What is a Surveillance Audit?
A surveillance audit is a periodic assessment conducted by a certification body to verify that a certified organization's management system continues to operate in accordance with the standard requirements. In the context of ISO 27001, surveillance audits occur annually between the initial certification and the three-year recertification cycle.
Purpose of surveillance audits
Surveillance audits serve several important purposes:
- Ongoing assurance — confirm that the ISMS has not degraded since the initial certification or last audit
- Continuous improvement verification — check that the organization is actively improving its ISMS rather than letting it stagnate
- Change assessment — evaluate how changes to the organization, its services, or its risk environment have been addressed
- Corrective action follow-up — verify that nonconformities identified in previous audits have been resolved
- Stakeholder confidence — maintain trust among customers, partners, and regulators that the certification remains valid
Surveillance audit schedule
ISO 27001 certification follows a three-year cycle:
- Year 0 — initial certification audit (Stage 1 and Stage 2)
- Year 1 — first surveillance audit
- Year 2 — second surveillance audit
- Year 3 — recertification audit (full audit to renew the certificate for another three years)
Surveillance audits are typically scheduled around the anniversary of the initial certification. Missing or failing a surveillance audit can result in suspension or withdrawal of the certificate.
Scope of surveillance audits
Surveillance audits do not cover the entire ISMS in the same depth as the initial certification. Instead, the certification body samples a subset of controls and processes. However, certain elements are always reviewed:
- Internal audit results — evidence that the organization is conducting its own internal audits
- Management review — records showing that management regularly reviews ISMS performance
- Corrective actions — status of previously identified nonconformities
- Use of the certification mark — verification that the organization uses the ISO 27001 mark correctly
- Changes to the ISMS — assessment of any significant changes since the last audit
The certification body plans the surveillance audits to ensure that, across the three-year cycle, all significant areas of the ISMS are examined.
Preparing for a surveillance audit
To prepare effectively:
- Maintain your ISMS — do not treat certification as a one-time achievement; keep controls operating and evidence current
- Conduct internal audits — perform regular internal audits and document findings and corrective actions
- Hold management reviews — ensure management reviews occur at planned intervals with documented outcomes
- Track corrective actions — close out any nonconformities from previous audits with evidence of resolution
- Update documentation — keep policies, procedures, the risk register, and Statement of Applicability current
- Brief your team — ensure control owners understand the surveillance process and can speak to their controls
Common pitfalls
Organizations frequently encounter issues during surveillance audits due to:
- Letting the ISMS become dormant between audits
- Failing to conduct internal audits or management reviews
- Not updating the risk assessment after significant changes
- Incomplete corrective action records
- Documentation that does not reflect current practices
What happens if you fail
If the certification body identifies major nonconformities during a surveillance audit, the organization typically receives a defined period to resolve them. If the nonconformities are not resolved within that period, the certification body may suspend or withdraw the certification.
How episki helps
episki keeps your ISMS active year-round with automated evidence collection, internal audit tracking, and management review workflows. The platform ensures you are always surveillance-audit-ready rather than scrambling to prepare. Learn more on our ISO 27001 compliance page.