Expert Advice Community

Control performance evaluation

Guest user — Created: Oct 16, 2017 — Last commented: Oct 16, 2017

In the risk register of a company they have put 'sufficiency of controls' and concluded that there is no risk and closed all the risk issues. How to ensure that controls are sufficient, particularly when the audit time is limited? Also how to identify the most important control which will ensure 'sufficiency'?

Expert
Rhand Leal Oct 16, 2017

Answer: First of all, the expression "there is no risk" is kind of incorrect (there is no risk-free situation). A more appropriate expression would be "all current risks are acceptable."

That said, to state 'sufficiency of controls' a company should identify which controls are applied to each identified risk and how these controls are being measured and evaluated to ensure they are sufficient. Based on that information an auditor can look for evidence of compliance. As for the identification of the most important control to ensure sufficiency, besides the identified risk you should consider the security requirements and objectives established to build a checklist of what to look for. Seasoned auditors can rely on their experience to quickly identify them.

These articles will provide you further explanation about risk management and audits:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

These materials will also help you regarding risk management and audits:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
