you only need to take the context of the organization into account when defining the scope and doing the risk assessment, so that's why we do not include a document about the organizational context in the toolkit.

You should contact your auditor to better understand his/her point of view about the added value of explicitly defining the organizational context, so you can evaluate whether this is worthwhile for your organization.
