A.18.1.1 is good to go (just reference the policy and note that due to sensitivity and attorney-client privilege, the policy was retained)
To satisfy the control, is it enough for an organization to just state that they identify & manage the relevant legislative statutory, regulatory, contractual requirements in their information security policy document? I am trying to understand if other evidence like a separate defined list of laws or at least an email from their legal department is absolutely necessary to fulfill it. For context, what if the organization has stated that "due to sensitivity and attorney-client privilege" they would not share anything more than that first statement to reference? Thank you.