1. In some cases the controls are very similar and I could see that they are applicable to the same risk, e.g. controls A.15.1.1 and A.15.1.2. Let us say that we only choose to apply one of them in order not to make it look as if we have a lot of risks (and besides that, the control is not applicable to any other risk); would there be a way we could justify this in the Statement of Applicability?
Answer: First, it is important to note that the number of applied controls does not have a direct correlation with the number of treated risks. You can have scenarios with many risks treated by few controls, as well as scenarios with few risks treated by a large number of controls. This all depends on the organization's context, the legal requirements to be fulfilled, and the business objectives.
Considering that, to justify that a control is not applicable you should first verify that there are no unacceptable risks that justify the implementation of the control, and that there are no legal requirements demanding the implementation of the control. If both situations occur, you can state that the control is not applicable in the SoA.
2. Controls of A.16 and A.17: These controls can be applicable to each risk more or less, since you should document each disaster, and aside from that it is important that your business still runs after a disaster. Is it okay to write at each control of A.16 that there is a legal requirement (GDPR) that requires us to do so? As for the controls of A.17, is it okay to write that this is a management decision? (In this case we would basically not link them to any specific risk.)
Answer: Both justifications you presented for applying the controls you mentioned are valid (demanded by a legal requirement or by a top management decision).