Skip to content
360 Cyber Compliance

ISO 27001 · 1 July 2026

ISO 27001 surveillance audits: keeping your certification

Achieving ISO/IEC 27001:2022 certification is a milestone, not a finish line. To keep your certificate valid, your ISMS is checked each year through surveillance audits, with a full recertification every three years. This guide explains how that cycle works and how to stay comfortably audit-ready.

The three-year certification cycle

Certification runs on a rolling three-year cycle:

YearAudit
Year 0Initial certification — Stage 1 and Stage 2 audits
Year 1First surveillance audit
Year 2Second surveillance audit
Year 3Recertification audit (full reassessment)

The certificate is typically valid for three years, but that validity depends on passing the surveillance audits in between. Miss or fail them and the certificate can be suspended or withdrawn.

What a surveillance audit is

A surveillance audit is a lighter-touch check than the full Stage 2 assessment. Rather than re-examining everything, the auditor samples parts of your ISMS to confirm it’s still operating effectively and continually improving. Surveillance audits are usually annual, though some certification bodies schedule them more frequently for larger or higher-risk organisations.

What auditors focus on during surveillance

While the exact scope varies, surveillance audits commonly review:

  • Internal audits — that you’ve completed your planned internal audit programme.
  • Management review — that leadership has reviewed the ISMS at least once in the period.
  • Corrective actions — that findings from previous audits (internal or external) have been closed out.
  • Risk assessment and treatment — that these have been kept current as things change.
  • Incidents — how any security incidents were handled and what was learned.
  • Changes — new systems, suppliers, staff or scope changes since the last audit.
  • A sample of Annex A controls — evidence that selected controls from your Statement of Applicability are still working.

Certain mandatory elements — internal audit, management review and the handling of nonconformities — are typically checked at every surveillance audit, because they show the ISMS is genuinely alive.

Recertification: the year-three reassessment

Every three years, recertification takes the place of a surveillance audit. It’s a more comprehensive reassessment, closer in depth to the original Stage 2, confirming your ISMS remains effective and suitable for a further three-year certificate. It’s a natural point to review your scope, refresh your risk assessment and make sure your documentation still reflects how you actually work.

Staying audit-ready between visits

The organisations that find surveillance audits painless treat their ISMS as business as usual rather than an annual scramble. Practical habits help:

  1. Run your internal audit programme steadily through the year, not all at once before the auditor arrives.
  2. Hold your management review and keep minutes and actions.
  3. Close corrective actions promptly and keep the evidence.
  4. Update your risk assessment and SoA whenever something significant changes.
  5. Keep evidence flowing — logs, training records, incident records and reviews — so it’s ready when asked for.
  6. Log and learn from incidents, however minor.

A short internal readiness check a few weeks before each surveillance audit usually surfaces anything that needs tidying.

What happens if findings are raised

Surveillance audits can raise nonconformities just like the initial audit. Minor findings typically require a corrective action plan within an agreed timescale; major findings need prompt resolution to keep the certificate in good standing. Responding with clear root cause analysis and effective corrective action demonstrates that your continual improvement process works — which is exactly what the standard is looking for.

Common surveillance pitfalls

  • Letting the ISMS go quiet after certification, then rushing before the audit.
  • Skipping the annual management review or internal audits.
  • Leaving previous findings open with no evidence of resolution.
  • Not updating the risk assessment and SoA after changes.
  • Losing track of evidence, so controls can’t be demonstrated.

If any terminology is unfamiliar, our glossary explains the key terms in plain English.

How we can help

Maintaining certification year after year is much easier with a steady rhythm and the right support. We provide practical help throughout the certification lifecycle — from running internal audits and facilitating management reviews to keeping your documentation and evidence current for each surveillance visit — as part of a transparent, fixed-fee engagement with a clear delivery process. Our free ISO 27001 gap assessment tool is a handy way to sense-check your ongoing readiness.

Learn more about our ISO 27001 service or get in touch to keep your certification on track.

Need help in practice? See our ISO 27001 service.

Need a hand with this?

Book a free, no-obligation readiness check.