ISO 27001 Surveillance Audits: What Your First Year of Maintenance Actually Involves

October 9, 2025

ISO 27001 certification is not a one-time achievement. It is the beginning of a three-year certification cycle that includes surveillance audits in years one and two and a recertification audit at the end of year three. Most of the guidance written about ISO 27001 focuses almost entirely on achieving initial certification. Very little covers what happens next, which leaves newly certified organisations underprepared for what surveillance audits actually examine.

The common assumption is that surveillance audits are lighter-touch reviews, essentially a check that nothing has fallen over since certification. That assumption leads to organisations that certified in good shape drifting out of conformance within 12 months because maintenance was deprioritised once the certificate was in hand. Surveillance auditors are specifically looking for evidence of ongoing operation, not just documentation of what was in place at certification.

What Surveillance Audits Cover

Surveillance audits are conducted at least once per year during the certification cycle. The certification body determines which clauses and control areas to sample, and they will rotate the focus across the cycle to ensure the full ISMS is reviewed before recertification. A surveillance audit typically covers the organisation's internal audit programme, management review outcomes, corrective actions from the previous audit, changes to the scope or risk environment, and a sample of operational controls.

The operational control sample is where surveillance audits catch organisations that have been coasting. An auditor who asks to see six months of access review records, a change log from the past quarter, or evidence that vulnerability scanning is occurring on schedule will find out quickly whether the ISMS is being maintained or managed as a documentation exercise. The same evidence that was relevant at certification must continue to be generated and retained throughout the cycle.

What the First Year of Maintenance Actually Involves

In the first 12 months following certification, the ISMS maintenance programme should include a scheduled internal audit covering the areas not sampled during the certification audit, a management review with documented inputs and outputs, ongoing risk register updates to reflect any changes in the threat environment or business operations, and corrective action follow-up on any nonconformities or observations raised at certification.

It also involves the ongoing operational work that the ISMS documentation commits the organisation to: regular access reviews, vulnerability scanning and patching in line with policy, supplier assessments for new third parties, security awareness training for new staff, and testing of incident response and business continuity procedures. These activities generate the evidence that surveillance auditors look for. If the evidence is not being generated continuously, it cannot be manufactured retrospectively in the weeks before a surveillance audit.

Changes That Require ISMS Updates

Organisations that grow, change products, or expand into new markets after certification often underestimate how much those changes affect the ISMS. Adding a new cloud service provider, entering a new jurisdiction, hiring significantly, or launching a new product line can all change the risk profile in ways that require the risk assessment and Statement of Applicability to be updated. Surveillance auditors will ask about changes since the previous audit and review whether the ISMS has been updated to reflect them.

The ISMS is a living system, not a static document set. A management review process that genuinely considers changes to the organisation's context, emerging risks, and ISMS performance is what keeps the system current. Organisations that treat the management review as a formality and simply re-sign last year's outputs are accumulating technical debt that tends to surface at the worst possible time, which is during a surveillance audit or a customer security assessment.

Preparing for Surveillance Without Scrambling

The most effective approach to surveillance audit readiness is to treat ISMS maintenance as a scheduled operational activity rather than an audit preparation exercise. That means:

  • Scheduling internal audit activities quarterly or half-yearly rather than as a single annual event
  • Maintaining a corrective action register that is reviewed at each management review
  • Keeping the risk register updated as the business changes, not only at annual review time
  • Retaining evidence of operational controls continuously, not gathering it in the month before the audit
  • Assigning ISMS maintenance responsibilities to named owners, not leaving them with the person who led the implementation programme

We support a number of clients through the post-certification phase of their ISO 27001 programmes, providing internal audit services, management review facilitation, and ongoing advisory to keep ISMS maintenance on track. Organisations that invest in structured maintenance find their surveillance audits predictable and their recertification audits straightforward.

To discuss ongoing ISO 27001 maintenance support, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
GRC
Written by
Indra Gunawan
Head of Consulting
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?