Control sets
You will need to make a decision on what set of controls is most appropriate to use within your organisation. From this set of controls, you will select those controls necessary to control risks, and meet internal and external requirements. Sets of controls include:
...
ISO/IEC 27001:2013 allows you to select controls from any source, but you must justify the exclusion of any controls from Annex A which you have chosen not to implement. , to ensure that no necessary controls are overlooked.
Most organisations will chose Annex A as their normal set of controls, with additional controls chosen for particular business requirements.
...