
ISO 27001 Surveillance Audits - What They Check and How to Prepare

Getting certified is the start, not the finish. ISO 27001 runs on a three-year cycle, and surveillance audits keep your certificate alive in years one and two. This guide covers what surveillance audits actually check, how they differ from the certification audit, the most common findings, and how to prepare so they pass without drama.

Soham Sawant
Cybersecurity Expert
May 26, 2026 · 8 min read

Certification is point-in-time; the ISMS is continuous. Surveillance audits exist to confirm the system kept running after the certificate was issued.

3yr - Certification Cycle
2 - Surveillance Audits
Subset - Sampled, Not All
Y3 - Recertification

Teams often treat ISO 27001 certification as a finish line - pass the audit, frame the certificate, move on. But the certificate is the beginning of an ongoing commitment. The standard is built around continual improvement, and the certification body checks that you are living up to it through annual surveillance audits. An ISMS that goes quiet after certification is exactly what surveillance audits are designed to catch.

This guide explains the surveillance audit: where it sits in the cycle, what it examines, what trips organisations up, and how to walk in prepared. If you have not yet certified, start with our Stage 1 vs Stage 2 guide and the certification timeline.

1. The Three-Year Cycle

ISO 27001 certificates run on a three-year cycle, with checkpoints each year:

Year 0

Certification audit (Stage 1 + Stage 2)

The full initial assessment. Stage 1 reviews documentation and readiness; Stage 2 examines the entire ISMS in operation. Passing it issues the certificate.

Year 1

First surveillance audit

A lighter check confirming the ISMS is still operating and improving. Samples a subset of controls plus the mandatory always-checked areas.

Year 2

Second surveillance audit

Same structure as year one, typically sampling a different subset of controls so the whole ISMS is covered across the cycle.

Year 3

Recertification audit

A fuller assessment, similar in depth to the original certification, that renews the certificate for another three-year cycle.

So between the two bookend audits (certification and recertification), the surveillance audits in years one and two keep the certificate valid and confirm the system is alive.

2. What Surveillance Actually Checks

A surveillance audit is narrower and shorter than the certification audit. Rather than examining the whole ISMS, it does two things: it samples a rotating subset of Annex A controls, and it always checks a defined set of mandatory areas (covered next). The sampling means that across the three-year cycle, the full control set gets examined - just not all at once each year.

Crucially, surveillance audits look hardest at the management system rather than just the technical controls - because a lapsed management system is the clearest sign that certification was a one-off effort rather than an operating discipline.

3. The Always-Checked Areas

Regardless of which controls get sampled, every surveillance audit checks these:

✓ Closure of prior nonconformities

Any findings from the last audit must be closed with evidence. This is the first thing an auditor verifies - unclosed prior findings are a serious red flag.

✓ Internal audit programme

That you ran internal audits on schedule and acted on the results. A dormant internal audit programme is one of the most common findings.

✓ Management review

Records showing leadership reviewed the ISMS at planned intervals, considering performance, risks, and improvement.

✓ Corrective action & continual improvement

Evidence that issues lead to corrective action and that the ISMS is genuinely improving over time.

✓ Incidents & complaints

How security incidents and any complaints were handled since the last audit.

✓ Changes to scope, structure, or risk

That significant changes - new systems, acquisitions, restructures, new risks - were reflected in the risk assessment, Statement of Applicability, and scope.

✓ Use of the certification mark

That you have used the certification body's logo and your certified status correctly in marketing and communications.

4. The Most Common Findings

Surveillance findings cluster around a predictable set of lapses - almost all of them symptoms of an ISMS that slowed down after certification:

  • Internal audits not done. The single most common finding. The programme lapses once the pressure of certification is gone.
  • Management reviews skipped. Leadership stops convening the review once the certificate is in hand.
  • Access reviews not performed. Periodic access recertification falls off the calendar.
  • Risk assessment gone stale. New systems and changes never reflected in the risk register or SoA.
  • Prior nonconformities not closed. Findings from the last audit left open or closed without real evidence.
  • Evidence gaps. Controls operating, but the records to prove it not retained.

The pattern is always the same

Nearly every surveillance finding traces back to the ISMS going dormant after certification. The organisations that sail through are the ones that kept the cadence - internal audits, management reviews, access reviews, risk updates - running all year as routine, not as audit-season theatre.

5. How to Prepare

The real preparation is keeping the ISMS alive year-round. But in the run-up to a surveillance audit, focus on:

  • Close prior findings first. Confirm every nonconformity from the last audit is closed with evidence. This is non-negotiable.
  • Confirm the cadence ran. Internal audits done, management review held, access reviews performed - with dated records.
  • Refresh risk and SoA. Update the risk assessment and Statement of Applicability for any changes since the last audit.
  • Map your changes. List significant changes (new systems, people, structure, risks) and how the ISMS handled each.
  • Make evidence findable. The auditor samples; if records exist but cannot be located quickly, it reads as a control failure.
  • Brief the people who will be interviewed. Control owners should be able to explain their controls and show the evidence.

For service providers whose clients rely on continued certification, a clean surveillance history is itself a client-trust asset - see our IT service provider guide.

6. If You Get a Finding

Findings are normal and not the end of the world - how you respond matters more than getting zero:

  • Minor nonconformity. Common and manageable. You submit a corrective action plan and evidence of remediation within an agreed timeframe; the certificate continues uninterrupted.
  • Major nonconformity. More serious. It must be addressed promptly, sometimes with a follow-up audit to verify closure. Left unresolved, a major can lead to suspension or withdrawal of the certificate.
  • Opportunities for improvement. Not findings at all - auditor suggestions you may adopt or not.

The practical reality: surveillance audits rarely fail outright when the ISMS has genuinely been operating. Failures almost always trace to a system that went quiet, not to bad luck on a sampling day.

Need to keep your certificate strong?

SecComply runs the ISMS cadence between audits - internal audits, management reviews, risk updates, evidence retention - and prepares you for surveillance and recertification so they pass without drama.

Book an ISMS maintenance call →

FAQ

What is an ISO 27001 surveillance audit?

A surveillance audit is a lighter annual check the certification body conducts in the years between your initial certification and recertification. ISO 27001 certificates run on a three-year cycle: you pass the Stage 1 and Stage 2 certification audit, then surveillance audits in years one and two confirm the ISMS is still operating and improving, and a recertification audit in year three renews the certificate. Surveillance audits sample a subset of the ISMS rather than examining everything.

How is a surveillance audit different from the certification audit?

The certification (Stage 2) audit examines the entire ISMS against the standard. A surveillance audit is narrower - it samples a subset of controls and always checks certain mandatory areas: that prior nonconformities have been closed, that internal audits and management reviews have continued, that the ISMS is being maintained and improved, and that significant changes to scope or risk have been handled. It is shorter and less exhaustive, but failing it can still jeopardise your certificate.

What do surveillance audits always check?

Certain areas are checked at every surveillance audit regardless of sampling: closure of prior nonconformities, the internal audit programme and its results, management review records, the corrective action and continual improvement process, handling of complaints and incidents, and any changes to the scope, structure, or risk profile of the organisation. Use of the certification mark and logo is also verified. Beyond these, the auditor samples a rotating subset of Annex A controls so that the whole ISMS is covered across the three-year cycle.

What happens if we fail a surveillance audit?

Minor nonconformities are common and are resolved by submitting a corrective action plan and evidence of remediation within an agreed timeframe - the certificate continues. Major nonconformities are more serious: they must be addressed promptly, sometimes with a follow-up audit, and if left unresolved can lead to suspension or withdrawal of the certificate. The practical point is that surveillance audits rarely fail outright if the ISMS has genuinely been operating; failures usually trace to an ISMS that went dormant after certification.

How do we prepare for a surveillance audit?

Keep the ISMS alive all year rather than scrambling before the audit. That means running internal audits on schedule, holding management reviews, closing nonconformities and tracking corrective actions, maintaining current risk assessments and the Statement of Applicability, and keeping evidence (access reviews, logs, incident records, training) continuously. Before the audit, confirm prior nonconformities are closed with evidence, review changes since the last audit, and make sure the documents and records the auditor will sample are current and findable.

Can our scope or risks change between audits?

Yes, and the surveillance audit specifically looks at how you handled change. New systems, acquisitions, new product lines, organisational restructures, or significant new risks should be reflected in an updated risk assessment, Statement of Applicability, and where relevant the certified scope. Unmanaged change - a major new system never risk-assessed, for example - is a common source of surveillance findings.