How Often Are ISO Certification Audits Conducted?

Team CertBetter

The Short Answer Most Businesses Get Wrong

When business owners ask how often ISO certification audits are conducted, most expect a simple answer like “once a year.” The reality is more structured than that, and understanding the full audit cycle will save you from nasty surprises, missed deadlines, and unnecessary costs.

ISO certification audits follow a three-year cycle. Within that cycle, there are different types of audits at different points. If you are new to certification or are preparing to get certified, knowing what is coming and when will help you plan your resources, your documentation, and your team's time far more effectively.

This article breaks down the full audit schedule, explains what happens at each stage, and gives you practical guidance on how to stay prepared throughout the certification lifecycle. Whether you hold ISO 9001, ISO 14001, ISO 45001, ISO 27001, or any other management system standard, the audit frequency structure is largely the same.

The Three-Year Certification Cycle

ISO certification is not a one-time event. When a certification body grants you ISO certification, that certificate is valid for three years. But that does not mean you simply wait three years and then get audited again. The certification body visits you every year within that cycle. Here is how it works.

Year One: The Initial Certification Audit

The initial certification audit is what most people think of when they hear “ISO audit.” It is the audit that results in your certificate being issued. But even the initial certification process involves two separate stages.

Stage 1 Audit (Documentation Review)

The Stage 1 audit may be conducted on-site or remotely and focuses on your documentation and readiness. The auditor reviews your management system documentation, checks that your scope is defined correctly, confirms that your key processes are documented, and assesses whether you are ready to proceed to Stage 2. If you want to know what to prepare for this stage, our article on 8 things to do before an ISO Stage 1 readiness audit covers this in detail.

Stage 2 Audit (Certification Audit)

The Stage 2 audit is the main event. This is where the auditor digs into your actual operations, interviews your team, reviews records, and assesses whether your management system is effectively implemented and conforming to the standard. Passing Stage 2 results in the recommendation for certification. We have also written a practical guide on 10 things to do before an ISO Stage 2 certification audit if you want to go into that audit well prepared.

The gap between Stage 1 and Stage 2 is typically a few weeks to a few months, depending on how many issues were identified in Stage 1 and how quickly your team can address them.

Year Two and Year Three: Surveillance Audits

Once you are certified, your certification body will conduct annual surveillance audits in years two and three of your three-year cycle. The first is normally due within 12 months of the certification decision, and the second roughly 12 months after that. These are sometimes called “surveillance visits” and they are shorter than the initial certification audit.

The purpose of surveillance audits is to confirm that your management system is still being maintained and improved. The auditor is checking that you have not let things slip since certification, that you are conducting internal audits and management reviews, that you are closing out corrective actions, and that the system continues to meet the requirements of the standard.

Surveillance audits typically cover a portion of your management system rather than the full scope. The certification body will plan these audits to ensure that all elements of your system are covered across the full three-year cycle. In any given surveillance audit, you might expect the auditor to focus on a selection of clauses, any areas where non-conformities were raised previously, and any significant changes to your business.

A common question is whether surveillance audits are mandatory. Yes, they are. Missing a surveillance audit without a valid reason can result in your certification being suspended or withdrawn. This is not a technicality that certification bodies overlook.

Year Three: Recertification Audit

At the end of the three-year cycle, you undergo a recertification audit. This is a more thorough review than a surveillance audit and is intended to confirm that your management system continues to meet all requirements of the standard and that you deserve to have your certificate renewed for another three years.

The recertification audit is often conducted in a single stage rather than two stages (unlike the initial certification), but this depends on the certification body and the complexity of your organisation. It is more comprehensive than a surveillance audit but generally less involved than the original Stage 1 and Stage 2 process, assuming your system has been well maintained.

If you pass the recertification audit, your certificate is renewed and the three-year cycle begins again with two more surveillance audits to follow.

How Audit Duration Is Determined

The number of days required for each audit is not arbitrary. Certification bodies follow accreditation requirements, particularly ISO/IEC 17021-1, which sets out the requirements for bodies providing audit and certification of management systems, together with the IAF mandatory documents on audit time that sit alongside it (for ISO 27001, audit time is governed by ISO/IEC 27006). Audit duration is calculated based on factors including the size of your organisation (number of employees), the complexity of your processes, the number of sites included in your scope, the risk profile of your industry, and whether you hold multiple certifications being audited together.

For a small business with 10 to 20 employees seeking ISO 9001 certification, the Stage 2 audit might be one or two days. Surveillance audits for the same business might be half a day to one day. For a large manufacturing operation with multiple sites and hundreds of employees, the audit programme will be considerably more involved.

If you want to understand what drives audit duration in more detail, our article on what determines how many audit days you need for ISO 9001 explains the calculation in plain language.

Special Circumstances That Change the Audit Schedule

The standard three-year cycle with annual surveillance audits applies in most cases, but there are situations that can alter the schedule.

Unannounced Audits

Some certification bodies and accreditation bodies require or allow for unannounced audits. These are less common in Australia but do occur, particularly in high-risk industries or where there have been previous compliance concerns. If your certification agreement includes the possibility of unannounced visits, you need to be prepared to receive an auditor without advance notice. This is a strong argument for maintaining your management system year-round rather than doing a last-minute scramble before scheduled audits.

Extraordinary Audits

Extraordinary audits can be triggered by significant changes to your organisation. If you acquire a new business, open a new site, change your core processes substantially, or experience a serious incident, your certification body may require an extraordinary audit to confirm that your management system still covers the changed scope and remains effective. These are in addition to your regular surveillance schedule.

Short-Notice Audits Following Complaints

If a serious complaint is raised about your certified operations, whether by a customer, a regulator, or another party, the certification body may conduct a short-notice audit to investigate. This is relatively uncommon but it does happen, particularly in industries where ISO certification carries significant regulatory or contractual weight.

Suspension and Reinstatement

If your certification is suspended, for example because you failed to close out major non-conformities within the required timeframe or missed a surveillance audit, a reinstatement audit will be required before your certificate is restored. The timeline for this depends on the certification body's procedures and the nature of the suspension.

Internal Audits: The Ongoing Commitment You Cannot Skip

Separate from the external audits conducted by your certification body, the ISO standards themselves require you to conduct internal audits of your management system. This is a requirement under the standard, not optional.

Internal audits need to be conducted at planned intervals, which in practice means at least once per year for most businesses, though many organisations conduct them more frequently. The purpose is to verify that your management system conforms to your own requirements and to the requirements of the standard, and that it is effectively implemented and maintained.

Internal audits are not a box-ticking exercise. Done properly, they are one of the most valuable tools you have for identifying problems before your external auditor does. If you want to get more out of your internal audit process, our article on how to run ISO internal audits that actually find problems gives you a practical framework.

Many small businesses struggle with internal audits because they do not have a dedicated quality manager or compliance team. If this sounds familiar, the key is to train a competent person internally or engage an external consultant to facilitate the internal audit process. Either way, the records need to be there when your external auditor arrives.

Management Reviews: Another Regular Commitment

Alongside internal audits, the standards require management reviews to be conducted at planned intervals. This is a formal meeting where top management reviews the performance of the management system and makes decisions about improvements, resources, and objectives.

Most organisations conduct management reviews annually, though some do them more frequently. The outputs of management reviews feed into your continual improvement process and are reviewed by your external auditor as evidence that leadership is engaged with the system. Thin or poorly documented management reviews are a common finding in surveillance audits.

Practical Tips for Staying Audit-Ready Year Round

One of the biggest mistakes businesses make after achieving ISO certification is treating it as a project that is now finished. Certification is not the finish line. It is the beginning of an ongoing commitment. Here is how to stay on top of it without it consuming your operations.

Keep a Certification Calendar

Map out your full three-year cycle from the date of your initial certification. Mark your surveillance audit windows, your internal audit schedule, your management review dates, and your recertification date. Share this calendar with anyone who has a role in maintaining the system. Surprises are far more costly than preparation.
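As an added example (not code from the original article or from CertBetter), the Python script below generates the calendar described above from a certificate issue date and flags anything overdue. It assumes the common anniversary-based model: first surveillance audit due no later than 12 months after the certification decision, second at 24 months, certificate expiring at 36 months. The recertification target at 33 months and the `lead_days` gap for holding the internal audit and management review before each external visit are planning assumptions, not rules from the standard; confirm the real due dates against your certification agreement.

```python
"""Generate a three-year ISO certification calendar and flag overdue milestones.

Added example, not from the original article. The due-date rules below are planning
assumptions (anniversary-based model); confirm them against your certification
body's agreement.
"""
from calendar import monthrange
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Shift a date by whole months, clamping the day to the target month's length
    (a certificate issued on 29 Feb has its anniversaries on 28 Feb)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def build_certification_calendar(cert_date: date, lead_days: int = 60) -> dict[str, date]:
    """Milestones for one cycle, keyed by name -> due date.

    Assumptions: surveillance audits at 12 and 24 months after the certification
    decision, expiry at 36 months, recertification audit targeted 3 months before
    expiry so findings can be closed in time. The internal audit and management
    review are planned `lead_days` before each external visit so their records
    exist when the auditor arrives.
    """
    s1 = add_months(cert_date, 12)
    s2 = add_months(cert_date, 24)
    recert = add_months(cert_date, 33)
    expiry = add_months(cert_date, 36)
    lead = timedelta(days=lead_days)
    return {
        "internal_audit_and_review_1": s1 - lead,
        "surveillance_1_due": s1,
        "internal_audit_and_review_2": s2 - lead,
        "surveillance_2_due": s2,
        "internal_audit_and_review_3": recert - lead,
        "recertification_audit_target": recert,
        "certificate_expiry": expiry,
    }


def overdue_milestones(cal: dict[str, date], completed: set[str], today: date) -> list[str]:
    """Names of milestones whose due date has passed without being marked complete,
    earliest first. An overdue surveillance audit is the case that leads to suspension."""
    late = [(due, name) for name, due in cal.items() if name not in completed and due < today]
    return [name for _, name in sorted(late)]


def days_until(cal: dict[str, date], name: str, today: date) -> int:
    """Days remaining until the named milestone (negative once it has passed)."""
    return (cal[name] - today).days


if __name__ == "__main__":
    # Constructed sample: certificate issued on a leap day, first year's work done.
    cal = build_certification_calendar(date(2024, 2, 29))
    for name, due in cal.items():
        print(f"{due.isoformat()}  {name}")
    done = {"internal_audit_and_review_1", "surveillance_1_due"}
    print("overdue on 2026-03-15:", overdue_milestones(cal, done, date(2026, 3, 15)))
```

Run it with your own certification date and keep the `completed` set updated as each audit and review is closed out; anything reported by `overdue_milestones` is a conversation to have with your certification body before they have it with you.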

Close Out Non-Conformities Promptly

When your auditor raises a non-conformity, whether minor or major, you have a defined timeframe to address it. Minor non-conformities typically need to be closed within 90 days. Major non-conformities carry tighter deadlines and can put your certification at risk if not addressed. Do not leave these sitting in a spreadsheet. Assign ownership, set deadlines, and verify effectiveness. If you want to understand the formal process for challenging a finding you believe is incorrect, our article on what is the formal process for disputing an ISO audit finding is worth reading.

Maintain Your Documentation Continuously

One of the most common issues auditors find during surveillance visits is documentation that has not been updated to reflect changes in the business. If you have changed a process, updated a procedure, hired new staff into key roles, or changed your suppliers, your documentation needs to reflect that. A management system that does not match how you actually operate is a significant non-conformity waiting to happen.

Do Not Rely on Your Consultant to Run the System

Some businesses engage a consultant to help them achieve certification and then expect that same consultant to keep the system alive. This is a risk. The standard requires your organisation to own and operate the management system. If an auditor finds that your team cannot explain how the system works without calling the consultant, that is a problem. Consultants are valuable for gap analysis, audit preparation, and advice, but the system needs to be genuinely embedded in your operations.

What Happens If You Miss a Surveillance Audit?

Life happens. Businesses face disruptions, staff changes, and unexpected events. If you are approaching a surveillance audit date and you are not ready, or if circumstances make the scheduled date impossible, contact your certification body as early as possible. Most certification bodies have some flexibility in scheduling, particularly for genuine operational reasons.

However, there are limits. Accreditation requirements mean that certification bodies cannot simply defer surveillance audits indefinitely. If a surveillance audit is not conducted within the required window, the certification body is obliged to suspend the certificate. Suspension is recorded and visible, which can have real consequences if your clients or tender requirements depend on active certification status.

If your certificate is suspended, you will need to demonstrate that the issues have been resolved and undergo a reinstatement audit before the certificate is restored. In some cases, if the suspension continues beyond a certain point, the certificate may be withdrawn entirely, requiring you to start the process again.

Choosing a Certification Body That Communicates the Schedule Clearly

Not all certification bodies are equally good at keeping clients informed about their audit schedule, upcoming visits, and what to expect. Before you sign a certification agreement, ask the certification body to walk you through the full three-year audit programme, what each audit involves, how much notice you will receive, and what the costs look like across the cycle.

If you are comparing certification bodies or looking for one that fits your business, our article on 10 steps to select the best ISO certification body gives you a structured approach to making that decision.

If you are at the stage of getting quotes and comparing options, CertBetter makes this straightforward. You submit one form and receive up to three competing quotes from verified ISO certification bodies and consultants. It is free for businesses seeking certification, and it saves you the time of chasing providers individually. Given that audit costs and schedules vary significantly between providers, getting multiple quotes before you commit is simply good business sense.


Frequently Asked Questions

How often are ISO certification audits conducted?

ISO certification audits follow a three-year cycle. In the first year, you undergo an initial certification audit consisting of a Stage 1 documentation review and a Stage 2 certification audit. In years two and three, your certification body conducts annual surveillance audits to confirm your system is being maintained. At the end of year three, a recertification audit is conducted to renew your certificate for another three-year cycle.

Are surveillance audits less thorough than the initial certification audit?

Surveillance audits are less comprehensive than the initial certification audit. They typically cover a subset of your management system rather than the full scope, and they are shorter in duration. However, they are still formal audits conducted by a qualified auditor, and non-conformities can and do get raised. Areas where issues were found previously, significant changes to your business, and any clauses not covered in the previous surveillance audit are all fair game.

What happens if I miss a surveillance audit?

If you miss a surveillance audit without arranging an alternative date with your certification body, your certificate is likely to be suspended. Suspension means your certification is no longer active, which can affect your ability to use the certificate in tenders and contracts. To reinstate a suspended certificate, you will need to undergo a reinstatement audit and demonstrate that your management system is still conforming. If suspension continues for too long, the certificate may be withdrawn entirely.

Do I still need to conduct internal audits between external audits?

Yes. Internal audits are a requirement of the ISO standards themselves, separate from the external audits conducted by your certification body. You are required to conduct internal audits at planned intervals, typically at least once per year, to verify that your management system is conforming to requirements and is effectively implemented. Your external auditor will review your internal audit records and findings as part of every surveillance and recertification audit.

Can changes to my business trigger additional audits?

Yes. Significant changes to your organisation, such as acquiring a new company, adding a major new site, substantially changing your core processes, or experiencing a serious incident, can trigger what is called an extraordinary audit outside of the standard schedule. It is your responsibility to notify your certification body of significant changes. Failing to do so and having the auditor discover undisclosed changes during a scheduled audit is likely to result in a non-conformity.

Does the three-year cycle apply to all ISO standards?

The three-year certification cycle with annual surveillance audits is the standard model used for most ISO management system certifications, including ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 22000, and others. The specific audit duration and the depth of each audit will vary depending on the standard, the size and complexity of your organisation, and your industry risk profile, but the overall structure of initial certification followed by two surveillance audits and then recertification is consistent across these standards.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
