Justification in the SoA

1. Some of the Annex A clauses are worded as if they are mandatory; for example, 5.1.1: "A set of policies for information security shall be defined [...]". Is it acceptable to justify selection on the basis that this is a mandatory element of 27001?

 Please note that a control from ISO 2701 Annex A is mandatory only if:
- There are unacceptable risks that require the implementation of the control
- There are legal requirements that require the implementation of the control
- There is a top management decision that requires the implementation of the control

These are acceptable justifications to apply a control.

If none of the above mentioned occurs, you do not need to implement the control. What happens is that once a control is deemed as applicable, then all "shall" related items are mandatory to be implemented.
 
 This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

2. We have multiple risks associated with the same vulnerability (as expected); for example, the vulnerability “inadequate protection from unauthorized access” occurs many times. Is it acceptable to justify on the basis of 'All risks associated with “inadequate protection from unauthorized access”' rather than itemize each risk?"

This approach is not acceptable because it does not allow an easy identification of which risks are related to the applied control. In this case, you can only mention in the SoA the ID of the risks listed in the risk treatment plan. For example, "Control X is applicable because of unacceptable risks 23, 35 and 47 listed in the risk treatment plan".

This article will provide you further explanation about SoA:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/