Hi, I am struggling to understand the concept and information you would document to satisfy the A12.1.1. Documented operating procedures control. Everything that we have identified in the risk assessment and included in the SoA is going to be documented witin the releveant procedural docs that we create. I really don't understand what is the relevance of aforementioned control
The purpose of control A.12.1.1 is to make it clear that all structured activities for any control from section A.12 need to be documented.
To use example of control A.12.1.2 (Change management) - if you have any kind of established process for managing changes for your operational systems, then you must document them (e.g. in the form of a procedure) because of control A.12.1.1; if you have only some unstructured activities for A.12.1.2, then you do not need to document them.
So i this case is it ok to just say yes in the SOA, because i will havesome documented procedures, and for justification I will namethe procedures in the SoA? no need to wite a more specific doc regarding 12.1.1?
As always thank you, you guys are the best and templates very helpful