An ISO 27001 certificate runs on a three-year cycle: a certification audit, then surveillance audits — typically annual — to confirm the ISMS is still operating, with recertification at the end. Surveillance audits are lighter than the first audit, but they are not optional and they are not a formality.
The organisations that find them painless are simply the ones whose ISMS kept running after the certificate arrived. The ones that scramble let it go quiet for eleven months.
What a surveillance audit is
It is a sampled check that your ISMS is alive: that you are managing risks, running your controls, handling incidents and improving. The auditor does not re-examine everything — they probe a selection and look for evidence of continuity.
What auditors look at
- Management reviews and internal audits actually happened.
- Risk assessment and the Statement of Applicability are current.
- Corrective actions from last time were closed.
- Core controls — access, change, incident — show ongoing evidence.
Prepare without scrambling
Preparation should be confirmation, not creation. Check that the recurring activities — internal audit, management review, risk review — were done and recorded on schedule, and that any open actions are closed.
Recreating a year of management reviews the week before. Auditors recognise back-dated evidence instantly. Cadence is the point — run the activities when they are due.
Keep evidence warm
The difference between a calm audit and a frantic one is whether evidence accrued continuously. When access reviews, logs and approvals are captured as they happen, the audit is a matter of pulling what already exists. A continuous evidence layer turns this into a non-event.
The day itself
Have your ISMS owner present, your documents indexed, and your evidence reachable in a click. Answer plainly, show the artefact, and treat findings as improvements rather than failures — continual improvement is itself a requirement of the standard.
Key takeaways
- Surveillance audits confirm your ISMS keeps operating between certifications.
- Auditors sample: management reviews, risk/SoA currency, closed actions, live controls.
- Run recurring activities on cadence — never reconstruct them late.
- Continuous evidence makes the audit a confirmation, not a scramble.
Want surveillance audits to be routine? Book a 30-minute demo.
This article is general guidance, not legal advice. Verify obligations and deadlines for your organisation with qualified counsel.