ISO 27001 Surveillance Audits

What happens after ISO 27001 certification, including annual surveillance audits, the three-year certification cycle, recertification requirements, and how to stay audit-ready.

Earning your ISO 27001 certificate is a significant achievement, but it marks the beginning of an ongoing commitment rather than the end of a project. The certification cycle spans three years, during which your certification body conducts surveillance audits to verify that your ISMS continues to meet the standard's requirements. Understanding what these audits involve and how to prepare for them is essential to maintaining your certification.

The Three-Year Certification Cycle

ISO 27001 certification follows a predictable three-year rhythm:

  • Year 0: Initial certification audit (Stage 1 and Stage 2). See the certification process guide for details.
  • Year 1: First surveillance audit.
  • Year 2: Second surveillance audit.
  • Year 3: Recertification audit (full reassessment).

After recertification, the cycle repeats. The certificate issued at initial certification and at recertification is valid for three years, contingent on successful surveillance audits in the intervening years.

If a surveillance audit reveals significant issues that are not resolved, the certification body can suspend or withdraw your certificate.

What Is a Surveillance Audit?

A surveillance audit is a smaller-scale audit conducted by your certification body to confirm that your ISMS is still operating effectively and in conformity with ISO 27001. Unlike the initial certification audit, surveillance audits do not assess every control and every clause. Instead, they sample specific areas while always covering certain mandatory elements.

Mandatory Elements

Every surveillance audit must assess:

  • Internal audit results. The certification body reviews whether you have conducted internal audits as planned and whether findings have been addressed.
  • Management review results. Evidence that top management has reviewed the ISMS and taken action on its outputs.
  • Corrective actions. Status of any nonconformities raised in previous audits (both internal and external).
  • Handling of complaints. How complaints related to information security have been managed.
  • ISMS effectiveness. Whether the ISMS is achieving its intended outcomes and objectives.
  • Progress on planned improvements. Actions identified in previous reviews or audits that were planned for implementation.
  • Use of marks and references to certification. That the organization is using its certification status accurately and in accordance with the CB's rules.

Sampled Elements

In addition to the mandatory elements, the auditor selects a sample of Annex A controls and ISMS processes to verify. The sampling is designed so that, across the two surveillance audits in a cycle, all significant areas of the ISMS are assessed at least once.

The auditor may choose areas based on:

  • Results of the previous audit
  • Known changes to the organization or its environment
  • Areas that were not covered in recent audits
  • Specific risk areas or controls that are inherently complex

How Surveillance Audits Differ from Certification Audits

Aspect              Certification Audit        Surveillance Audit
Scope               Full ISMS                  Sampled subset plus mandatory elements
Duration            3-10 audit days            1-3 audit days typically
Frequency           Every 3 years              Annually (years 1 and 2)
Output              Certification decision     Continued certification or findings
Stage 1 required    Yes                        No

Surveillance audits are shorter and less comprehensive, but they are not less serious. A major nonconformity found during surveillance carries the same weight as one found during initial certification and must be resolved within an agreed timeframe, usually 90 days, or the certificate may be suspended.

Preparing for Surveillance Audits

The best preparation strategy is to maintain your ISMS as a living system rather than treating it as a certification artifact that gets dusted off before each audit. Here is what that looks like in practice.

Keep the Risk Register Current

Your risk register should reflect current risks, not the risks that existed when you were first certified. Review and update it at planned intervals and whenever significant changes occur. Auditors will check that recent organizational or environmental changes have been reflected in your risk assessments.

Conduct Internal Audits on Schedule

Plan your internal audit program to cover the full ISMS over the course of the three-year cycle. Ensure audits are actually conducted according to the plan, findings are documented, and corrective actions are tracked to closure. A common surveillance audit finding is that internal audits were not performed as planned.

Hold Management Reviews

Management reviews must happen at the frequency defined in your ISMS. Document the agenda, attendees, inputs reviewed, decisions made, and actions assigned. Auditors will ask to see management review records and will verify that actions from previous reviews have been completed.

Update the Statement of Applicability

If your control landscape has changed since the last audit (new controls implemented, controls modified, or controls that are no longer relevant), your Statement of Applicability should reflect those changes. A stale SoA that does not match your actual control environment is a red flag.

Track and Close Nonconformities

Any nonconformities from previous audits (internal or external) must have documented corrective actions. Auditors will verify that corrective actions were implemented, that root causes were addressed, and that the corrective actions were effective. Simply implementing a fix without confirming its effectiveness is a common gap.

Maintain Evidence

Controls need ongoing evidence of operation. Access reviews should have records, training should have attendance logs, incidents should have response records, and backups should have test results. If the evidence trail goes cold between audits, it suggests the controls are not consistently operating.

Document Changes

Changes to the organization's structure, technology, processes, or external environment should be documented along with any impact assessment on the ISMS. Significant changes that were not reflected in updated risk assessments or control implementations are a frequent source of audit findings.

The Recertification Audit

In year three of the certification cycle, a full recertification audit replaces the surveillance audit. Recertification is essentially a repeat of the initial certification audit, though auditors will have the benefit of two years of surveillance audit history.

The recertification audit:

  • Covers the entire ISMS scope
  • Reassesses all clauses (4-10) and a comprehensive sample of Annex A controls
  • Evaluates the overall effectiveness and maturity of the ISMS over the previous cycle
  • Results in a new three-year certificate if successful

Recertification audits are longer than surveillance audits but typically shorter than the initial certification because the auditor already has a baseline understanding of the organization. Plan for roughly two-thirds of the initial audit duration.

It is critical to schedule recertification before your current certificate expires, and early enough that any nonconformities raised can be closed before the expiry date. If the certificate lapses, you may need to go through the full initial certification process again, including Stage 1.

What Happens If You Fail

If a surveillance or recertification audit reveals a major nonconformity:

  1. Corrective action period. You are given a defined window (typically 90 days) to implement corrective action and provide evidence of resolution.
  2. Verification. The auditor verifies the corrective action, either through documentation review or a follow-up visit.
  3. Suspension. If corrective action is not satisfactorily completed, the CB may suspend your certificate. Suspension means you cannot claim certification until the issue is resolved.
  4. Withdrawal. If suspension is not resolved within a defined period (typically six months), the certificate is withdrawn entirely.

Minor nonconformities follow a similar process but are less likely to result in suspension if addressed promptly.

Common Surveillance Audit Findings

Based on typical audit outcomes, the most frequent findings include:

  • Incomplete internal audit coverage. The internal audit program did not cover all planned areas.
  • Overdue corrective actions. Nonconformities from previous audits remain open past their target dates.
  • Outdated risk assessments. The risk register has not been updated to reflect organizational or environmental changes.
  • Missing management review records. Management reviews were not conducted or were insufficiently documented.
  • Evidence gaps. Controls are documented in the SoA but evidence of ongoing operation is insufficient.
  • Awareness shortfalls. New employees have not received information security awareness training.
  • Change management gaps. Significant changes to systems or processes were not assessed for security impact.

Staying Audit-Ready Year-Round

The organizations that find surveillance audits painless are the ones that operate their ISMS continuously rather than in audit preparation sprints. Key practices include:

  • Monthly or quarterly control reviews where control owners verify their controls are operating and evidence is current.
  • Integrated processes where security reviews are embedded into change management, project management, and vendor management rather than running as separate tracks.
  • Automated evidence collection that captures control operation artifacts without manual effort.
  • Dashboard visibility so management and ISMS owners can see the current state of compliance at any time.
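The readiness practices above, and the common findings listed earlier, all reduce to a few date-based checks over a control register: is the newest evidence for each control within its expected interval, are corrective actions closed by their due date and verified as effective, were planned internal audits actually conducted, and has the risk register been reviewed within its interval. The following is an added example, not code from the original page or from any compliance tool; it assumes a hypothetical register format (dict records with date fields) and the sample records are constructed for illustration. It runs the checks against a fixed reference date so the output is reproducible.

```python
"""Audit-readiness checks over a hypothetical ISMS control register.

Added example; the register format and all records below are constructed
assumptions, not data or code from the page or any product.
"""
from datetime import date, timedelta

TODAY = date(2024, 6, 1)  # fixed reference date so the example is reproducible

# Controls with the interval at which operating evidence is expected
# (hypothetical register format; records are constructed samples).
CONTROLS = [
    {"id": "A.5.18", "name": "Access rights review", "interval_days": 90,
     "last_evidence": date(2024, 5, 20)},
    {"id": "A.8.13", "name": "Backup restore test", "interval_days": 90,
     "last_evidence": date(2023, 12, 15)},
    {"id": "A.6.3", "name": "Awareness training", "interval_days": 365,
     "last_evidence": date(2023, 9, 1)},
]

# Nonconformities from previous internal and external audits.
CORRECTIVE_ACTIONS = [
    {"id": "NC-2023-02", "source": "surveillance", "due": date(2024, 3, 31),
     "closed": date(2024, 3, 20), "effectiveness_verified": False},
    {"id": "NC-2023-05", "source": "internal", "due": date(2024, 5, 15),
     "closed": None, "effectiveness_verified": False},
    {"id": "NC-2024-01", "source": "internal", "due": date(2024, 7, 31),
     "closed": None, "effectiveness_verified": False},
]

# Internal audit programme: planned date and the date each audit was held.
INTERNAL_AUDIT_PLAN = [
    {"area": "Clause 9 performance evaluation", "planned": date(2024, 2, 1),
     "conducted": date(2024, 2, 5)},
    {"area": "Annex A supplier controls", "planned": date(2024, 4, 1),
     "conducted": None},
]

RISK_REGISTER = {"last_reviewed": date(2023, 3, 1), "interval_days": 365}


def stale_evidence(controls, today=TODAY, grace_days=14):
    """Controls whose newest evidence is older than interval + grace period.

    Returns (control id, days overdue beyond the grace period).
    """
    findings = []
    for c in controls:
        due = c["last_evidence"] + timedelta(days=c["interval_days"])
        overdue = (today - due).days - grace_days
        if overdue > 0:
            findings.append((c["id"], overdue))
    return findings


def corrective_action_findings(actions, today=TODAY):
    """Open actions past their due date, and closed actions whose
    effectiveness was never verified (a fix without a check is a gap)."""
    overdue, unverified = [], []
    for a in actions:
        if a["closed"] is None and today > a["due"]:
            overdue.append(a["id"])
        elif a["closed"] is not None and not a["effectiveness_verified"]:
            unverified.append(a["id"])
    return overdue, unverified


def missed_internal_audits(plan, today=TODAY):
    """Planned internal audits whose date has passed without being held."""
    return [p["area"] for p in plan
            if p["conducted"] is None and today > p["planned"]]


def risk_register_stale(register, today=TODAY):
    """True when the risk register has not been reviewed within its interval."""
    next_due = register["last_reviewed"] + timedelta(days=register["interval_days"])
    return today > next_due


def readiness_report(today=TODAY):
    """Group results under the finding categories an auditor would use."""
    overdue, unverified = corrective_action_findings(CORRECTIVE_ACTIONS, today)
    return {
        "evidence_gaps": stale_evidence(CONTROLS, today),
        "overdue_corrective_actions": overdue,
        "unverified_corrective_actions": unverified,
        "missed_internal_audits": missed_internal_audits(INTERNAL_AUDIT_PLAN, today),
        "risk_register_outdated": risk_register_stale(RISK_REGISTER, today),
    }


def is_audit_ready(report):
    """Ready only when every category is empty or False."""
    return not any(report.values())


if __name__ == "__main__":
    report = readiness_report()
    for category, result in report.items():
        print(f"{category}: {result}")
    print("audit-ready" if is_audit_ready(report) else "findings open")
```

Run as a scheduled job against your real register, this is the core of the "automated evidence collection" and "dashboard visibility" practices: the same four questions the auditor will ask, answered every week instead of once a year. The grace period on evidence is deliberate; a control due on the 1st and evidenced on the 3rd is not a finding, but one that is months late is.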

Tools like episki keep your risk register, SoA, control evidence, and review schedules connected and current, so a surveillance audit becomes a verification of ongoing practice rather than a scramble to reconstruct twelve months of activity.
