Answer: Basically, you have to put the reason why the control is applicable or not to your organization.
To justify the application of a control you can state it is applicable because:
- of the results of risk assessment (e.g., applicable because of risk number xxxx);
- it should comply with a legal requirement (e.g., applicable to ensure compliance with law, industry regulation or contract);
- of a top management decision.

In general, the justification to not apply a control is related to the fact that there is no unacceptable risk related to that control, or that top management has accepted the risk as it is.