I think your IA is referring to the testing of the controls, processes and procedures of your ISP. While the Risk Assessment provides insight into where and with what concentration risk lies, the testing facet subjectively challenges the controls for ensuring InfoSec.
Possible testing relating to administrative controls:
check disposal of sensitive paper, cust info stored properly, incident response escalation testing
Possible testing relating to technical controls:
penetration testing, internal/external threat analysis, password guessing, intruder detection lock-out, electronic sec certificate validation, etc.
Possible testing relating to physical controls:
checking locked doors, restricted area admission logging, anti-static precautions, off-site tape security transit/storage/rotation, etc.
-g