Short answer: After initial ISO 27001 certification, the certification body runs a surveillance audit in year one and year two of the three year cycle. Each is lighter than the original Stage 2, samples part of the ISMS, and always checks the mandatory elements: internal audit, management review, corrective actions and changes. They confirm the system is still live and improving.
Certification is not the finish line. ISO 27001 runs on a three year cycle, and between the initial audit and the year three recertification are two surveillance audits. Teams that treat the certificate as a one off often meet the year one surveillance underprepared, because the ISMS went quiet the day the certificate arrived. This covers what surveillance audits check and how to stay ready.
What is an ISO 27001 surveillance audit?
A surveillance audit is a periodic check by your accredited certification body to confirm the ISMS you certified is still operating and continues to conform. It happens in years one and two of the three year cycle, after the initial Stage 1 and Stage 2 certification audit.
It is deliberately lighter than the certification audit. Rather than re examining every control, the auditor samples part of the ISMS, always including the mandatory management elements, and checks that the system has kept running between visits. The requirement is in ISO/IEC 17021-1, the standard certification bodies are accredited against, not in ISO 27001 itself. The logic is simple: certification proves the system worked once; surveillance proves it keeps working. A certificate stays valid across the three years only if the surveillance audits confirm the ISMS is alive, so they are the mechanism that keeps certification meaningful.
What do the ISO 27001 year 1 and year 2 surveillance audits cover?
Both cover a sample of the ISMS plus a fixed set of mandatory elements. The certification body spreads control coverage across the cycle, so year one and year two look at different parts, and between them plus recertification the whole system is covered.
| Always covered each surveillance | Sampled across the cycle |
|---|---|
| Internal audit results | A rotating selection of Annex A controls |
| Management review outputs | Parts of the ISMS not examined last visit |
| Corrective actions and prior findings | Evidence of control operation |
| Changes since the last audit | High risk or recently changed areas |
| Use of the certification mark and logo |
The mandatory elements appear every time because they are the pulse of the management system. If the internal audit did not run or the management review never happened, the ISMS has stopped, and no amount of control evidence covers that. Prior findings are checked for closure, which is why unresolved nonconformities carry forward and compound.
How do ISO 27001 surveillance audits differ from certification and recertification?
Scope and depth are the difference. The initial certification audit tests the whole ISMS across two stages. A surveillance audit samples part of it. The year three recertification audit is broader than surveillance, reassessing the whole system to renew the certificate, though usually lighter than the original Stage 2 because the system is established.
Audit effort scales with the number of people in your ISMS scope under ISO/IEC 27006-1, and surveillance audits are allocated fewer days than the initial or recertification audits. So the cadence across the cycle runs: a heavier initial certification, a lighter surveillance in year one, a lighter surveillance in year two, then a fuller recertification in year three that starts the next cycle. Each has a different purpose, and preparing for a surveillance audit as if it were a full recertification wastes effort, while treating recertification as just another surveillance under prepares you.
Can you fail an ISO 27001 surveillance audit?
Not in the pass or fail sense of the initial audit, but a surveillance audit can raise nonconformities you must correct, and a serious one can cost you the certificate. Most surveillance audits end in minor findings and corrective actions rather than loss of certification.
A minor nonconformity is a single lapse against a requirement otherwise met; you submit a corrective action plan and it is verified, often at the next visit. A major nonconformity, a requirement absent or broken down, is more serious: unresolved, it can lead the certification body to suspend or ultimately withdraw the certificate. The common trigger is an ISMS that stopped running, no internal audit, no management review, findings from last year still open. Keep the mandatory elements current and surveillance audits stay routine. Let them lapse and a surveillance audit is where it surfaces.
How do you prepare for an ISO 27001 surveillance audit?
Keep the system running, do not revive it. The single best preparation is an ISMS that operated all year: an internal audit completed, a management review held, prior findings closed, and the day to day records the controls generate kept current.
Ahead of the visit, confirm the mandatory elements are done and evidenced, check that changes since the last audit, new systems, new suppliers, scope changes, are reflected in the risk assessment and Statement of Applicability, and make sure prior nonconformities are demonstrably closed. The organisations that struggle are those that let the ISMS go dormant after certification and scramble the week before. A management system run continuously needs little special preparation, which is the point. The ISO 27001 guide covers the full certification and maintenance cycle, and the ISO 27001 readiness checklist is a practical reference ahead of any audit. Cybernion helps organisations maintain ISO 27001 between audits so surveillance stays uneventful.
Frequently asked questions
What is an ISO 27001 surveillance audit?
A surveillance audit is a lighter check the certification body runs in years one and two of the three year cycle, after initial certification, to confirm the ISMS is still operating and improving. It samples part of the system rather than auditing the whole thing.
How often are ISO 27001 surveillance audits?
Once a year, in years one and two of the three year cycle. Year three is a fuller recertification audit rather than a surveillance audit. So the pattern is certification, surveillance, surveillance, recertification.
Can you fail an ISO 27001 surveillance audit?
You can raise nonconformities that must be corrected, and a serious unresolved major nonconformity can lead to the certificate being suspended or withdrawn. Most surveillance audits result in minor findings and corrective actions rather than loss of certification.
What does an ISO 27001 surveillance audit cover?
A sample of the ISMS, always including the mandatory elements: internal audit, management review, corrective actions, use of the mark, and any changes since the last visit. It does not re examine every control every year; coverage is spread across the cycle.
How do you prepare for an ISO 27001 surveillance audit?
Keep the ISMS running between visits, complete your internal audit and management review, close prior findings, and have current records ready. The organisations that struggle are the ones that let the system go quiet after certification and revive it the week before.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ISO/IEC 27001:2022, Information security management systems, iso.org, 2022
- ISO/IEC 17021-1:2015, Conformity assessment, requirements for bodies providing audit and certification of management systems, iso.org, 2015
- ISO/IEC 27006-1:2024, Requirements for bodies providing audit and certification of ISMS, iso.org, 2024
Last updated: 3 July, 2026