How to Prepare for an ISO 27001 Surveillance Audit


Team CertBetter


What Is an ISO 27001 Surveillance Audit and Why Does It Matter?

You passed your initial ISO 27001 certification audit. Congratulations. But here is the thing most businesses do not fully appreciate until it is too late: your certificate is only valid if you keep passing the surveillance audits that follow. And those audits are not a formality.

An ISO 27001 surveillance audit is a periodic check conducted by your certification body to confirm that your Information Security Management System (ISMS) is still operating effectively. Accredited certification bodies work to ISO/IEC 17021-1, which requires a surveillance audit at least once a calendar year, with the first one no more than twelve months after the certification decision, and a full recertification audit before the three-year certificate expires. Miss one, fail one, or show up unprepared, and your certificate can be suspended or withdrawn.

If you want a solid grounding in what ISO 27001 actually requires before diving into surveillance preparation, the ISO 27001 beginner's guide is a good starting point. This article, however, is specifically for businesses that are already certified and need to prepare for what comes next.

How Surveillance Audits Differ From Your Initial Certification Audit

Your Stage 1 and Stage 2 certification audits were comprehensive. The auditor reviewed your entire ISMS from top to bottom, checked your documentation, assessed your risk treatment plan, and evaluated whether your controls were implemented correctly. It was a deep dive.

Surveillance audits are different in scope but not in seriousness. The auditor will not re-examine every clause and control from scratch. Instead, they will focus on specific areas of your ISMS, including any nonconformances raised in previous audits, changes to your organisation or its context, and a rotating sample of Annex A controls. They will also look at whether your management system is alive and improving, or whether it has quietly gathered dust since your last audit.

The most common reason businesses fail surveillance audits is not that their security posture has collapsed. It is that their management system has stopped functioning as a real system and become a filing cabinet of documents nobody looks at. Auditors can spot this immediately.

What Auditors Actually Look at During an ISO 27001 Surveillance Audit

Corrective Actions From Previous Audits

This is always the first thing an auditor checks. If nonconformances were raised at your last audit or certification audit, you are expected to have investigated the root cause, implemented a corrective action, and verified that the action worked. If you have not closed these out with proper evidence, expect the auditor to escalate them: an unaddressed finding from the previous audit is normally raised as a major nonconformance.

Do not just close corrective actions on paper. Make sure the underlying issue has genuinely been resolved and that you have records to prove it. An auditor will ask to see the corrective action log, the evidence of implementation, and the effectiveness review.

Internal Audit Results

ISO 27001 requires you to conduct internal audits at planned intervals (clause 9.2). Your surveillance auditor will want to see that internal audits have actually taken place since your last external audit, that they covered relevant areas of the ISMS, and that any findings were acted upon.

If you have not run a single internal audit in the past twelve months, this is a major gap. Internal audits are not optional. They are one of the core mechanisms by which your ISMS demonstrates it is being actively monitored and improved. If you need practical guidance on making internal audits genuinely useful rather than just a compliance exercise, read our article on how to run ISO internal audits that actually find problems.

Management Review

Your management review is the formal meeting where leadership reviews the performance of the ISMS. ISO 27001 requires this to happen at planned intervals (clause 9.3). The auditor will ask to see the minutes, the agenda items covered, and the outputs such as decisions made and resources allocated.

A management review that consists of a five-minute chat with no documented outputs will not satisfy the auditor. Clause 9.3 lists the inputs the review must cover: the status of actions from previous reviews, changes in internal and external issues relevant to the ISMS, feedback on security performance (nonconformities and corrective actions, monitoring and measurement results, audit results, and progress against security objectives), feedback from interested parties, the results of the risk assessment and the status of the risk treatment plan, and opportunities for improvement. It also needs to produce documented outputs: decisions on continual improvement and on any changes or resources the ISMS needs. A simple agenda that mirrors that input list, with a decision recorded against each item, is the easiest way to show the auditor the review was real.

Risk Assessment and Risk Treatment

Your risk register is a living document. ISO 27001 requires the risk assessment to be repeated at planned intervals and whenever significant changes are proposed or occur (clause 8.2). The auditor will check whether your risk assessment has been reviewed and updated since your last audit, particularly if there have been changes to your business, your IT environment, your suppliers, or the threat landscape.

If your risk register looks identical to what it did at certification with no updates, no new risks added, and no treatment status changes, that is a red flag. Risks change. Threats evolve. Your register needs to reflect that. For a practical explanation of how to manage this process without needing a dedicated security team, see our guide on ISO 27001 risk assessment for non-technical business owners.

Annex A Controls in Scope

The auditor will sample a selection of Annex A controls to verify they are implemented and operating effectively. They will not check all 93 controls of ISO/IEC 27001:2022 in a single surveillance audit, but they will rotate through them across your certification cycle. Common areas of focus include access control, supplier relationships, incident management, and business continuity. If you are still working from a Statement of Applicability written against the 2013 edition's 114 controls, confirm with your certification body where you are in the transition, because the auditor will sample against whichever edition your certificate is issued under.

Be ready to demonstrate controls, not just describe them. If your access control policy says that access rights are reviewed quarterly, the auditor will ask to see the records of those reviews. Policy without evidence is not compliance.

Security Incidents and How You Handled Them

The auditor will ask whether any information security incidents have occurred since the last audit. This includes data breaches, phishing attacks, unauthorised access attempts, system outages, and similar events. They want to see that incidents were logged, investigated, and responded to appropriately. Note that the standard distinguishes between security events and security incidents: ISO/IEC 27001:2022 control 5.25 expects events to be assessed and a decision recorded on whether each one is an incident. A log that shows events being reported, triaged, and closed as "not an incident" is itself evidence the process works.

Many businesses make the mistake of under-reporting incidents internally because they worry about how it looks. In reality, having a well-documented incident log with good response records looks far better to an auditor than claiming you had zero incidents. Twelve months with no reported phishing email, lost laptop, mis-sent document, or failed login spike is almost never credible for an organisation of any size, and auditors know it.

How to Prepare for Your ISO 27001 Surveillance Audit: A Practical Checklist

Start Preparing at Least Eight Weeks Out

Do not leave surveillance audit preparation to the week before the auditor arrives. Eight weeks gives you enough time to identify gaps, gather evidence, close corrective actions, and run a final internal review without scrambling.

Book a pre-audit preparation meeting with your ISMS manager or whoever owns the system internally. Walk through each of the key audit focus areas and assign responsibility for gathering evidence. Treat it like a mini internal audit focused on audit readiness.

Review and Close All Open Corrective Actions

Pull up your corrective action register and go through every open item. For each one, confirm that the root cause was identified, the corrective action was implemented, and there is documented evidence of effectiveness. If any actions are still open, escalate them immediately and get them resolved before the audit date.

If a corrective action genuinely cannot be closed before the audit, be transparent with the auditor. Have a documented explanation of why it is still open, what progress has been made, and what the revised completion date is. Auditors respond far better to honest progress updates than to closed actions with no real evidence behind them.

Confirm Your Internal Audit Program Is Up to Date

Check your internal audit schedule and confirm that audits have been conducted as planned. Gather the audit reports, findings, and any resulting corrective actions. If you are behind on your internal audit schedule, prioritise getting at least one internal audit completed before the surveillance audit, focusing on the areas most likely to be reviewed.

Update Your Risk Register

Review your risk register and ask yourself honestly: does this reflect the current state of our business and the current threat environment? Have there been changes to your IT systems, staff, suppliers, or operations since the last audit? Have any new threats emerged that are relevant to your organisation?

Add new risks where appropriate, update the treatment status of existing risks, and document who reviewed the register and when. A dated, signed review record is the evidence the auditor needs.

Prepare Your Management Review Records

If your management review is due before the surveillance audit, schedule it and make sure it covers all the required inputs. Document the outputs clearly, including any decisions made about resources, improvements, or changes to the ISMS. If your management review has already been conducted, locate the minutes and make sure they are accessible and complete.

Check Your Annex A Control Evidence

Go through your Statement of Applicability and identify the controls that are most likely to be sampled based on your business context. For each control, ask whether you have current evidence that it is operating. This means dated records, not just policies.

Common gaps include access review records that have not been completed on schedule, supplier security assessments that are out of date, and training records that are incomplete. Address these before the audit.
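The check above is easy to automate once each control in your Statement of Applicability is mapped to the dated record that proves it. The following script is an added example, not CertBetter's own tooling: it takes an assumed set of control-to-evidence mappings with the cadence your policy commits to (quarterly access reviews as in this article, annual cycles for the others) and a constructed evidence log, and reports which controls have no record, whose latest record is older than its cadence, or which have too few records in the trailing twelve months to support the claimed cadence.

```python
"""Added example (not CertBetter's code): pre-audit evidence cadence check.

Control references follow ISO/IEC 27001:2022 numbering. The cadences and the
evidence log are constructed for the example; replace them with your own
Statement of Applicability and evidence register.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Control:
    ref: str            # Annex A control or clause reference
    evidence_type: str  # the dated record the auditor will ask to see
    cadence_days: int   # how often your own policy commits to producing it


# Assumed policy commitments (hypothetical): quarterly access reviews,
# annual supplier assessments, annual awareness training, annual internal audit.
CONTROLS = (
    Control("A.5.18 Access rights", "access review", 91),
    Control("A.5.22 Supplier services", "supplier security assessment", 365),
    Control("A.6.3 Awareness training", "training completion record", 365),
    Control("Clause 9.2 Internal audit", "internal audit report", 365),
)

# Constructed evidence log: (evidence_type, date the record was produced).
EVIDENCE_LOG = (
    ("access review", date(2024, 1, 15)),
    ("access review", date(2024, 4, 12)),
    ("access review", date(2024, 7, 9)),                  # no Q4 review recorded
    ("supplier security assessment", date(2023, 2, 1)),  # more than a year old
    ("training completion record", date(2024, 3, 20)),
    # no internal audit report at all
)


def evidence_gaps(controls, evidence_log, as_of, window_days=365):
    """Classify each control as OK, SHORTFALL, OVERDUE or MISSING as of `as_of`.

    OVERDUE:   the latest record is older than the control's cadence.
    SHORTFALL: the latest record is recent enough, but fewer records exist in
               the trailing window than the cadence implies (e.g. only three
               'quarterly' reviews in twelve months).
    MISSING:   no dated record exists at all.
    Returns a dict of control ref -> (status, detail).
    """
    window_start = as_of - timedelta(days=window_days)
    report = {}
    for c in controls:
        # Only records dated on or before the check date count as evidence.
        dates = sorted(d for t, d in evidence_log if t == c.evidence_type and d <= as_of)
        if not dates:
            report[c.ref] = ("MISSING", f"no {c.evidence_type} on record")
            continue
        latest = dates[-1]
        due = latest + timedelta(days=c.cadence_days)
        in_window = sum(1 for d in dates if d > window_start)
        expected = max(1, window_days // c.cadence_days)
        if due < as_of:
            status = "OVERDUE"
        elif in_window < expected:
            status = "SHORTFALL"
        else:
            status = "OK"
        report[c.ref] = (
            status,
            f"latest {c.evidence_type} {latest}, next due {due}, "
            f"{in_window}/{expected} records in trailing {window_days} days",
        )
    return report


def readiness_statuses(as_of=date(2024, 11, 1)):
    """Status only, over the constructed data, for a quick pre-audit summary."""
    return {ref: status for ref, (status, _) in evidence_gaps(CONTROLS, EVIDENCE_LOG, as_of).items()}


if __name__ == "__main__":
    for ref, (status, detail) in evidence_gaps(CONTROLS, EVIDENCE_LOG, date(2024, 11, 1)).items():
        print(f"{status:9} {ref}: {detail}")
```

Run against the constructed log as of 1 November 2024, the access reviews come out OVERDUE (last one in July, due in October, and only three in the trailing year against four expected), the supplier assessment OVERDUE, the training record OK, and the internal audit MISSING. The SHORTFALL state matters because an auditor checks the whole twelve-month window, not just the most recent record: a quarterly review done last week does not cover the two quarters that were skipped before it.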

Review Your Incident Log

Pull together your security incident log for the past twelve months. Make sure incidents are documented with dates, descriptions, response actions taken, and closure details. If incidents led to corrective actions or changes to controls, make sure those are documented as well.

Brief Your Team

Your auditor will speak to staff, not just the ISMS manager. Brief relevant team members on what to expect. They do not need to memorise the standard, but they should understand their role in the ISMS, be able to describe how they handle security-related tasks, and know where to find relevant procedures.

Staff who look blank when asked about information security responsibilities create doubt in an auditor's mind about whether the system is genuinely embedded in the organisation.

Common Mistakes That Cause Surveillance Audit Failures

After years of auditing and consulting, the same patterns come up again and again. Here are the most common ones to watch for.

  • Treating the ISMS as a certification project rather than a management system. Once the certificate arrives, some businesses stop actively managing the system. Surveillance audits expose this immediately.
  • Failing to update documentation after organisational changes. New staff, new systems, restructures, and new suppliers all have implications for your ISMS. If your documentation does not reflect the current state of your business, the auditor will notice.
  • Not conducting internal audits. This is a major nonconformance waiting to happen. Internal audits are a clause requirement (clause 9.2), not a suggestion.
  • Leaving corrective actions open with no progress. Open corrective actions from a previous audit with no documented progress signal a system that is not functioning.
  • Policies that exist but are not followed. If your access control policy says reviews happen every six months but there are no records of any reviews, the policy is not being implemented. That is a nonconformance.

What Happens If You Fail a Surveillance Audit?

If the auditor raises a major nonconformance, the certification body will set a deadline, commonly 90 days or less, for you to submit a root cause analysis, a corrective action plan, and evidence that it has been implemented, and may require a follow-up visit to verify closure. If you fail to close the finding within the agreed timeframe, your certification body can suspend or withdraw your certificate.

A suspended certificate is a serious commercial problem. Clients and procurement teams check certificate validity, and a suspension will show up if they do. Understanding how often ISO certification audits are conducted and what the consequences of non-compliance look like is important context for any business managing an active certification.

The good news is that major nonconformances at surveillance audits are avoidable with proper preparation. Most businesses that fail do so because they have not been actively maintaining their system, not because their security controls are fundamentally broken.

The Role of Your ISO 27001 Consultant in Surveillance Preparation

If you worked with an ISO 27001 consultant to achieve initial certification, it is worth engaging them for a pre-surveillance review. A good consultant will conduct a gap analysis against the likely audit focus areas, review your evidence, and identify anything that needs to be addressed before the auditor arrives.

Not all consultants offer ongoing support after certification. If yours does not, or if you are looking for someone to help you maintain your ISMS between audits, it is worth finding a consultant who specialises in ISO 27001 maintenance rather than just implementation. Comparing ISO 27001 consultants before engaging one for ongoing support is a sensible step.

CertBetter connects businesses with verified ISO 27001 consultants and accredited certification bodies. If you need a consultant to help you prepare for your surveillance audit, or if you are looking for a new certification body, you can submit one form and receive up to three competing quotes from vetted providers at no cost to your business.


Frequently Asked Questions

How long does a surveillance audit take?

The duration depends on the size of your organisation and the complexity of your ISMS, but most surveillance audits for small to medium businesses take one to two days on site. This is shorter than the initial certification audit because the auditor is not reviewing the entire system from scratch. Your certification body will confirm the planned audit duration in advance, and it is worth asking them which specific areas they intend to focus on so you can prepare accordingly.

Can a surveillance audit be rescheduled?

Yes, in most cases you can request a rescheduling if there is a genuine reason, such as a major operational disruption or a key staff member being unavailable. However, surveillance audits must occur within the timeframes defined in your certification agreement. Delaying too long can put your certificate at risk. Contact your certification body as early as possible if you need to reschedule, and confirm the new date in writing.

What records should be ready before the audit?

You should have your corrective action register with closed actions and evidence, internal audit reports from the past twelve months, management review minutes, your current risk register with a dated review, your Statement of Applicability, Annex A control evidence such as access review records and training logs, and your security incident log. Organising these into a clear folder or document management system before the audit makes the process much smoother for both you and the auditor.

Will the auditor check every Annex A control?

No. Surveillance audits sample a selection of Annex A controls rather than reviewing all 93 in a single visit. The auditor will rotate through different controls across your three-year certification cycle so that all areas are covered over time. However, you should be prepared for any control to be selected. The best approach is to maintain ongoing evidence for all applicable controls rather than trying to predict which ones will be reviewed.

What is the difference between a minor and a major nonconformance?

A minor nonconformance is a single lapse or gap that does not indicate a systemic failure of your ISMS. You will typically be given a defined timeframe, often 90 days, to close it with documented evidence. A major nonconformance indicates a significant failure of the management system, such as no internal audits being conducted, no management review taking place, or corrective actions from the previous audit remaining unaddressed. Several minor nonconformances against the same requirement can also be raised together as a major. Major nonconformances can result in your certificate being suspended if they are not resolved within the agreed timeframe.

How does ISO 27001 relate to Australian Notifiable Data Breach obligations?

ISO 27001 certification and Australian Notifiable Data Breach obligations under the Privacy Act are separate frameworks, but they complement each other significantly. Your ISMS should include incident detection and response processes that support your ability to identify and notify reportable breaches within the required timeframes. An auditor may review your incident management process and ask how it connects to your legal obligations. For a detailed explanation of this relationship, see our article on whether ISO 27001 certification helps with Australian Notifiable Data Breach obligations.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
