Getting ISO 27001 certified is a significant achievement. But certification is not a one-time event — it is the beginning of a three-year certification cycle that includes annual surveillance audits and a full recertification audit at the end. Many organisations focus intensely on getting certified and then lose momentum, only to find themselves scrambling in the weeks before their first surveillance audit.
This guide explains exactly what a surveillance audit involves, what your auditor will be looking for, and how to stay audit-ready throughout the certification cycle without it becoming a burden.
What is a surveillance audit?
A surveillance audit is an annual check conducted by your certifying body to verify that your Information Security Management System is still operating effectively and that your organisation continues to meet the requirements of ISO 27001.
Unlike the initial certification audit, a surveillance audit does not cover every element of the standard. It is a targeted review designed to confirm that the ISMS is being maintained and improved, that any nonconformities from the previous audit have been addressed, and that there have been no significant changes that would affect your certification.
Surveillance audits are shorter than certification audits — typically one to two days depending on the size and scope of your ISMS — and less intensive. But they should not be treated as a formality. Auditors can and do raise nonconformities at surveillance audits, and a major nonconformity can put your certification at risk.
When does a surveillance audit happen?
ISO 27001 certification is valid for three years. During that period you will typically have two surveillance audits — one at around twelve months after certification and one at around twenty-four months. At the end of the three-year cycle you undergo a full recertification audit, which reassesses your ISMS against all requirements of the standard.
The exact timing varies by certifying body. Some schedule surveillance audits on the anniversary of your certification date, others build in a window of a few weeks either side. Check your certification agreement for the specific schedule.
What does a surveillance audit cover?
While the scope of a surveillance audit is narrower than a full certification audit, there are certain areas that auditors will always review.
Internal audit results
Your auditor will want to see evidence that you have conducted at least one internal audit of the ISMS since your last external audit. This is a mandatory requirement of ISO 27001 and one of the first things auditors check. If you have not conducted an internal audit you will receive a nonconformity.
The auditor will review your internal audit records — the audit plan, the audit findings, and evidence that any nonconformities identified have been addressed. They are looking for a genuine audit that tested whether controls are working, not a paper exercise.
Management review
You must also have conducted at least one management review since your last external audit. This is the formal meeting where senior leadership reviews the performance of the ISMS, considers changes to the organisation and its context, and makes decisions about resources and improvements.
Your auditor will review the minutes of your management review and check that it covered the required agenda items — audit results, risk assessment updates, performance against objectives, and any significant changes to the business.
Risk assessment and risk register
Your risk register must be current. The auditor will check that you have reviewed and updated your risk assessment since the last audit and that the risk register reflects the current state of your organisation. New risks should have been identified and assessed. Existing risks should have been reviewed to check that the treatment measures are still appropriate.
If your organisation has undergone significant changes — new systems, new services, new suppliers, acquisitions, restructuring — and your risk register has not been updated to reflect those changes, this will be a finding.
Statement of applicability
Your Statement of Applicability should be reviewed and updated at least annually. The auditor will check that it remains accurate — that controls you have marked as implemented are genuinely in place, and that any changes to scope or context have been reflected in the document.
Objectives and performance measurement
ISO 27001 requires you to set information security objectives and measure your performance against them. Your auditor will review what objectives you set, how you measured them, and what you did with the results. Objectives that were set and never reviewed, or performance that was never measured, will attract scrutiny.
Sample of controls
The surveillance auditor will select a sample of Annex A controls to review in depth. They will not review all 93 controls — that is what the certification and recertification audits are for — but they will pick areas based on their knowledge of your ISMS, the findings from previous audits, and any changes to your organisation.
Common areas auditors focus on during surveillance audits include access controls, particularly how you manage joiners, movers, and leavers. Patch management and vulnerability management are frequently tested because they require consistent ongoing action rather than one-time implementation. Supplier management is increasingly scrutinised as supply chain risk has grown in prominence.
Previous nonconformities
Any nonconformities raised at your certification audit or previous surveillance audits must be closed before your surveillance audit. Your auditor will check the status of these and verify that the corrective actions taken have been effective. An unresolved nonconformity from a previous audit will be treated seriously.
Significant changes
Your auditor will ask whether there have been any significant changes to your organisation, your systems, or your operating environment since the last audit. Significant changes might include moving to cloud infrastructure, acquiring another business, launching a new product or service, changing key personnel, or experiencing a security incident.
If significant changes have occurred, the auditor will want to understand how they were managed within the ISMS — whether a change impact assessment was conducted, whether the risk register was updated, and whether any controls needed to be added or modified.
What auditors are really looking for
Beyond the specific checklist items, experienced auditors are assessing whether your ISMS is alive or whether it has become a set of documents that nobody looks at between external audits. The signs of a live ISMS are easy to spot — a risk register that has been updated during the year, internal audit findings that reflect genuine testing, management review minutes that show real discussion, corrective actions that were followed through.
The signs of a dormant ISMS are equally obvious — a risk register unchanged since certification, internal audit findings that are suspiciously clean, management review minutes that look like they were written in the week before the audit, and staff who cannot explain what the ISMS policies say.
Auditors are experienced professionals who have seen both. The organisations that sail through surveillance audits are those that treat the ISMS as a genuine management tool throughout the year, not as a compliance exercise that gets dusted off before each audit.
How to prepare for a surveillance audit
The best preparation for a surveillance audit is to maintain your ISMS properly throughout the year rather than preparing intensively in the weeks before. That said, there are practical steps worth taking in the month before your audit.
Review your risk register and update it if anything has changed. Check that all planned risk treatment actions have been completed or have a documented reason for being deferred. Confirm that your internal audit has been conducted and that findings have been addressed. Review the minutes of your management review and check they cover all the required items. Pull together your evidence for the control areas most likely to be sampled — access control, patch management, supplier assessments.
Brief the people who will be interviewed. Auditors talk to staff, not just the ISMS owner. The people responsible for key control areas — IT, HR, finance, operations — should know what the relevant policies say and be able to describe how they work in practice.
Make sure any outstanding nonconformities from previous audits are closed, with documented corrective actions and evidence of effectiveness.
Staying audit-ready year-round
The organisations that find surveillance audits least stressful are those that build ISMS maintenance into their regular operating rhythm rather than treating it as a separate annual project. This means reviewing and updating the risk register quarterly, collecting evidence as controls are operated rather than retrospectively, scheduling the internal audit and management review well in advance, and maintaining the ISMS documentation as the business changes.
Managing this on spreadsheets is possible when you have a small, simple ISMS. As your organisation grows, as you add more controls, more suppliers, and more systems, the administrative overhead of manual ISMS management grows with it.
SnapGRC is designed to keep you audit-ready throughout the year rather than just at audit time. The platform maintains your risk register, tracks control status, stores evidence against each control, manages supplier assessments, distributes policies for acknowledgement, and gives you a live view of your compliance posture at any point. When your surveillance auditor arrives, the evidence pack is already assembled. Book a free demo to see how it works, or explore our compliance knowledge base for more ISO 27001 guides.