Surveillance Audits and Recertification

Surveillance audits are where most organizations that certified cleanly fail to maintain that standard. The preparation discipline that produced a clean certification audit — organized evidence, operational controls, engaged management — relaxes after the certificate arrives, and the surveillance audit twelve months later finds what relaxed discipline produces.

This is not inevitable. Organizations that treat surveillance audits as the natural continuation of the ISMS operational cycle — not as separate compliance events — find them unremarkable. The evidence is current because it was collected as a byproduct of control operation. The risk register is updated because it was reviewed at management review. The corrective actions are closed because they were tracked to completion, not left open until the auditor asked.

This article covers the complete surveillance and recertification cycle: what surveillance audits focus on, how they differ from initial certification, how to prepare without the last-minute scramble, the maturity progression across certification cycles, and the specific preparation timeline for the Year 3 recertification audit.

Three Audits, Three Purposes

The three-year certification cycle contains three audit events, each with a distinct purpose and scope. Understanding how they differ prevents over-preparation for surveillance audits (which are sampled, not full re-audits) and under-preparation for recertification (which is a full re-audit):

SURVEILLANCE 1

Timing: Month ~12

Scope: Sample — typically 30–50% of total scope areas

Depth: Focuses on areas of highest risk, previous findings, and organizational change since certification. Not a full clause-by-clause review.

Duration: 1–2 auditor days

Output: Surveillance report. Certificate maintained if no unresolved major NCs.

SURVEILLANCE 2

Timing: Month ~24

Scope: Sample — different areas from Surveillance 1. Together, Years 1 and 2 should cover most of the ISMS.

Depth: Auditor may specifically cover areas not sampled in Year 1. Previous findings from Surveillance 1 will be followed up.

Duration: 1–2 auditor days

Output: Surveillance report. Certificate maintained if no unresolved major NCs.

RECERTIFICATION

Timing: Month ~33–36

Scope: Full scope — all clauses 4–10, all applicable Annex A domains, all in-scope business units.

Depth: A full re-audit comparable in depth to the original Stage 2. Not a token review — auditors test the full ISMS.

Duration: 2–4 auditor days

Output: Recertification report. New 3-year certificate issued if conformant.

THE SURVEILLANCE SAMPLING PRINCIPLE

Surveillance audits do not cover the full ISMS scope in a single audit. They sample — auditors select areas based on risk, previous findings, and organizational change. This means high-risk areas and areas with previous findings are always in scope, while other areas are sampled across the two-year surveillance period. By the end of Year 2, the CB will typically have audited most of the ISMS across both surveillance visits — setting the baseline for the recertification audit.

What Surveillance Audits Focus On

Surveillance auditors come with a specific set of mandatory focus areas and a risk-based set of sampled areas. Understanding both categories allows organizations to prioritize preparation effort appropriately:

Area of focus: Corrective actions from previous audit
In scope: Always
Why it's in scope: Every finding from the Stage 2 audit (and any subsequent audit) is followed up at the next surveillance. Auditors specifically check whether stated corrective actions were implemented and whether they were effective.
What the auditor tests: Requests the CAR register entries for all previous findings. Reviews the corrective action response submitted to the CB. Tests whether the corrective action is still in effect — not just whether it was documented.

Area of focus: Clause 9 — Performance monitoring
In scope: Always
Why it's in scope: Evidence that the ISMS has been monitored and managed over the past 12 months — not just re-assembled for the audit. Management review minutes, internal audit reports, and KPI data are primary targets.
What the auditor tests: Requests management review minutes since certification. Checks all 8 Clause 9.3.2 inputs are addressed. Reviews internal audit reports for finding quality and CAR follow-through.

Area of focus: Clause 10 — Improvement activity
In scope: Always
Why it's in scope: Evidence that the ISMS has been improving — not static. Corrective action records, improvement register activity, and management review improvement decisions are all in scope.
What the auditor tests: Reviews CAR register for activity since certification. Checks whether improvement decisions from management reviews were implemented. May ask the ISMS Manager what the three most significant improvements in the past year have been.

Area of focus: Changes to the ISMS since certification
In scope: Always
Why it's in scope: Any significant organizational change, technology change, regulatory change, or scope change that has occurred since the last audit. The auditor tests whether ISMS documentation was updated and whether new risks were assessed.
What the auditor tests: 'Walk me through the significant changes to your organization since we last audited.' Expects: updated risk register entries, SoA updates, policy revisions, or documented confirmation that no changes affected the ISMS.

Area of focus: Sample of Annex A technical controls
In scope: Sampled
Why it's in scope: Surveillance auditors sample technical controls — typically the areas of highest risk or the areas where Stage 2 findings were made. MFA deployment completeness, vulnerability management, and access controls are frequently retested.
What the auditor tests: Requests current IAM report, latest vulnerability scan results, most recent access review records. May request live demonstration of a control's operation.

Area of focus: Security awareness program evidence
In scope: Sampled
Why it's in scope: Awareness training is frequently sampled at surveillance — it is one of the most commonly cited areas where post-certification discipline degrades. Phishing simulation results and training completion rates are requested.
What the auditor tests: Requests LMS completion report for all in-scope staff. Asks for phishing simulation results since certification. May interview a non-ISMS staff member.

Area of focus: Supplier security management
In scope: Sampled
Why it's in scope: Supplier management gaps are common at surveillance — new suppliers onboarded without security review, monitoring reviews not conducted, DPAs not updated when UU PDP compliance work progressed.
What the auditor tests: Checks supplier register currency. Verifies top 3 critical suppliers have been monitored since certification. Tests whether any new suppliers were onboarded with security review.

The four 'Always' areas in the table above — previous finding follow-up, Clause 9 performance monitoring, Clause 10 improvement activity, and changes since certification — are audited at every surveillance regardless of what else is in scope. Organizations that maintain these four areas well between audits will almost always have clean surveillance results, even if sampled areas show minor gaps.

Surveillance Preparation: The 6-Week Window

Surveillance preparation should not be a sprint — it should be the final confirmation that the post-certification calendar has been running successfully. The 6-week window before a surveillance audit is for verifying evidence currency and addressing any gaps found, not for constructing evidence from scratch. If 6 weeks before the audit the evidence library needs to be rebuilt, that signals the ISMS has not been operating as designed between audits.

The checklist below covers the four evidence and documentation areas that should be verified in the 6 weeks before surveillance:

Evidence currency (6 weeks before audit)

☐  Access review — at least 3 quarterly cycles evidenced since certification. Most recent completed within 90 days of audit.

☐  Vulnerability scans — at least 4 scans since certification. Most recent scan within 30 days of audit. Critical findings remediated within SLA.

☐  Security awareness training — 100% completion records for all in-scope staff, current policy version.

☐  Phishing simulations — at least 3 results since certification. Trend data showing improvement (or documented remediation plan if not).

☐  Incident log — active entries covering the full period since certification. No suspicious gap periods.

☐  Supplier monitoring records — all critical suppliers reviewed since certification. Most recent reviews within 12 months.

☐  Management review minutes — at least 1 since certification, all 8 Clause 9.3.2 inputs, decisions documented.

Corrective action closure

☐  All Stage 2 NCs closed with evidence and CB confirmation received.

☐  All internal audit NCs raised since certification: closed or have an active resolution plan with target date.

☐  CAR register is current — no stale open items without documented status.

☐  Any NCs from previous surveillance audit (if Year 2 prep): closed with evidence.

ISMS documentation currency

☐  IS Policy — current version, CEO signature, review date not lapsed.

☐  Risk register — updated since certification to reflect any organizational or regulatory changes.

☐  SoA — implementation status entries current, consistent with actual control deployment.

☐  All supporting policies — review dates current, no overdue reviews.

☐  Document register — matches actual documents in ISMS library. No phantom or missing entries.

Change documentation

☐  All significant changes since certification documented: organizational, technology, regulatory.

☐  ISMS documentation updated for changes: risk register, SoA, scope statement, context analysis as applicable.

☐  Any new regulations affecting scope or controls reflected in policies and context analysis.

☐  New suppliers onboarded since certification: security review documented, DPA in place if personal data processed.

The 'constructed evidence' signal: Experienced surveillance auditors look for patterns that indicate evidence was constructed for the audit rather than collected as a byproduct of operations. Key signals: all quarterly access reviews completed in the same week, all management review minutes from the same date, vulnerability scans clustered in the month before the audit, phishing simulations with no results until the week before the audit. Evidence that tells a consistent story across 12 months — quarterly reviews at quarterly intervals, monthly monitoring records with monthly dates — signals genuine operational discipline.
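One way to automate both the evidence currency checklist above and the date-clustering signal just described, as an added Python example (not code from the article or the Bitlion platform): the count and recency thresholds come from the checklist, while the sample evidence dates, the expected intervals and the clustering ratios are constructed assumptions.

```python
from datetime import date
from statistics import mean, pstdev

# Per-control expectations. min_count and max_age_days follow the 6-week
# checklist; interval_days is an assumed operating cadence used for the
# clustering test (quarterly reviews, monthly scans, ~3 simulations a year).
EXPECTATIONS = {
    "access_review": dict(min_count=3, max_age_days=90, interval_days=91),
    "vuln_scan":     dict(min_count=4, max_age_days=30, interval_days=30),
    "phishing_sim":  dict(min_count=3, max_age_days=None, interval_days=120),
}


def currency_problems(dates, audit_date, min_count, max_age_days, **_):
    """Return checklist failures: too few records, or the latest record too old."""
    problems = []
    if len(dates) < min_count:
        problems.append(f"only {len(dates)} records, need {min_count}")
    if dates and max_age_days is not None:
        age = (audit_date - max(dates)).days
        if age > max_age_days:
            problems.append(f"latest record {age} days old, limit {max_age_days}")
    return problems


def cadence_signal(dates, interval_days, **_):
    """Classify the date pattern of a periodic control's evidence:
    'regular'      - gaps close to the expected interval (operational discipline)
    'clustered'    - records bunched together (the constructed-evidence signal)
    'irregular'    - spread out but with widely varying gaps
    'insufficient' - fewer than three records, no pattern to judge."""
    if len(dates) < 3:
        return "insufficient"
    ds = sorted(dates)
    gaps = [(b - a).days for a, b in zip(ds, ds[1:])]
    # Assumed threshold: any gap under a quarter of the expected interval means
    # two records of a periodic control were produced almost together.
    if min(gaps) < interval_days / 4:
        return "clustered"
    # Assumed threshold: coefficient of variation above 0.5 is not a cadence.
    if pstdev(gaps) / mean(gaps) > 0.5:
        return "irregular"
    return "regular"


def assess(evidence, audit_date, expectations=EXPECTATIONS):
    """Run both checks for every expected control; missing controls count as empty."""
    return {
        control: {
            "problems": currency_problems(evidence.get(control, []), audit_date, **rule),
            "cadence": cadence_signal(evidence.get(control, []), **rule),
        }
        for control, rule in expectations.items()
    }


# Constructed sample evidence (not from the article): surveillance audit on
# 2025-01-20, roughly a year after certification.
AUDIT = date(2025, 1, 20)
SAMPLE = {
    # quarterly reviews at quarterly intervals -> current and regular
    "access_review": [date(2024, 3, 28), date(2024, 6, 27), date(2024, 9, 30), date(2024, 12, 19)],
    # four scans, all in the month before the audit -> passes currency, but clustered
    "vuln_scan": [date(2024, 12, 23), date(2025, 1, 2), date(2025, 1, 9), date(2025, 1, 15)],
    # only two simulations -> too few to satisfy the checklist or to judge cadence
    "phishing_sim": [date(2024, 2, 14), date(2024, 6, 3)],
}

if __name__ == "__main__":
    for control, result in assess(SAMPLE, AUDIT).items():
        print(f"{control}: {result}")
```

The vuln_scan case is the one the note above warns about: every currency box is ticked, yet the dates show the scans were run for the audit rather than monthly.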

The Most Common Surveillance Audit Findings

The findings most frequently identified at first-cycle surveillance audits cluster around four patterns — each representing a form of post-certification ISMS discipline degradation:

Controls operational at certification, degraded by Year 1

The most common surveillance finding. MFA deployed for all accounts at Stage 2, but three new staff members onboarded since certification have no MFA. Quarterly access reviews conducted for Q1 and Q2 but missing for Q3. Vulnerability scanning run monthly before Stage 2 and quarterly since. These degradations are typically not deliberate — they reflect processes that were established for certification but not embedded as genuinely operational.

Prevention: Every control must have a defined owner and a calendar trigger. Controls that run on demand — at someone's initiative when they remember — will be the controls that degrade. Controls that run automatically on schedule, with notifications when they are overdue, are the controls that survive post-certification.

Management review conducted but not documented adequately

The management review occurred — attendees can confirm — but the minutes are sparse, do not cover all 8 Clause 9.3.2 inputs, or record discussion without decision language. The management review is confirmed as 'done' but the documented evidence does not satisfy Clause 9.3.

Prevention: Use the management review template from Article 2.7 for every review. Require the ISMS Manager to confirm all 8 inputs are covered before closing the meeting. Minutes should contain decisions, not summaries.

Risk register not updated for organizational changes

The organization launched two new products, migrated to a new cloud platform, and added 40 new staff since certification. The risk register reflects the organizational profile from Stage 2 eighteen months ago. Surveillance auditor probes: 'walk me through the significant changes since your last audit and show me how they are reflected in the risk register.'

Prevention: Risk register review is a standing item on the ISMS steering committee monthly agenda. Any significant change triggers a targeted risk assessment update. Do not wait for the annual risk assessment cycle.

Internal audit findings not driving genuine corrective action

Internal audit reports show findings, corrective actions are documented, CARs are marked closed — but the same finding types appear at surveillance. Root cause analysis was shallow. Corrective actions addressed symptoms. The corrective action program is producing paperwork, not improvement.

Prevention: Apply the three-layer corrective action structure from Article 4.4 — immediate remediation, systemic fix, ongoing detection — to every internal audit finding. Test effectiveness before closing CARs.

Recertification: How It Differs from Initial Certification

The recertification audit at Year 3 is a full re-audit. Unlike surveillance audits (which sample), recertification covers the entire ISMS scope. But it is not identical to the initial certification — auditors come with three years of context about the organization, previous audit history, and an expectation of ISMS maturity, not just ISMS existence.

Dimension: Audit scope
Initial certification: Full scope — designed to verify that the ISMS has been built correctly.
Recertification: Full scope — designed to verify that the ISMS has continued operating effectively over three years.

Dimension: Primary auditor focus
Initial certification: Does this ISMS meet ISO 27001 requirements? Is it adequately designed? Is it ready to operate?
Recertification: Has this ISMS been consistently operating? Has it improved? How has it responded to changes in context, threats, and business?

Dimension: Stage 1 documentation review
Initial certification: Detailed review of all ISMS documents — CB is seeing them for the first time.
Recertification: Focused review of changes since last certification and updates to key documents. Auditor already knows the baseline from previous audits.

Dimension: Stage 2 evidence testing
Initial certification: Auditor verifies that controls exist and are implemented — looking for evidence of initial deployment.
Recertification: Auditor verifies that controls have been operating continuously — looking for a pattern of evidence over the full three-year period, not just recent activity.

Dimension: Findings expected
Initial certification: Minor NCs typical — first-cycle implementations almost always have some gaps. Major NCs preventable with good preparation.
Recertification: Fewer NCs expected if ISMS has been genuinely operated. Findings at recertification often relate to areas that degraded quietly during the cycle.

Dimension: What most commonly fails
Initial certification: Missing management review, incomplete risk assessment, SoA justification gaps.
Recertification: Controls that were implemented for initial certification and then degraded — quarterly reviews with gaps, documentation that drifted from operational reality, risk register not updated for organizational changes.

Dimension: Typical audit duration
Initial certification: 2–5 days depending on scope complexity.
Recertification: 2–4 days — slightly shorter than initial Stage 2 because the CB already knows the organization and its ISMS structure.

Dimension: Pre-audit preparation
Initial certification: Full documentation package assembly, staff briefing, evidence library construction from scratch.
Recertification: Evidence library update — filling gaps, refreshing stale records, ensuring the last 36 months tell a consistent story of operational discipline.

The maturity expectation at recertification: At initial certification, auditors verify the ISMS was built. At recertification, they verify it has been operating. The question shifts from 'does this control exist?' to 'has this control been consistently operating for three years?'. An organization that can demonstrate a consistent three-year pattern of quarterly access reviews, monthly vulnerability scans, annual risk assessments, and improving phishing simulation results will be significantly better positioned at recertification than one that can only demonstrate activity in the 6 months before the audit.

The ISMS Maturity Progression Across Certification Cycles

Each recertification cycle represents an opportunity to genuinely mature the ISMS — not just maintain it. The maturity progression below describes what a well-managed ISMS looks like at each stage of its lifecycle, and what the growth focus should be for each cycle:

Cycle 1 (Year 0–3): Foundation

ISMS characteristics: ISMS is built from scratch and first certified. Controls are implemented to meet requirements. Management system infrastructure (governance, audit program, monitoring) is established. Some controls may be partially implemented at certification.

Growth focus: closing implementation gaps, operationalizing controls, building evidence collection habits, improving management engagement.

Typical audit findings: Minor NCs in documentation completeness, process consistency, and evidence retention. Management review and internal audit quality improving but not yet fully mature.

Cycle 2 (Year 3–6): Maturation

ISMS characteristics: ISMS is embedded in organizational operations. Controls are fully deployed and consistently evidenced. Risk register reflects organizational changes and evolving threat landscape. Internal audit program producing meaningful findings that drive genuine improvement.

Growth focus: improving control effectiveness (not just existence), advancing the internal audit program, integrating ISMS with business processes, extending scope to cover more of the organization.

Typical audit findings: Fewer NCs, more observations. Findings shift from 'not done' to 'could be done better'. Auditors test operational consistency and improvement trends.

Cycle 3+ (Year 6+): Optimization

ISMS characteristics: ISMS is a mature management system, integrated into how the organization operates. Threat intelligence feeds risk assessments proactively. Controls are automated where possible. ISMS improvement is continuous, not audit-driven.

Growth focus: integration with ISO 22301 (BC), ISO 42001 (AI governance where applicable), advanced analytics for risk management, consideration of becoming an ISMS thought leader or training provider.

Typical audit findings: Mainly observations. Auditors recognize the organization as a mature ISMS operator. Positive findings (best practice recognition) become more frequent.

The transition from Cycle 1 to Cycle 2 is the most significant. In Cycle 1, the ISMS is being built and established — it is an achievement to have it certified and operational. In Cycle 2, the question is whether it has genuinely become part of how the organization operates, or whether it remains a parallel compliance program that exists alongside rather than within normal business operations. The organizations that make this transition well are those that have integrated ISMS activities into business processes: security reviews in procurement, security gates in development, security onboarding in HR, risk owner responsibility in business management.

Recertification Preparation Timeline

Recertification preparation is most effectively approached as a 6-month structured program, not a sprint in the final weeks before expiry. The timeline below maps the preparation activities across the six months before expiry:

Month 30–33 (6–3 months before expiry)
  • Confirm recertification audit date with CB — book well in advance, as CBs have lead times
  • Conduct a full internal audit covering all clauses and all major Annex A domains
  • Address all internal audit findings — major NCs must be closed before recertification
  • Update risk register to reflect the current threat landscape and organizational state
  • Review and update all ISMS policies and procedures — confirm all review dates are current
  • Prepare a three-year ISMS evidence narrative: what has improved since initial certification?
Month 33–35 (3–1 months before expiry)
  • Conduct pre-recertification management review — all 8 Clause 9.3.2 inputs, improvement decisions documented
  • Evidence dry run — retrieve evidence for every applicable SoA control from the last 12 months
  • Verify SoA implementation status is current — update any controls that changed status during the cycle
  • Review corrective action register — all open items have active resolution plans with target dates
  • Brief executive sponsor on the recertification process and what to expect in management interview
  • Organize evidence library by clause and Annex A domain — auditor will want fast access
Month 35–36 (Final weeks before audit)
  • Submit Stage 1 documentation package to CB (if CB conducts a Stage 1 review for recertification)
  • Address any Stage 1 findings before Stage 2
  • Brief all interview subjects — ISMS Manager, CEO/sponsor, IT lead, HR, non-IT staff
  • Confirm logistics — venue, system access, evidence sharing approach
  • Confirm all NCs from previous surveillance audits are closed and evidence is accessible
  • Final check: are there any significant changes since the last surveillance that have not been documented in the ISMS?

The most important single activity in recertification preparation is the full internal audit at Month 30–33. This audit should be as rigorous as the audit that would precede the initial certification — covering all clauses and all major Annex A domains. Findings from this audit should be addressed before the recertification audit begins. An organization that enters recertification with open internal audit findings signals that the corrective action process is not functioning effectively.

Bitlion recertification module: Bitlion's platform tracks the three-year certification cycle with automated milestone notifications — surveillance audit preparation reminders at 8 and 6 weeks before each audit, recertification preparation alerts starting 6 months before expiry, and document review date tracking across the full policy suite. The evidence readiness dashboard shows which controls have current evidence and which have stale or missing records — allowing organizations to address gaps progressively rather than discovering them in the final weeks before audit.

The Long-Term Value of a Maintained Certificate

An ISO 27001 certificate that is actively maintained — through genuine ISMS operation, consistently passing surveillance audits, and maturing through recertification cycles — accumulates credibility over time that newly certified organizations cannot replicate.

Clients who have seen the certificate maintained through multiple surveillance cycles know that the certification is not a one-time documentation exercise — it reflects an organization that has been managing information security systematically for years. Regulators who have seen the certificate maintained understand that the management system is operational, not nominal. And within the organization itself, a multi-cycle certified ISMS represents genuine institutional investment in security management — the kind of investment that attracts security-conscious staff, reduces security incident frequency, and builds the culture that makes every subsequent certification cycle more natural than the last.

The certificate is renewed every three years. The ISMS is built for far longer.