ISO 27001 · Article

Preparing for your surveillance audit

Certification is not the finish line. ISO 27001 brings surveillance audits in the years that follow — and the teams that treat them as routine are the ones that kept their evidence warm.

An ISO 27001 certificate runs on a three-year cycle: a certification audit, then surveillance audits — typically annual — to confirm the ISMS is still operating, with recertification at the end. Surveillance audits are lighter than the first audit, but they are not optional and they are not a formality.

The organisations that find them painless are simply the ones whose ISMS kept running after the certificate arrived. The ones that scramble let it go quiet for eleven months.

What a surveillance audit is

It is a sampled check that your ISMS is alive: that you are managing risks, running your controls, handling incidents and improving. The auditor does not re-examine everything — they probe a selection and look for evidence of continuity.

”A surveillance audit tests whether your ISMS is a living system or a certificate on the wall.”

What auditors look at

  • Management reviews and internal audits actually happened.
  • Risk assessment and the Statement of Applicability are current.
  • Corrective actions from last time were closed.
  • Core controls — access, change, incident — show ongoing evidence.

Prepare without scrambling

Preparation should be confirmation, not creation. Check that the recurring activities — internal audit, management review, risk review — were done and recorded on schedule, and that any open actions are closed.

Common pitfall

Recreating a year of management reviews the week before. Auditors recognise back-dated evidence instantly. Cadence is the point — run the activities when they are due.

Keep evidence warm

The difference between a calm audit and a frantic one is whether evidence accrued continuously. When access reviews, logs and approvals are captured as they happen, the audit is a matter of pulling what already exists. A continuous evidence layer turns this into a non-event.

The day itself

Have your ISMS owner present, your documents indexed, and your evidence reachable in a click. Answer plainly, show the artefact, and treat findings as improvements rather than failures — continual improvement is itself a requirement of the standard.

Key takeaways

  • Surveillance audits confirm your ISMS keeps operating between certifications.
  • Auditors sample: management reviews, risk/SoA currency, closed actions, live controls.
  • Run recurring activities on cadence — never reconstruct them late.
  • Continuous evidence makes the audit a confirmation, not a scramble.

Want surveillance audits to be routine? Book a 30-minute demo.

This article is general guidance, not legal advice. Verify obligations and deadlines for your organisation with qualified counsel.

ISO 27001AuditISMS
Put it into practice

Make every audit
a routine one

Book a 30-minute demo and we will keep your ISMS evidence audit-ready between reviews.