The 3-Year Certification Cycle
ISO 20000 certification is valid for three years. The certification cycle unfolds as: Initial certification (Stage 1 and Stage 2) → Year 1 surveillance audit → Year 2 surveillance audit → Year 3 recertification (full audit similar to initial certification) → renewed three-year certification. Understanding this cycle helps organizations plan their audit schedules and resource allocation.
What Surveillance Audits Are
Annual (or more frequent) surveillance audits verify that the SMS continues to meet ISO 20000 requirements and that findings from previous audits have been addressed. A surveillance audit is not a full re-audit of the entire SMS; it is a targeted review focusing on (1) areas where nonconformities were raised in the previous audit, (2) changes to the organization or SMS since the last audit, (3) a rotating sample of Clause 8 practices (to ensure all practices are sampled at least once during the three-year cycle), (4) management review and internal audit outputs, and (5) service performance trends. A typical surveillance audit lasts 1–2 days, much shorter than the initial Stage 2.
What Auditors Look For at Surveillance
Corrective Action Closure from Stage 2 Findings
Any major or minor nonconformities raised at Stage 2 are revisited. Auditors verify that the corrective actions were not just documented, but genuinely implemented and working. For example, if the Stage 2 finding was "Incident records are not consistently showing SLA status," the auditor at Year 1 surveillance will sample incident records again to confirm that SLA status is now being tracked consistently.
New Services or Significant SMS Changes
If the organization has added new services, expanded to new locations, or made significant changes to the SMS scope, auditors want to verify that these changes were managed through the SMS change management process and that the scope was updated and approved. Organizations sometimes add services informally without updating the scope document; this is a red flag to auditors.
Management Review and Internal Audit Activity
Auditors examine management review minutes from the past 12 months. They verify that management reviews have been held and that all required inputs have been covered. They examine internal audit reports to confirm that audits are covering all clauses and that findings are being addressed.
Service Performance Trends
Auditors want to see that service performance is stable or improving, not declining. If SLA achievement was 90% at Stage 2 and has dropped to 75% at Year 1 surveillance, that is a concern. If problem resolution time is getting longer or incident escalation rates are increasing, those are negative trends. Auditors ask about trend analysis: "Your availability went from 98% last quarter to 95% this quarter. What changed? What are you doing to recover?"
The SMS Between Audits
The danger of "audit cycle compliance" is real: some organizations maintain SMS discipline only in the weeks before audits and let it slip between them. How do auditors detect this? They look at when records were created or updated. If all management review minutes, improvement records, and internal audit reports are dated in the month before the audit, that is suspicious. If incident records, problem records, and change records are sporadic and then suddenly dense in the weeks before the audit, that suggests the SMS is not running continuously. To maintain genuine SMS discipline, ensure that all continuous activities (monthly service reporting, weekly or bi-weekly problem review, regular change management, monthly CMDB verification, quarterly internal audit activity) are running 12 months a year, not just around audit time.
SMS Maintenance Activities That Must Run Continuously
Between surveillance audits, the organization must maintain these ongoing SMS activities: monthly service reporting (with availability and SLA metrics), CAB meetings with documented minutes (typically weekly or bi-weekly), problem management review (weekly or bi-weekly), CMDB verification (quarterly sampling), customer satisfaction measurement (at least annually), supplier performance review (at least annually), and improvement register maintenance (continuous updates as improvements are identified and implemented). These activities generate the evidence that auditors will review at surveillance.
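A self-check for the timestamp pattern auditors look for, as an added example that is not part of the original page: it takes record dates exported per activity and flags gaps longer than the expected cadence and evidence clustered just before the audit. The activity keys, the sample dates, and the `tolerance` and `max_share` thresholds are assumptions made for illustration.

```python
from datetime import date, timedelta

# Expected cadence in days for three of the activities listed above
# (assumption: bi-weekly where the text says "weekly or bi-weekly").
CADENCE_DAYS = {"service_report": 31, "cab_minutes": 14, "cmdb_verification": 92}

def largest_gap(dates, start, end):
    """Longest run of days with no record between start and end."""
    points = [start] + sorted(d for d in dates if start <= d <= end) + [end]
    return max((b - a).days for a, b in zip(points, points[1:]))

def pre_audit_share(dates, start, end, window_days=30):
    """Fraction of the period's records dated in the final window_days."""
    in_period = [d for d in dates if start <= d <= end]
    if not in_period:
        return 0.0
    cutoff = end - timedelta(days=window_days)
    return sum(d > cutoff for d in in_period) / len(in_period)

def assess(records, audit_date, tolerance=1.5, max_share=0.5):
    """Return {activity: [reasons]}; an empty list means no flag.
    tolerance and max_share are illustrative, not ISO 20000 values."""
    start = audit_date - timedelta(days=365)
    findings = {}
    for activity, dates in records.items():
        gap = largest_gap(dates, start, audit_date)
        share = pre_audit_share(dates, start, audit_date)
        reasons = []
        if gap > CADENCE_DAYS[activity] * tolerance:
            reasons.append(f"gap of {gap} days")
        if share > max_share:
            reasons.append(f"{share:.0%} of records in last 30 days")
        findings[activity] = reasons
    return findings

# Constructed sample data for a hypothetical audit on 2024-06-17.
AUDIT = date(2024, 6, 17)
SAMPLE = {
    # A report on the 5th of every month: continuous operation.
    "service_report": [date(2023, m, 5) for m in range(7, 13)]
                      + [date(2024, m, 5) for m in range(1, 7)],
    # One meeting last September, then five in the fortnight before the audit.
    "cab_minutes": [date(2023, 9, 12)] + [date(2024, 6, d) for d in (3, 5, 7, 10, 12)],
    # Quarterly sampling, evenly spaced.
    "cmdb_verification": [date(2023, 8, 15), date(2023, 11, 15),
                          date(2024, 2, 15), date(2024, 5, 15)],
}

if __name__ == "__main__":
    for activity, reasons in assess(SAMPLE, AUDIT).items():
        print(activity, "->", "; ".join(reasons) or "ok")
```

Run against the created or last-updated timestamps exported from the service management tool, since those are the dates an auditor reads.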
Year 3 Recertification
At Year 3, the organization must undergo a full recertification audit similar in scope to the initial Stage 1 and Stage 2. The scope may be reviewed and updated (have new services been added? has the scope expanded or contracted?). The service management plan must be reviewed and updated to reflect the current state of the SMS. New services added since initial certification may be included in the SMS scope if they meet the criteria. The recertification process timeline includes Stage 1 (typically 1 day), remediation of findings (2–4 weeks), Stage 2 (typically 2–4 days), remediation of Stage 2 findings (4–8 weeks), and certification decision (2–3 weeks). Start planning six months before your certificate expires to ensure scheduling slots are available.
Certificate Suspension and Withdrawal
A certification body may suspend or withdraw a certificate in limited circumstances: (1) A major nonconformity is not resolved within the agreed timescale (typically 8 weeks). (2) A significant scope change (e.g., adding a major new service or location) is not notified to the CB and approved. (3) Fraud or misrepresentation is discovered (e.g., records were falsified for the audit). (4) Continued operation of the SMS is halted. If a certificate is suspended, the organization typically has 90 days to remediate and request reinstatement. If a certificate is withdrawn, the organization has lost certification and must re-apply for certification through the entire Stage 1 and Stage 2 process.
| KEY CONCEPT | Maintaining ISO 20000 certification is an ongoing discipline, not a periodic sprint. Organizations that treat SMS maintenance as an annual event around audit time consistently struggle at surveillance audits or lose certification at recertification. Run the SMS continuously; the audits will confirm what you have been doing all year. |
Scope Changes During the Certification Cycle
The SMS scope is fixed at initial certification. If the organization wants to add a significant new service, location, or customer base to the SMS scope during the three-year certification cycle, this must be agreed with the CB. Some CBs allow minor scope expansions at surveillance audits; others require a formal scope change approval. Attempting to add services to the SMS without notifying the CB risks having the certificate suspended as "scope not accurate." If you are planning scope expansion, notify the CB 2–3 months in advance and discuss how the expansion will be managed.
| IMPORTANT | Scope changes must be agreed with the CB. Adding significant new services to the SMS without notifying the CB may result in certificate suspension. The scope statement is the most fundamental document in the SMS; keep it current and accurate. |
3-Year Certification Cycle Activities
| Year | Certification Activity | Required SMS Evidence | Duration |
|---|---|---|---|
| Year 0 (Initial) | Stage 1 Audit: Documentation and readiness review | Scope, SMP, policy, procedures, risk assessment, internal audit plan | 1 day on-site or remote |
| Year 0 (Initial) | Remediation of Stage 1 findings | Evidence of closure of major findings | 4–8 weeks |
| Year 0 (Initial) | Stage 2 Audit: Implementation and operational evidence | 3 months of incident, problem, change, SLA, availability records; interviews; process observation | 2–4 days on-site |
| Year 0 (Initial) | Remediation of Stage 2 findings | Corrective action plans; closure evidence for major nonconformities | 4–8 weeks |
| Year 0 (Initial) | Certification Decision | All major nonconformities closed; certification issued | 2–3 weeks after Stage 2 closure |
| Year 1 | Surveillance Audit | Stage 2 findings closure verification; changes to SMS; rotating Clause 8 sample; management review; internal audit outputs | 1–2 days on-site or remote |
| Year 1 | Remediation of surveillance findings | Evidence of closure for any new nonconformities | 4–8 weeks |
| Year 2 | Surveillance Audit | Same scope as Year 1; verification of Year 1 finding closure; continued SMS operation | 1–2 days on-site or remote |
| Year 2 | Remediation of surveillance findings | Evidence of closure for any new nonconformities | 4–8 weeks |
| Year 3 (Final) | Recertification Audit – Full Stage 1 + Stage 2 | Current scope; updated SMP; management review and internal audit outputs; 3 months of recent operational evidence | 2–4 days on-site |
| Year 3 (Final) | Remediation of recertification findings | Corrective action plans and closure evidence | 4–8 weeks |
| Year 3 (Final) | New Certification Issued | Certificate valid for next 3 years | 2–3 weeks |
| BITLION INSIGHT | Bitlion GRC provides continuous compliance monitoring and surveillance audit preparation tools that help organizations track which SMS activities have been performed throughout the year and which areas are likely to be auditor focus points at the next surveillance. |