ISO 27001 Surveillance Audits: What to Expect

What happens after certification? The ISO 27001 surveillance audits in years 1 and 2, and the recertification audit in year 3, explained.


Getting ISO 27001 certified is the milestone most organisations focus on. What comes after it — the ongoing audit cycle that keeps the certificate valid — is less well understood, and the gap in preparation often shows.

Certification is issued for three years. During that period, your certification body conducts surveillance audits — typically in year one and year two — to verify that your ISMS is still operating effectively. In year three, the certificate expires and must be renewed through a recertification audit. Each type of audit has a different scope, a different feel, and different things that tend to go wrong.

This guide explains the full post-certification cycle, what each audit involves, and how to stay prepared throughout the three years rather than scrambling in the weeks before each visit.


The Three-Year Certification Cycle

ISO 27001 certificates are issued with a three-year validity period. The certification body’s audit programme across those three years typically looks like this:

The ISO 27001 Three-Year Certification Cycle

What happens after certification — and what changes at each audit

Pre-cert (S1): Stage 1 Audit. Documentary review — readiness check. ½–1 day.
Year 0 (S2): Stage 2 Audit. Full certification assessment. 1–3 days. Certificate issued.
Year 1 (SA1): Surveillance 1. Sampled review — ISMS still operating? ½–1 day.
Year 2 (SA2): Surveillance 2. Sampled review — different control areas. ½–1 day.
Year 3 (RC): Recertification. Full re-assessment — resets the cycle. 1–2 days.

Surveillance 1 & 2 (always reviewed):

  • Previous nonconformities — closed with evidence?
  • Internal audit — conducted and documented?
  • Management review — all inputs covered?
  • Risk assessment — updated after changes?
  • Sample of Annex A controls (rotated)
  • Objectives — reviewed, progressed?

Recertification only (additional scope):

  • Full three-year evidence review
  • Statement of Applicability — still current?
  • Comprehensive Annex A control sample
  • ISMS evolution — has it developed?
  • New objectives set for next 3 years
  • Broader clause coverage than surveillance

Common gaps found (what trips people up):

  • No internal audit since last visit
  • Risk assessment unchanged despite changes
  • Management review minutes too thin
  • Previous NCs "closed" with no verification
  • Training records missing for new starters
  • Supplier reviews overdue

The organisations that find surveillance easy are those that never stopped running their ISMS. Evidence maintained throughout the year is far more convincing than documentation prepared in the weeks before a visit.


Initial certification involves two stages. Stage 1 is a documentary review — the auditor examines your ISMS documentation to assess readiness for a full assessment. Stage 2 is the certification audit — a thorough evaluation of whether your ISMS meets the requirements of the standard across the full scope. If Stage 2 is successful and any nonconformities are resolved, the certificate is issued.

Surveillance audit 1 usually takes place six to twelve months after certification, depending on your certification body’s schedule. It is a shorter, sampled audit — not a full re-examination of everything covered at Stage 2, but a focused review of whether your ISMS remains operational and effective.

Surveillance audit 2 typically takes place twelve months after surveillance audit 1. Its format is similar to the first surveillance, though the auditor will often sample different areas of your Annex A controls to build coverage over the three-year period.

Recertification audit takes place before the three-year certificate expires. It is a more thorough audit than surveillance — closer in scope to the original Stage 2 — and resets the three-year cycle. A successful recertification issues a new certificate for the next three years.

The exact scheduling and duration of each audit is governed by your certification body’s procedures and the IAF (International Accreditation Forum) mandatory documents that define audit time requirements. Organisations with more complex operations, larger staff counts, or broader ISMS scopes will typically face longer audit durations at each stage.


What Changes After Certification

Many organisations treat ISO 27001 as a project with a defined end point — the certificate. The first surveillance audit often reveals whether that view was correct.

If the ISMS was built genuinely — with controls that actually operate, a risk assessment that reflects reality, and management that takes the process seriously — surveillance is usually straightforward. The auditor will find evidence of a functioning system and the audit feels like a normal review.

If the ISMS was built primarily to pass the certification audit — with documentation that was produced for the occasion but is not actively used — the cracks tend to appear at the first surveillance. Risk assessments that have not been updated. Internal audits that were conducted once and not repeated. Management review minutes that are difficult to find. Corrective actions from the certification audit that were logged but never fully resolved.

The surveillance audit is specifically designed to identify the difference between these two situations. It is not a repeat of the certification audit — it is an assessment of whether the ISMS has remained alive in the months since.


Surveillance Audit 1: What to Expect

Duration and Format

Surveillance audits are shorter than the initial Stage 2. For a small organisation — typically up to around fifty staff — a surveillance audit might be a single day, or even half a day for a very small and well-documented ISMS. Larger organisations will face longer durations proportionate to their complexity.

The format typically follows the same structure as a Stage 2: an opening meeting, the audit itself (a combination of document review, interviews with staff, and observation of processes), and a closing meeting where findings are presented.

What the Auditor Will Always Check

There are certain areas that every surveillance audit will cover because they are the clearest indicators of whether the ISMS is functioning as a management system rather than as a static document set.

Previous audit findings. The first thing most auditors review is the list of nonconformities and observations from the certification audit. Were they properly closed? Is there documented evidence of the corrective actions taken and their effectiveness? An unclosed major nonconformity from the certification audit is an immediate concern. Minor nonconformities that were closed on paper but have not been verified as effective are also a common finding.

Internal audit programme. Has at least one internal audit taken place since certification, covering areas appropriate to your ISMS scope? The internal audit must be planned, conducted by competent auditors (who should be independent of the areas being audited), and documented with findings and a report. Many organisations find that the internal audit they conducted during the certification process counts as their pre-certification audit, and they have conducted nothing since. This is a gap.

Management review. Has management review taken place, covering the required inputs under Clause 9.3? The auditor will ask to see the management review minutes. These should be substantive — covering security performance data, audit results, risk assessment status, objectives progress, and changes in context — not a brief meeting with minimal recorded discussion.

Risk assessment status. Has the risk assessment been reviewed or updated since certification? If your organisation has changed — new systems, new services, new suppliers, new staff, a change in your operating environment — and the risk assessment has not been revisited, that is a gap. If nothing material has changed and you can demonstrate that a periodic review confirmed the risk assessment remains current, that is acceptable, but it needs to be documented.

Corrective actions and improvement. Is there evidence that nonconformities are being raised, investigated, and addressed? An ISMS that has produced no corrective actions since certification does not look like a functioning improvement system — it looks like one where nobody is looking hard enough.

What Gets Sampled

Beyond the mandatory areas, the auditor will sample a selection of your Annex A controls. They will not revisit everything covered in the Stage 2 — they will focus on areas relevant to any changes in your organisation, any areas flagged at the previous audit, and a rotation of controls to build coverage over the three-year period.

Common areas sampled at surveillance include access control, supplier management, training and awareness records, incident management, and business continuity. The auditor may also follow up on any specific technical controls that were of interest at the Stage 2.

What Tends to Go Wrong

The most frequent findings at first surveillance audits are not exotic. They are predictable gaps that arise when organisations stop running their ISMS actively after certification:

  • Internal audit not conducted since certification, or conducted but not documented
  • Risk assessment not reviewed following a change in the business
  • Management review minutes that are too thin to demonstrate that required inputs were addressed
  • Training records incomplete, particularly for new starters who joined after certification
  • Supplier assessments overdue for one or more significant suppliers
  • Corrective actions from the certification audit marked closed without verification evidence

The pattern behind most of these is the same: the ISMS was given attention in the run-up to certification and less attention in the months afterwards. Surveillance is where that shows.


Surveillance Audit 2: What to Expect

The second surveillance audit follows a similar format to the first. The auditor will again review the mandatory areas — internal audit, management review, risk assessment, previous findings — and sample a different selection of Annex A controls.

By year two, the auditor has now seen your ISMS in operation for approximately two years. They will look for evidence of continuity and maturity: whether the issues identified at surveillance one have been genuinely addressed, whether your metrics show any trend over time, and whether your ISMS is evolving as your organisation changes.

One area that receives more attention in year two is whether your Annex A controls are still proportionate. If your organisation has grown significantly, taken on new high-risk processing activities, or changed its technology infrastructure, controls that were adequate at certification may no longer be sufficient for your current risk profile.

The auditor will also be building towards the recertification audit. Any significant gaps in year two will need to be resolved before recertification — either as corrective actions with evidence, or as demonstrable improvements in the period before the recert visit.


Recertification Audit: What to Expect

The recertification audit takes place before the three-year certificate expires. It is a full re-assessment — broader in scope than surveillance, and closer in approach to the original Stage 2. Its purpose is to determine whether your ISMS continues to conform to the requirements of ISO 27001 and warrants the issue of a new certificate.

How It Differs from Surveillance

A surveillance audit samples. A recertification audit covers. While it will not repeat every test from the original Stage 2 with identical rigour, it will systematically review all areas of the ISMS — the mandatory clauses, the Statement of Applicability, and a comprehensive sample of Annex A controls across all categories.

Recertification audits also tend to take longer than surveillance visits. For a small organisation, you might expect a recertification to take one and a half to two days, compared to a single day for surveillance.

The auditor conducting the recertification may be different from the auditors who conducted your surveillance visits, particularly if your certification body has rotated personnel. A fresh pair of eyes will bring different observations, sometimes surfacing issues that had not been noticed in the previous cycle.

What the Recertification Auditor Will Review

The complete three-year picture. The auditor will want to see evidence of ISMS operation over the full certificate period, not just recent months. This means your internal audit records, management review minutes, and corrective action register should cover the entire three years. A well-maintained ISMS has records going back to certification. One that has been “refreshed” in the weeks before recertification will often look exactly like what it is.

The Statement of Applicability. Is the SoA still current? Does it reflect your current control set? If controls have been added, removed, or changed, the SoA should have been updated to reflect this. An SoA that is identical to the one produced three years ago, despite changes to the business, is a common finding.

Objectives and performance. What information security objectives were set at the start of the period? Were they achieved? What new objectives are being set for the next three years? The recertification audit is an opportunity to demonstrate strategic thinking about information security, not just operational compliance.

Evolution of the ISMS. Has the ISMS developed over three years in response to changes in the organisation, the threat landscape, and the lessons learned from incidents and audits? An ISMS that looks materially identical to how it was at initial certification — with no updated policies, unchanged risk registers, and the same controls — suggests a system that has been maintained on paper rather than actively managed.

Common Recertification Failures

Recertification failures — major nonconformities that result in certification not being renewed — are less common than surveillance issues, because organisations generally prepare more thoroughly. But they do happen, and the causes are usually systemic rather than isolated:

  • The internal audit programme has not covered all ISMS areas across the three-year period
  • The risk assessment has never been updated since initial certification, despite significant changes to the organisation
  • A major nonconformity from a surveillance audit was addressed in documentation but the underlying problem has not changed
  • Key evidence of control operation is missing for extended periods, suggesting controls were documented but not operated

Staying Prepared Throughout the Three Years

The organisations that find surveillance and recertification straightforward are not those that prepare intensively in the weeks before each audit. They are those that run their ISMS continuously and maintain their evidence trail as a matter of course.

Surveillance Audit Preparation Checklist

Have these ready before your auditor arrives — covering the areas always reviewed at surveillance.

Previous Audit Findings

  • Corrective action register — all findings logged
  • Evidence that each CA has been completed
  • Effectiveness verification documented for each
  • Any open actions have a status and owner

Internal Audit

  • Internal audit plan for the period
  • Audit reports with findings documented
  • Auditor independence confirmed
  • Corrective actions raised from audit findings

Management Review

  • Management review meeting held — dated minutes
  • All Clause 9.3 inputs addressed in minutes
  • Decisions and actions documented
  • Attendees recorded (senior management present)

Risk Assessment

  • Risk assessment reviewed since last audit
  • Updated following any significant changes
  • Risk treatment plan current
  • Review date and version number recorded

Training & Awareness

  • Annual training completion records (all staff)
  • New starter induction records since last audit
  • Role-based training for IT / ISMS team
  • Phishing simulation results (if run)

Key Operational Controls

  • Access review evidence — completed on schedule
  • Supplier review records — Tier 1 & 2 current
  • Incident log — any incidents recorded & reviewed
  • Policy review dates — none significantly overdue

The auditor's typical opening requests:

  1. "Can I see the corrective actions from the last audit and how they were closed?"
  2. "Show me your internal audit report and the findings it raised."
  3. "Can I see the management review minutes and what decisions came out of it?"
  4. "Has anything changed significantly in your organisation since we last visited?"
  5. "Have you had any security incidents in the past 12 months?"
  6. "When was your risk assessment last reviewed and what prompted the review?"

If your ISMS is running properly, you should be able to answer all six of these questions with evidence immediately. If any of them require a search or a scramble, that is the area to focus your preparation on.

Practical habits that make a significant difference:

Maintain your corrective action register actively. Every nonconformity raised — whether by an external auditor, your internal audit, or self-identified — should go into the register, be assigned an owner, have a target date, and be closed with documented verification. An auditor reviewing a well-maintained corrective action register over three years sees evidence of a functioning system.

Run internal audits on a schedule, not ad hoc. Your internal audit programme should cover all areas of the ISMS within the three-year period, with at least one internal audit per year. Document the plan, the findings, and the corrective actions that result. Internal auditors should be competent and independent of the areas they audit.

Review your risk assessment when things change. New systems, new suppliers, new services, significant staff changes, a security incident, a change in the regulatory environment — any of these should trigger a risk assessment review. You do not need to redo the entire risk assessment from scratch, but you need to document that you considered whether the change affects your risk profile.

Make management review substantive. The management review is the most visible evidence that information security is a leadership responsibility, not a technical one. If the minutes consist of two pages of agenda items all marked “no change required,” that is not a management review that demonstrates leadership commitment. Make the discussion real and record what was discussed and decided.

Update your documentation when it changes. Policies, procedures and records that have a version history, are reviewed on schedule, and show evidence of approval are significantly more convincing than documents that are undated, unversioned, or last reviewed at implementation.


FAQs

Can we choose when our surveillance audit takes place?

To some extent. Your certification body will set the overall schedule based on your certification date and their audit programme, but there is usually some flexibility in the specific date within a window. If your organisation is going through a significant change — a major system implementation, a restructure, or an unusually busy operational period — it is worth discussing the timing with your certification body. Most will accommodate reasonable requests for scheduling adjustments.

What happens if we get a major nonconformity at a surveillance audit?

A major nonconformity at surveillance puts your certificate at risk. The certification body will set a timescale within which the nonconformity must be resolved — often 90 days — and will typically require a follow-up audit visit or a substantial evidence submission to confirm resolution. If the nonconformity is not resolved within the agreed timescale, the certificate can be suspended. Suspension means the certificate cannot be used in business claims or customer documentation until it is lifted. If suspension extends beyond a further defined period without resolution, withdrawal is possible. In practice, most organisations address major nonconformities before withdrawal becomes a reality, but the reputational and commercial implications of even a suspension can be significant.

Does the auditor change between surveillance and recertification?

It varies by certification body. Some maintain the same lead auditor throughout the three-year cycle for continuity; others rotate periodically. If your auditor changes significantly between cycles, it is reasonable to ask the certification body about continuity arrangements. A new auditor will review the audit history but will bring their own perspective and may notice things differently. This is not inherently a problem — a fresh perspective sometimes catches things that familiarity has obscured.

How long in advance should we start preparing for recertification?

If your ISMS is running continuously, the preparation period is shorter — a review of documentation currency, a check that the corrective action register is up to date, and confirmation that the internal audit programme is complete. For organisations that have been less active in maintaining their ISMS, six months is a realistic minimum preparation period: enough time to conduct a thorough internal audit, run a management review, update documentation, and address any gaps before the external auditor arrives.

Can we change certification body between certification cycles?

Yes, and some organisations do — particularly if they are dissatisfied with their current certification body’s service, or if they want a certification body with better sector-specific recognition. Changing at the end of a three-year cycle (before recertification) is the most practical point to do so. The new certification body will typically conduct their own initial assessment rather than simply accepting the previous body’s certification history, which means a fresh audit process — effectively a new Stage 1 and Stage 2. This has implications for cost and timing that are worth factoring in.


Written by

Alan Parker

Alan Parker is an ISO 27001 consultant and founder of Iseo Blue Limited. He helps UK SMEs achieve certification in 90 days or less - often without a dedicated security team or a large budget. With over 30 years in IT governance and information security, Alan works with software companies, IT service providers, managed service providers, and professional services firms across the UK, Europe, and internationally. Qualifications: ITIL v3 Expert, ITIL v4 Bridge, PRINCE2 Practitioner. Named IT Project Expert of the Year (2024, UK). Alan writes in plain English for busy teams who need to get things done. Connect on LinkedIn or Bluesky, or explore his free ISO 27001 tools and templates at iseoblue.com. B.Sc (Hons) Information Systems, CISMP certified.