The Australian Signals Directorate's (ASD) assessment of whether a control is a 'must' or a 'should' is based on ASD's experience in providing cyber and information security advice and assistance to the Australian Government and reflects what ASD assesses the risk level to be.
Non-compliance with 'must' and 'must not' controls is likely to represent a high security risk to information and systems.
Non-compliance with 'should' and 'should not' controls is likely to represent a medium-to-low security risk to information and systems.
The Accreditation Authority is able to consider the justification for non-compliance and accept any associated residual security risk. For controls where the authority is marked 'ASD', non-compliance must be approved by the Director ASD.
It is best to be compliant; however, identifying non-compliance allows you to identify, understand, mitigate and accept the associated risk.