Quick question about the "Justification for selection/non-selection" column:
I watched the video, and the examples say that there must always be a risk or regulatory reason. Couldn't it also be a requirement of the business or of ISO itself?
For example, could A.5.1.1 be a business requirement to improve market position?
A third common justification can be "Management decision", when management decides they consider a control to be applicable, and this decision can be based on anything they consider important, including business requirements.
If your reason is improving a market position, it would be better to write 'Management decision' instead because marketing is not directly related to security.