Surveillance Audits — Maintaining Your Certification

What Surveillance Audits Really Are

Your ISO 27001 certificate is valid for three years, but your certification body doesn't just hand it over and walk away. It comes back to check on you, normally twice. These visits are called surveillance audits, and they fall at roughly 12 and 24 months after the certification decision. The first one is not optional timing: under the accreditation rules certification bodies work to (ISO/IEC 17021-1), it must take place no later than 12 months after the date of that decision.

Think of surveillance audits as progress reports. Your certification body wants to see that you're still running an actual Information Security Management System (ISMS)—the ongoing processes and controls that protect your business information—not just dusting off binders once a year.

These audits are smaller than your initial certification audit (typically about a third of the initial audit's duration, which for a small or mid-sized scope often means one to three days instead of a week), but they're not easier. They're designed to catch companies that celebrated getting certified, then let everything slide back to the old ways of working.

Why These Audits Matter for Your Business

Miss a surveillance audit, or fail to close the major nonconformities it raises within the certification body's deadline, and your certificate gets suspended; if the situation isn't resolved, it is withdrawn. Your customers lose confidence, contracts get put on hold, and you lose the competitive advantage that drove you to get certified in the first place.

But there's a bigger reason to care: surveillance audits force you to keep improving your security. The weaknesses that cause companies to fail these audits (unmanaged change, unreviewed risks, controls nobody checks) are the same weaknesses that lead to data breaches, lost customer trust, and regulatory fines. The companies that pass are building genuine resilience into their operations.

What Auditors Always Check

Every surveillance audit covers the same core areas, because the accreditation rules require them. Your auditor will examine:

  • Internal audits and management reviews—the regular health checks your organization and leadership team conduct on your security system
  • How you've fixed previous problems—auditors want evidence that you actually resolved the nonconformities they found before
  • Complaints about security—from customers or other interested parties, and how you've responded to them
  • Whether your security objectives are being met—the specific, measurable goals you set for protecting information
  • Progress on planned improvements—the continual-improvement actions you committed to, and whether they're moving
  • Ongoing control of your operations—proof that security is part of daily business, not an annual exercise
  • Changes to your business or systems—and how you've managed security through those changes
  • How you use the certification mark—references to your certified status in marketing, proposals, and contracts must match the actual scope of your certificate

Beyond these mandatory areas, auditors rotate through different parts of your ISMS over the three-year cycle. One year they might focus on access controls and employee training. The next year, they'll look at incident response and business continuity.

The Most Common Failures (And How to Avoid Them)

Internal Audits That Exist Only on Paper

This is one of the most common reasons companies fail surveillance audits. ISO 27001 (clause 9.2) requires an internal audit program—regular checks where someone in your organization examines how well your security controls are working and whether the ISMS still conforms to both the standard and your own requirements.

The failure pattern is predictable: companies create an audit schedule, then either don't execute it or go through the motions without actually examining anything. A one-page checklist with everything marked "compliant" isn't an audit—it's wishful thinking.

Your internal audits need to show real examination, documented findings (including problems you discover), and evidence that findings led to improvements. Auditors will also check that the program covers the whole ISMS scope over the cycle and that internal auditors are objective—nobody should be auditing their own work. If your internal audits never find anything wrong, that's not success—that's a red flag.

Management Reviews That Are Pure Theater

Your leadership team needs to regularly review how your ISMS is performing. This isn't optional—it's a requirement (clause 9.3), and the standard specifies what the review must take as input: the status of actions from previous reviews, changes in your internal and external context, security performance (nonconformities and corrective actions, monitoring and measurement results, audit results, progress against objectives), feedback from interested parties, risk assessment results and the status of the risk treatment plan, and opportunities for improvement. Yet many companies either skip management reviews entirely or hold superficial meetings that couldn't possibly inform real decisions.

One manufacturing company I know of had management review minutes that were identical across three consecutive quarters—word for word. When the auditor asked about specific security metrics and decisions, nobody could explain what had actually been discussed.

Real management review means your executives examining security performance data, discussing resource needs, and making decisions about priorities and investments. If your management review doesn't result in actual management decisions, you're doing it wrong.

Treating Corrective Actions Like Homework

When auditors find problems, you have to fix them. But many companies approach corrective actions like reluctant students doing homework—they do the minimum required to close the item, without addressing the underlying issue.

An effective corrective action doesn't just fix the immediate problem. The standard (clause 10) expects you to determine the cause, check whether the same nonconformity exists or could occur elsewhere, act to prevent recurrence, and then review whether the action actually worked. If the same types of issues keep appearing in successive audits, auditors will question whether you're really managing your ISMS or just playing compliance games.

How to Succeed at Surveillance Audits

The companies that consistently pass surveillance audits share common characteristics. They treat their ISMS as a business tool, not a compliance burden.

Make Internal Audits Useful

Conduct internal audits that actually help your business. Train your internal auditors properly, give them time to do real examinations, and act on their findings. Internal audits should be finding issues before external auditors do—that's the point.

Use Management Reviews for Real Management

Schedule management reviews when you can make actual decisions. Bring real performance data. Discuss what's working, what isn't, and what resources you need. Document decisions and follow through on them.

Keep Your ISMS Current

Update your risk assessments when your business changes. Revise procedures when processes evolve. Train new employees. Monitor security metrics regularly, not just before audits.

The goal isn't to impress auditors—it's to protect your business information and maintain customer confidence. Companies that focus on genuine security improvement find that surveillance audits become routine validation of work they're already doing.

Planning for Your Next Surveillance Audit

Start preparing for your surveillance audit the day after your last one ends. Track your internal audit findings, document management review decisions, and monitor progress on corrective actions.

When the audit notification and audit plan arrive, check which clauses and controls the plan names, and review what areas haven't been covered recently—those are likely candidates for examination. Gather evidence of ongoing ISMS operation and be ready to demonstrate real improvement since the last visit.

Remember: surveillance audits aren't designed to trick you or find hidden problems. They're checking whether you're maintaining the system that earned your certification in the first place. If you are, the audit confirms it. If you aren't, the audit helps you get back on track.

Have questions? Ask the IX ISO 27001 Info Hub

Need personalized guidance? Reach our team at ix@isegrim-x.com.
