Expert Advice Community

Justification in SoA

Guest user Created: Jan 13, 2016 Last commented: Jan 13, 2016


ISO 27001 STATEMENT OF APPLICABILITY

List all controls and determine which are applicable and why.

AntonioS Jan 13, 2016

What should the justification in the SoA be like? Is it to rephrase the "Controls" in the standard's Annex A? And what else should be included in the SoA?

Answer:

The justification depends on the source of each control. During the risk treatment you need to identify controls that are necessary to decrease risks, but you also identify controls that are required for other reasons: law, contractual requirements, or other processes. So, the justification could be: “Implemented because of contractual requirements”, or “Implemented to decrease risks related to…”, or also “This control is not implemented because the organization does not have teleworking” if the control is not implemented.
Generally the original definition of each control in Annex A is enough (all controls were developed by experts from all over the world), so from my point of view you can keep the original control and, if you want, include some more actions or controls (you can also use controls from other sources, for example PCI-DSS).
The most important thing is the applicability and the justification of each control, but as a best practice you can also include a field for the implementation method (how you have implemented each control).
For more information about the SoA, you can read this article, “The importance of Statement of Applicability”: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
You can also see a free version of our template for the SoA by clicking on the “Free Demo” tab here: https://advisera.com/27001academy/documentation/statement-of-applicability/
