diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml index bf3d3da777e8..7e9935e5253a 100644 --- a/controls/bsi_app_4_4.yml +++ b/controls/bsi_app_4_4.yml @@ -150,8 +150,19 @@ controls: manner. Read and write access rights to the configuration files of the control plane SHOULD be assigned and restricted with particular care. notes: >- - TBD - status: pending + This control needs to be adressed on an organizational level and in external systems. + + OpenShift is fully configured using Kubernetes resources including CustomResources (CR). All + resources that are created after the initial cluster installation can be considered configuration + files as described in this control. The relevant Kubernetes resources for configuring the control + plane are protected by Kubernetes RBAC and can only be modified by cluster administrators. + + To achieve versioning, the configuration files should be stored in a Git repository. + The Git repository is considered the only source of truth and provides a visible and auditable + trail of changes. To automatically apply the configuration, GitOps processes and tools like + OpenShift GitOps can be used. Access rights to the Git repository and GitOps controller should + be granted in a restrictive manner. + status: manual rules: [] - id: APP.4.4.A9
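Review bot: Typo in the first added line of the notes block, "adressed" should be "addressed". On substance, the new notes scope the control to "resources that are created after the initial cluster installation" and explain how those are protected by Kubernetes RBAC and versioned in Git, but the control text above it speaks of "the configuration files of the control plane" generally; the configuration written to the control plane nodes during installation is not covered by the RBAC argument, so a sentence stating how read and write access to that on-node configuration is restricted (or that it is explicitly out of scope and handled by the platform) would make the `manual` status easier to justify. Consider also spelling out in the notes what the organization must do to satisfy the control, since `status: manual` with `rules: []` leaves the reader with no automated check to fall back on.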