Annex A 7.1 of ISO/IEC 27001 : 2022 is a control that requires an organization to define and implement security perimeters and use them to protect areas that contain information and other associated assets.
Information and information security assets can include data, infrastructure, software, hardware, and personnel. The main purpose of this control is to prevent unauthorized physical access, damage, and interference to these assets, which could compromise the confidentiality, integrity, and availability of the information. Physical security perimeters can include fences, walls, gates, locks, alarms, cameras, and other barriers or devices that restrict or monitor access to the facility or area. The organization should also consider the environmental and fire protection of the assets, as well as the disposal of any waste or media that could contain sensitive information.
References:
* ISO/IEC 27001 : 2022 Lead Implementer Study Guide, Section 5.3.1.7, page 101
* ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 17
* ISO/IEC 27002 : 2022, Control 7.1 - Physical Security Perimeters123

According to ISO/IEC 27001:2022, clause 6.1.3, the Statement of Applicability (SoA) is a document that identifies the controls that are applicable to the organization's ISMS and explains why they are selected or not.
The SoA is based on the results of the risk assessment and risk treatment, which are the previous steps in the risk management process. Therefore, the justification for the exclusion of a control should be based on the risk assessment results and the risk treatment plan, and should reflect the purpose and objective of the control.
Control 5.18 of ISO/IEC 27001:2022 is about access rights to information and other associated assets, which should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. The purpose of this control is to prevent unauthorized access to, modification of, and destruction of information assets. Therefore, the justification for the exclusion of this control should explain why the organization does not need to implement this control to protect its information assets from unauthorized access.
The justification given by the organization in the question is not acceptable, because it does not reflect the purpose of control 5.18. An access control reader at the main entrance of the building is a physical security measure, which is related to control 5.15 of ISO/IEC 27001:2022, not control 5.18. Control 5.18 is about logical access rights to information systems and services, which are not addressed by the access control reader.
Therefore, the organization should either provide a valid justification for the exclusion of control 5.18, or include it in the SoA and implement it according to the risk assessment and risk treatment results.
References: ISO/IEC 27001:2022, clause 6.1.3, control 5.18; PECB ISO/IEC 27001 Lead Implementer Course, Module 5, slide 18, Module 6, slide 10.

Confidentiality of information is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. In other words, confidentiality ensures that only those who are authorized to access the information can do so. In the scenario, the confidentiality of information was compromised when the software company modified some files that contained sensitive information related to HealthGenic's patients. This modification resulted in the invasion of patients' privacy, which means that their personal and medical information was exposed to unauthorized parties. Therefore, the correct answer is B.
References: : ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements, clause 3.14.