In the Statement of Applicability, I can see preselected controls based on the risks.
I’m adding additional controls as well. There is a ‘justification’ box here. Is it mandatory to type why I’m adding these extra controls?
ISO 27001 requires a justification for all applicable controls (clause 6.1.3 “d”), so if you are adding controls in the Statement of Applicability you need to fill in the ‘justification’ field to be compliant with the standard.
This article will provide you with a further explanation of the Statement of Applicability: