I have a requirement suppose there is a new regulation coming for an organization and need to create new control objective and also new controls in an organization. Where is the that step in the control lifecycle where control owner needs to set up/create new control for that particular control objective. Because in attestation they are only asking if the control is implemented and giving default 14 days. Implementing a new control will take longer time first time, right?
