(Sorry for the English, Russian is still not supported by Swype for Spica and I was fool enough to try an official version :)
Sometimes I think those ISO guys have some sense of humour.
In some organizations work habits or the main business have led to a specific "culture" within the organization, one which may be incompatible with the security controls.
Yeah, so true. In fact, I saw a few such companies. Or wait, I rather saw a few dozen of them.
Vulnerability type: Organization
Vulnerability example (this means an exploitable weakness): Lack of proper allocation of information security responsibilities
Threat example (this means an evil that might exploit the vulnerability): Denial of actions.
BINGO!! Won't do shit unless it's in my job description :)
I don't like reading standards, but these points add some fun to it.