ISO 27001 Recertification: What Happens After 3 Years

My guide on what happens around ISO 27001 recertification. Learn the key elements and what to prepare for.


Achieving ISO 27001 certification is significant. Maintaining it is the longer game — and one that catches organisations off guard more often than the initial certification does.

The three-year certification cycle is structured so that certification bodies can maintain reasonable confidence that certified organisations continue to operate their ISMS effectively between audits. But the structure only works if you understand what each stage involves and what happens if you fall behind.

This guide explains the full post-certification lifecycle: what surveillance audits involve, how recertification differs from initial certification, and how to avoid the most common maintenance pitfalls.


The Three-Year Cycle: An Overview

ISO 27001 certificates are issued for a three-year period, not indefinitely. Within that three-year period, the certification body conducts:

  • Year 1: Surveillance Audit 1 (SA1) — a sampled review confirming the ISMS is still operating effectively
  • Year 2: Surveillance Audit 2 (SA2) — a further sampled review, typically covering different control areas than SA1
  • Year 3: Recertification Audit — a more comprehensive re-assessment that resets the certification cycle

If the surveillance audits are not conducted on schedule, or if the recertification audit is not completed before the certificate expires, the certificate lapses. A lapsed certificate is the same as no certificate — and some certification bodies will require a fresh Stage 1 and Stage 2 process to reinstate it.


Surveillance Audits: What to Expect

Surveillance audits are shorter than the original Stage 2 certification audit — typically half a day to one day for most small and medium organisations. They are not a comprehensive reassessment of your entire ISMS. Instead, they focus on:

Mandatory areas reviewed at every surveillance audit:

  • Status of nonconformities from the previous audit — have they been closed, and was closure effective?
  • Internal audit — has it been conducted, and has it produced findings?
  • Management review — has it taken place, and does it cover all required inputs?
  • Risk assessment — has it been reviewed, and has it been updated following significant changes?
  • Information security objectives — have they been reviewed and progressed?
  • Sample of Annex A controls — rotated between SA1 and SA2 to cover different areas

What auditors are not doing at surveillance:

  • Reviewing every clause of the standard in depth
  • Re-examining areas already covered thoroughly at the previous audit
  • Conducting a comprehensive control effectiveness assessment

The surveillance audit is designed to confirm continued operation, not to revalidate the entire ISMS. Organisations that run their ISMS consistently throughout the year — rather than preparing in the weeks before the audit — find surveillance audits straightforward.


What Auditors Actually Want to See at Surveillance

The most common gaps found at surveillance audits are not failures of sophisticated security controls. They are failures of basic ISMS maintenance:

Internal audit not completed. The most frequent finding. Many organisations conduct one internal audit in preparation for initial certification and then let the audit programme lapse. By SA1, a full 12-month period has elapsed and no internal audit has been conducted. This is a nonconformity.

Management review not completed. Similar issue — the management review takes place before initial certification and then is not repeated until the certification body asks for evidence. Annual management review is a minimum.

Risk assessment unchanged since implementation. If your organisation has changed significantly — new systems, new services, new suppliers, new threats — and your risk assessment still reflects the world as it was two years ago, that is a gap.

Corrective actions not closed. Findings from the previous audit (or from your internal audit) that were reported as closed but where no effective corrective action was actually implemented. Auditors follow up on previous findings and verify closure with evidence, not just assertion.

Training records not maintained. New starters who have not received security awareness training, and annual refresher training that has not been conducted for existing staff.


What Changes Between SA1 and SA2

Surveillance audits are not identical. Certification bodies rotate the Annex A controls they sample between SA1 and SA2 to ensure broader coverage of the control set over the three-year cycle without duplicating effort.

SA1 might focus on access control, incident management, and supplier security. SA2 might focus on physical security, business continuity, and cryptography. The mandatory areas — internal audit, management review, risk assessment, previous findings — are reviewed at both.

Some certification bodies provide advance notice of which control areas they intend to sample at each surveillance audit; others do not. Either way, the best preparation is a consistently operated ISMS rather than targeted preparation for specific controls.


The Recertification Audit: How It Differs

At the end of year three, the recertification audit is a more substantial exercise than a surveillance audit. It is closer in scope to the original Stage 2 audit — a comprehensive review of the ISMS rather than a sampled check.

At recertification, the auditor will:

Review the full three-year period. Unlike surveillance, which looks at the period since the last audit, recertification reviews the ISMS over its entire three-year lifecycle. Evidence of consistent operation throughout the period is expected — not just recent activity.

Reassess the Statement of Applicability. Has the SoA been kept current? Does it still accurately reflect the controls applicable to your ISMS? Changes in scope, new services, or changes in the risk landscape may require SoA updates.

Sample a broader range of Annex A controls. Recertification is not limited to the rotation used at surveillance — it may revisit areas covered at surveillance as well as areas not previously sampled.

Assess ISMS maturity and evolution. Auditors at recertification will consider whether the ISMS has developed over the three years. An ISMS that looks identical to how it did at initial certification — unchanged risk assessment, unchanged procedures, unchanged objectives — raises questions about whether continual improvement has genuinely occurred.

Set the baseline for the next cycle. Findings at recertification carry forward as the starting point for the next three-year cycle. Addressing any significant issues before recertification is more efficient than entering a new cycle with open nonconformities.

The ISO 27001 Three-Year Cycle: What Changes at Each Stage

Surveillance audits confirm ongoing operation — recertification is a fuller re-assessment.

  • Pre-cert (S1): Stage 1 Audit, readiness review, ½–1 day
  • Year 0 (S2): Stage 2 Audit, full certification, 1–3 days; certificate issued
  • Year 1 (SA1): Surveillance 1, sampled check, ½–1 day
  • Year 2 (SA2): Surveillance 2, sampled check, ½–1 day
  • Year 3 (RC): Recertification, full re-assessment, 1–2 days; new certificate issued

What recertification adds beyond surveillance:

  • Three-year evidence review: auditors review evidence of consistent ISMS operation throughout the full three years — not just since the last visit.
  • SoA reassessment: the Statement of Applicability is reviewed for currency — has it been kept up to date as the business and risk landscape changed?
  • ISMS evolution check: auditors assess whether the ISMS has genuinely improved over three years. An unchanged ISMS raises questions about continual improvement.

Certificate lapse is more common than organisations expect. If SA1, SA2, or recertification are missed, the certificate expires. A lapsed certificate means no certification — and reinstating it may require starting the Stage 1/Stage 2 process again. Book recertification at least 4–6 months before expiry.

Organisations that run their ISMS consistently throughout the year find surveillance and recertification straightforward. Those that treat it as an event rather than a programme scramble — and find more findings.

Preparing for Recertification

The best preparation for recertification is the same as for surveillance: run your ISMS consistently and maintain evidence throughout the year. Organisations that treat recertification as a one-time event — scrambling to compile evidence in the months before the audit — are at greater risk of findings and are doing significantly more work than necessary.

Specific preparation activities in the three to six months before recertification:

Review your scope statement. Has the business changed in ways that require the scope to be updated? New products, new locations, changes to organisational structure?

Review and update your risk assessment. Has it been reviewed within the last 12 months? Does it reflect current threats, current systems, and current business activities?

Confirm your SoA is current. Are all 93 controls assessed for applicability? Is the justification for each applicable control still accurate? Are any controls that were previously inapplicable now relevant?

Compile a three-year evidence trail. Management review minutes from each year. Internal audit reports and evidence of corrective action closure. Training records. Incident log. Risk treatment plan updates. This is the evidence that the ISMS has been operating — not just documented — for three years.

Complete any outstanding corrective actions. Open nonconformities entering recertification create unnecessary risk. Where possible, close outstanding actions and document effectiveness verification before the audit.

Conduct a full internal audit covering the recertification scope. A comprehensive internal audit in advance of recertification provides a structured way to identify and address gaps before the external auditor does.

Recertification Preparation: A Timeline

Most recertification problems are caused by inaction in years 1–2, not by year 3 preparation failures.

  • Ongoing throughout the 3 years (continuous ISMS operation, the real preparation): annual management review; annual internal audit; risk assessment reviewed on change; training records maintained; corrective actions tracked to closure; incident log active
  • 6 months before expiry (book the recertification audit and review scope): confirm audit date with certification body; review scope statement and update if needed; review SoA for currency; plan pre-audit internal audit
  • 3 months before (comprehensive internal audit and gap review): full internal audit against recertification scope; update risk assessment; close outstanding corrective actions; confirm management review is current
  • 1 month before (compile evidence and final checks): 3-year evidence pack ready; training records complete; no outstanding major corrective actions; staff briefed on audit process
  • Audit day (recertification audit, expect 1–2 days): 3-year evidence review; SoA reassessment; control sample (broader than surveillance); ISMS maturity and evolution assessment

Most common recertification findings (almost all preventable):

  • No internal audit in year 2 or 3: the internal audit programme lapses after year 1. By recertification there is no three-year trail — this is a major finding.
  • Management review missed one year: annual management review is a minimum. A three-year period with only one or two reviews evidenced is a gap.
  • Risk assessment unchanged for 3 years: if the business changed but the risk assessment didn't, it doesn't reflect reality. Auditors expect to see review dates and updates.
  • Recertification booked too late: the audit must complete before the certificate expires. Late booking can mean the certificate lapses while waiting for an available audit slot.

Book your recertification audit at least 4–6 months before your certificate expires. The audit must be completed — not just started — before the expiry date.

What Happens If the Certificate Lapses?

If a certificate lapses — because surveillance was not conducted on schedule or because recertification was not completed before expiry — the organisation is no longer certified. The practical implications:

  • You cannot claim ISO 27001 certification in any commercial context
  • Customers who have contractual requirements for certification may require you to re-certify as a condition of contract renewal
  • The certification body will typically require a fresh assessment to reinstate — in some cases this means repeating the Stage 1 and Stage 2 process

Certificate lapse is more common than organisations expect. The most frequent cause is administrative — certification renewal is not tracked properly, or the organisation changes certification body without ensuring continuity of the audit schedule.

Keep the expiry date in a visible location, ensure renewal is tracked as a business obligation, and engage your certification body well in advance — most require a booking lead time of several weeks, and you need the audit completed before the expiry date, not on it.



Common Mistakes

Letting the ISMS idle between audits. The ISMS should be a living programme, not a set of documents that gets dusted off before each audit. Organisations that maintain ongoing operations — regular management reviews, active risk management, continuous training — consistently find audits easier and less stressful.

Mismanaging nonconformity closure. Reporting a nonconformity as closed before the corrective action has been implemented and verified is a finding in itself. Auditors look for evidence of effectiveness, not just a record that an action was taken.

Losing internal audit momentum. Many organisations have a strong internal audit in year one and then find the programme loses energy. Year two and three internal audits become thinner, less documented, or delayed. By recertification, a three-year internal audit trail should show consistent activity.

Not planning for certification body changes. If you change certification body mid-cycle, the new body typically needs to conduct an abbreviated Stage 1 assessment before taking over the audit cycle. This can create timing complications if not managed carefully.


FAQs

Can we change certification body for recertification?

Yes. You are free to switch certification bodies. The new body will typically conduct a transfer audit or abbreviated assessment to confirm they understand your ISMS before certifying it. This is good practice, but creates additional work compared to continuing with the same body. Transfer timing needs to be managed carefully to avoid a gap in certification.

What is the difference between a minor and major nonconformity at surveillance?

A minor nonconformity is a single lapse or gap that does not indicate a systemic failure — a missing record, an overdue review. A major nonconformity represents a systemic failure or a gap that undermines a key requirement of the standard. Major nonconformities at surveillance must be remediated before the audit can be closed and the certificate maintained. Multiple unresolved minor nonconformities can be upgraded to major.

Can a certificate be suspended rather than lapsed?

Yes. Certification bodies can suspend a certificate where significant issues are identified that require remediation. During suspension, the organisation cannot claim certification. The certificate is reinstated once the issues are resolved and verified. Suspension is typically used where there are serious nonconformities but the certification body believes they can be addressed without full recertification.

Does the three-year cycle reset at recertification or at the original certification date?

At recertification. The new three-year cycle begins from the date the recertification audit is completed and the new certificate is issued — not from the original certification date. If recertification occurs early (before the original certificate expires), the new cycle starts from the recertification completion date.

How far in advance should we book the recertification audit?

Most certification bodies recommend booking at least three to four months in advance. The audit needs to be completed before the certificate expiry date — not scheduled to start on the expiry date. Factor in time for audit preparation, the audit itself, any post-audit finding closure, and the certification body’s decision process. Six months lead time is a comfortable margin for most organisations.


Written by

Alan Parker

Alan Parker is an ISO 27001 consultant and founder of Iseo Blue Limited. He helps UK SMEs achieve certification in 90 days or less - often without a dedicated security team or a large budget. With over 30 years in IT governance and information security, Alan works with software companies, IT service providers, managed service providers, and professional services firms across the UK, Europe, and internationally. Qualifications: ITIL v3 Expert, ITIL v4 Bridge, PRINCE2 Practitioner. Named IT Project Expert of the Year (2024, UK). Alan writes in plain English for busy teams who need to get things done. Connect on LinkedIn or Bluesky, or explore his free ISO 27001 tools and templates at iseoblue.com. B.Sc (Hons) Information Systems, CISMP certified.