There is a potential need to deconstruct “something” within your organization to comply with some standards. It could be a manual – or automatic procedure, soft- or hardware, privacy-sensitive data, the actual organization itself… The list goes on.
The “if it isn’t broken, don’t fix it” adage doesn’t always apply. Before extending certain certifications, the issuer wants the requester to deliberately break stuff or even fake malicious attacks.
If it isn’t broken yet, at least think about what it would require to break it, how it can be avoided, and how it can be resolved.