I have a query regarding preparing the SOA on control objectives and controls. We have 114 controls in the Annexure A coming under different sections. Is it mandatory for us to implement controls for each of the items in the different sections? Or can we categorize them as the mandatory ones and non-mandatory ones required to get certified? Also, how can I document/convince the auditor on why a control is not required for us?
It is not mandatory to implement all 114 controls of Annex A of ISO 27001:2013; you only need to implement those that you need to reduce the risks identified during the risk assessment (or those that are related to law, contractual requirements, etc.). In the SOA you need to include the list of controls that apply to your business (in the same order in which you can see them in the standard).
Regarding the justification for the auditor, you simply need to show the auditor that you apply and implement only those controls that you need to reduce risks (or those that are related to law, contractual requirements, etc.).