1. A question came up in our review of Security incident management. We have the following stated in our policy; should we say “must report” or “should report”? Is this a legal issue? Obviously this policy we would share with our customers and third parties, right?
Each employee, supplier or other third party who is in contact with information and/or systems of Levi, Ray & Shoup, Inc. or their customers must report any system weakness, incident or event which could lead to a possible incident.
2. It looks like clause 4 is missing from the packet of templates you sent. There are no 04 documents; this is strange. Our external auditors are referencing clause 4 in a finding, but I really don’t see anything in the ISO document itself on this.