I've a question about the SoA and A.16 controls. I can't justify the implementation of the A.16 controls by linking them to a specific risk. I think that the implementation of all A.16 controls is related to all risks, because we can use the lessons learned from incident treatment to reduce the impact or probability of any incident in the future (which could be related to any risk).
Would it be acceptable to justify the implementation of all A.16 controls using "All risks" instead of a specific risk?
Basically, you are right - incident management as described in section A.16 is applicable because of any risk that you have. You could have some exceptions to that rule - e.g. A.16.1.7 Collection of evidence might be applicable to only some types of incidents; however, in general, for each control you can say that the reason for its applicability is all the risks that you identified.