From e67867ea076a788a6bb41cba0cae93a39725e3fa Mon Sep 17 00:00:00 2001 From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Tue, 16 Jul 2024 11:35:23 +0200 Subject: [PATCH] Defined notes and rules for BSI SYS.1.6.A1 --- controls/bsi_sys_1_6.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index 01a3bd86557d..e4c47bd07745 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml 
@@ -26,22 +26,25 @@ controls: levels: - basic description: >- - Before containers are deployed, the goal of such a deployment (e.g. scaling, availability, + (1) Before containers are deployed, the goal of such a deployment (e.g. scaling, availability, disposable containers for safety or CI/CD) SHOULD be determined so that all the security- - related aspects of installation, operation, and decommissioning can be planned. The planning - SHOULD also take into account the operational overhead resulting from container - deployment or mixed operation. The planning MUST be adequately documented + related aspects of installation, operation, and decommissioning can be planned. + (2) The planning SHOULD also take into account the operational overhead resulting from container + deployment or mixed operation. + (3) The planning MUST be adequately documented notes: >- - This requirement can not be checked + This requirement must be implemented organizationally. + OpenShift supports all of the goals mentioned. Comprehensive handouts are available to carry + out and document the planning of container use, security and compliance, architecture and + installation on OpenShift (see https://www.redhat.com/en/resources/openshift-security-guide-ebook) status: manual - #rules: - id: SYS.1.6.A2 title: Container Management Planning levels: - basic description: >- - The management of containers MUST ONLY be carried out in line with appropriate planning. + (1) The management of containers MUST ONLY be carried out in line with appropriate planning. This planning MUST cover the entire lifecycle from commissioning to decommissioning, including operation and updates. When planning container management, it MUST be taken into account that the creator of a container is to be considered like an administrator due to the
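Review bot: In the SYS.1.6.A2 description at the end of the hunk, only the first sentence gains a "(1)" prefix, while the following sentences ("This planning MUST cover the entire lifecycle ..." and "When planning container management, ...") stay unnumbered, and the subject line scopes this commit to SYS.1.6.A1. Either drop the A2 change from this patch or number every sentence of A2 the same way as A1, so the control is not left half converted. Two smaller points in the A1 part: sentence (3), "The planning MUST be adequately documented", has no closing full stop although (1) and (2) do, and the notes text ends on the parenthesised URL without one. The subject also mentions rules, but the hunk only removes the commented "#rules:" line and keeps "status: manual"; wording the subject to say that no rules apply would match the change.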