1. Regarding the Statement of Applicability: I've done some research and what I've seen is that I don't have to write policies / procedures for each risk. What I could also do is accept risks, avoid risks or share the risks with third parties (in this case insurers or suppliers). In that case I assume I'd have to say that it isn't applicable in the Statement of Applicability, but what do I write in the selection for the non-justification tab?
Answer: First, it is important to note that the SoA is about the applicability of controls. Policies and procedures are examples of methods used to implement controls that are considered applicable because of unacceptable risks, legal requirements or top management decisions. It is also true that you can simply use one phrase in the SoA to explain how a control will be implemented, and not develop a more complex document.
Considering that, if a control is considered not applicable, an example of a good justification is "there are no unacceptable risks or legal requirements which require the implementation of this control".
2. Measurement Report: evaluation frequency (which evaluation frequency is recommended?)
Answer: There is no "standard" evaluation frequency that can be defined, because there are many variables to be considered: level of risk involved, measurement complexity, time to process data, etc. This definition should be made on a case-by-case basis.
3. A.11.2.5: Do employees really need written permission?
Answer: The proper term here would be "recorded" permission, which could be either written or included in a computerized information system. The point here is that you must preserve evidence that an authorization was given, so that it can be traced for operational or audit purposes in case of need.
4. A.14: Does a webhosting company (which isn't developing software) have to comply with any of the controls in this chapter at all? I'm really stuck here.
Answer: If an organization does not have a software development process, the only other reason to consider some of the controls from section A.14 is when performing system acquisition (e.g. buying a third-party CRM), mainly those related to the definition of security requirements and system acceptance.