We are working on completing the SoA and are a bit confused on how best to fill in the implementation method and status. In a number of cases, we have a current method in place to address a control but we don't consider that method to be fully adequate as a control. So we plan in the near future to develop a more extensive control.
For example, for A.9.4.3 Password Management System, we typically use LastPass to store and, when necessary, share passwords. We do not have a formal Access Control Policy, but we plan to develop one in the coming months.
So in a case like this, what should we include in the Implementation Method and Status columns? Should Status reflect that we recognize the current implementation needs to be improved?
In this particular case you should write that the implementation method is "Installation of LastPass and writing the Access Control Policy", and your current status would be "Partially implemented." Of course, after you write your Access Control Policy, you would change the status to "Implemented."