Hi everyone, My company recently completed our first certification audit. We were advised to do the STEEPLE Analysis in determining clause 4.1. Here's just a glance at what we did... Our approach was to have process maps to address 4.4 and 6.1 by highlighting the risks associated with each process and document the data in a Risk Register for monitoring but the STEEPLE is done based on the overall company. My question is how do I now link the two in showing that we are addressing both overall and process risk? Considering that the standard hinges on 0.3.3 Risk Based thinking.