diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml index dfb94bc4768..3ebd9a45d30 100644 --- a/controls/bsi_app_4_4.yml +++ b/controls/bsi_app_4_4.yml @@ -55,29 +55,28 @@ controls: levels: - basic description: >- - Kubernetes and all other control plane applications MUST authenticate and authorise each + (1) Kubernetes and all other control plane applications MUST authenticate and authorise each action taken by a user or, in automated mode, corresponding software. This applies whether - the actions are taken via a client, a web interface, or a corresponding API. Administrative + the actions are taken via a client, a web interface, or a corresponding API. (2) Administrative actions MUST NOT be performed anonymously. - Each user MUST ONLY be granted the permissions they absolutely require. Unlimited access + (3) Each user MUST ONLY be granted the permissions they absolutely require. (4) Unlimited access rights MUST be granted in a very restrictive manner. - Only a small group of people SHOULD be authorised to define automation processes. Only + (5) Only a small group of people SHOULD be authorised to define automation processes. (6) Only selected administrators SHOULD be given the right to create or change shares for persistent volumes in Kubernetes. notes: >- Requirements are quite vague, status: partial rules: - # Sentence 1-2 + # Section 1 - api_server_anonymous_auth - # Sentence 3 - kubelet_anonymous_auth - # Sentence 3,5 + # Section 2 - kubeadmin_removed - # Sentence 4 + # Section 3-5 - rbac_least_privilege - rbac_limit_cluster_admin - # Sentence 6 is manual + # Section 6 is manual - id: APP.4.4.A4 title: Separation of Pods
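Review bot: the comment "# Section 3-5" over rbac_least_privilege and rbac_limit_cluster_admin claims coverage for section (5), "Only a small group of people SHOULD be authorised to define automation processes", but neither rule is about who may define automation; the old mapping kept that distinction ("# Sentence 3,5" vs "# Sentence 4"), and the new grouping loses it. Suggest labelling the RBAC rules "# Section 3-4" and adding an explicit "# Section 5 is manual" (or a short note in `notes`) so the partial status stays traceable per numbered requirement; the same applies to moving kubelet_anonymous_auth under "# Section 1" while kubeadmin_removed alone carries "# Section 2" (administrative actions MUST NOT be anonymous), which reads as though kubelet anonymous auth is unrelated to anonymous administrative access.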