Control mapping

Answer: Generally, people do not do something (e.g., map controls in risk treatment plan) either because they do not know that this should be done, or because they do not know how to do it. These would be your most probable causes, which can lead to the following root causes: in-existent or unclear risk assessment methodology, or a lack or inadequate training program.

These articles will provide you further explanation about documents elaboration and people training:
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

These materials will also help you regarding documents elaboration and people training:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- Seven key problems to avoid in ISO 27001 implementation [free webinar] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/