Hey Jason, 

My thoughts on this: As we are in the Draft and Review state, we are creating the policy and by relating the control objectives, we are specifying, which specific controls derive from the respective policy. 

The goal is to get the Policy, with all related control objectives acknowledged by the according audience. 

By restricting the addition of Control Objectives to the Policy after publishing it, we make sure that the audience acknowledges a pre-defined package of Controls to ideally comply with, if not possible a policy exception can be raised. 

If we were to add control objectives after the policy being published, we would have to send an additional acknowledgement for that specific addition, which is not very effective.

There could be other valid reasons, but this is one of the main ones that comes to my mind. 

Hi  @Jason yeon , in my mind the key reason has always been from the policy owner point of view: I own the policy from A to Z. Once a policy is published, even an admin cannot change one comma OOTB. If people could add or remove COs to a policy, a policy owner would miss control over what the policy contains and how it is attested. 

Another point is that once published a policy is oftentimes transferred to a KB article with a revision number - including the list of COs (if using the KB template). That KB article content would suddenly differ from the Policy, which is not good wrt document control.

Hello: I have an analyst who wants to be able to assign control objectives to a published policy.  Is there any way to accomplish this?