...

Most organisations will choose Annex A as their baseline set of controls, with additional controls selected for particular business requirements.

Presentation

ISO/IEC 27001:2013 Annex A can be overwhelming, both to ourselves as information security practitioners and to our colleagues. It can appear to be a very technical and bureaucratic list of things that must be done, with no relationship to the organisation's objectives, activities, and risks. You should think about how you present controls within your organisation.

A framework for linking controls to risk

Effectiveness

Your selection of controls must be practical for your organisation and staff to implement and understand; otherwise they will not be effective. You should also think about how you will monitor and measure the controls, as set out in section 9 of the standard.

...