Regarding Software Assets, we have identified a risk that if the passwords/keys for the software are misplaced we no longer be able to use that asset.
The control we have implemented is to store all such passwords/keys in a password safe.
My question is which document should this control be recorded in?
The “Password Policy” document seems to be focused solely on user passwords, not software/keys.
I’m assuming you want to know where to record the information about where passwords/keys are stored.
Considering that, please note that the Password policy has an item which defines that “files containing passwords must be stored separately from the application's system data”.
Since the Password policy does not have a section for record management, I suggest you use Access Control Policy for this purpose.
This Access control policy Integrates the use of the Password Policy in section 3.8, and from this section you can include in its section 4 - Managing records kept on the basis of this document, a record describing how you implement this storage.