The Certificate Is Just the Beginning
Getting ISO 27001 certified is a genuine achievement. You have built an Information Security Management System, survived a two-stage audit, closed out your nonconformances, and finally received that certificate. It feels like the finish line.
It is not. It is the starting line for a three-year certification cycle that requires consistent effort, ongoing evidence, and regular audits. Many businesses are surprised to discover how much work is involved in maintaining ISO 27001 certification after the initial push to get certified.
This article walks you through exactly what happens after you get ISO 27001 certified, what your ongoing obligations are, and how to avoid the most common mistakes businesses make in the months and years following certification. Whether you are a technology company, a managed service provider, or a professional services firm, this practical guide will help you stay certified without burning out your team.
Understanding the Three-Year Certification Cycle
ISO 27001 certification operates on a three-year cycle. Your certification body will conduct three types of audits across that period, and understanding the rhythm of these audits is essential for planning your resources.
Year One: Surveillance Audit One
Approximately twelve months after your initial certification audit, your certification body will conduct the first surveillance audit. This is not a full recertification. It is a focused review of specific parts of your Information Security Management System to confirm that your system is still operating effectively and that you have maintained the improvements made during certification.
The auditor will typically focus on areas such as your internal audit programme, management review outcomes, corrective actions, and a selection of Annex A controls. They want to see evidence that your ISMS is alive and being actively managed, not sitting in a folder gathering dust.
Year Two: Surveillance Audit Two
The second surveillance audit follows a similar pattern to the first, usually around the twenty-four-month mark. The auditor may look at different clauses and controls this time, covering areas not examined in the first surveillance. By this point, your certification body expects to see a maturing system with documented improvements, completed internal audits across all relevant areas, and evidence of continual improvement.
Year Three: Recertification Audit
At the end of the three-year cycle, your certification body conducts a full recertification audit. This is essentially a repeat of the original Stage 2 audit. The auditor will review your entire ISMS against all clauses of ISO 27001 and all applicable Annex A controls. If you pass, your certificate is renewed for another three years.
If you want a deeper look at what the initial audit process involves, our article on the ISO 27001 certification process step by step covers the full journey from gap analysis to certificate issuance.
What Your ISMS Must Do Every Year
The audit cycle is one thing. The ongoing operational requirements of your ISMS are another. Here is what you need to keep running consistently throughout the certification period.
Internal Audits
ISO 27001 requires you to conduct internal audits at planned intervals. In practice, this means you need a documented internal audit programme that covers all clauses of the standard and all applicable controls over the course of each year. You cannot audit the same two clauses every year and ignore the rest. The programme needs to be risk-based, and the audits need to be conducted by someone who is competent and independent of the area being audited.
Internal audits are one of the first things a surveillance auditor will ask to see. If your records show that internal audits were skipped or conducted by the same person who built the system, you are likely to receive a nonconformance. Our guide on how to run ISO internal audits that actually find problems is worth reading before you schedule your next internal audit cycle.
Management Review
At least once a year, senior leadership must conduct a formal management review of the ISMS. This is not a casual conversation in a meeting. It is a documented review that covers specific inputs required by the standard, including the status of previous actions, changes in the internal and external context, information security performance, risk treatment progress, and opportunities for improvement.
The outputs of the management review must include decisions and actions. If your management review records show no actions arising, an auditor will question whether the review was genuine. Leadership engagement is one of the areas where many businesses fall short after certification, particularly once the initial pressure of getting certified has passed.
Risk Assessment and Risk Treatment
Your risk register is not a document you create once and file away. ISO 27001 requires you to conduct risk assessments at planned intervals and whenever significant changes occur. If your business adds a new cloud service, acquires another company, changes its workforce structure, or experiences a security incident, you need to revisit your risk assessment.
The risk treatment plan must also be kept current. Controls that were planned but not yet implemented need to be tracked to completion, and new risks need to be treated in a timely way. If you are new to this process, our ISO 27001 risk assessment guide for non-technical business owners explains the process in plain English.
Corrective Actions
Any nonconformances raised during internal audits, surveillance audits, or as a result of security incidents must be addressed through a formal corrective action process. This means identifying the root cause, implementing a fix, and verifying that the fix has worked. Records of corrective actions are reviewed during every surveillance and recertification audit.
One of the most common findings during surveillance audits is that corrective actions from the previous audit were not properly closed out. Set up a simple tracking system and assign an owner and a due date to every corrective action. Review the status monthly.
Statement of Applicability
Your Statement of Applicability, which documents which of the 93 controls in Annex A apply to your organisation and why, needs to be kept current. If your business changes in a way that makes a previously excluded control relevant, or if a new control becomes necessary due to a new risk, your SoA must be updated. Auditors check the SoA carefully, and an outdated document is a red flag.
Handling Security Incidents Under a Certified ISMS
One area that catches businesses off guard is what happens when a security incident occurs after certification. ISO 27001 does not prevent incidents. What it requires is that you have a documented process for detecting, responding to, and learning from them.
When an incident occurs, you need to follow your incident response procedure, document the event, assess its impact on your ISMS, and determine whether it represents a nonconformance that requires a corrective action. If the incident involved a data breach, you also need to consider your obligations under the Australian Privacy Act and the Notifiable Data Breaches scheme.
Our article on whether ISO 27001 certification helps with Australian notifiable data breach obligations explains the relationship between your ISMS and your legal obligations in more detail.
The key point is that having an incident does not automatically put your certification at risk. What puts your certification at risk is having an incident and having no documented response, no root cause analysis, and no corrective action. Auditors understand that incidents happen. They expect to see evidence that you managed them properly.
Common Mistakes Businesses Make After Certification
Having worked with many businesses through the certification process and beyond, we see the same patterns come up repeatedly in the post-certification period.
Treating the ISMS as a Project Rather Than a System
Many businesses approach ISO 27001 as a project with a defined end date. Once the certificate arrives, the project team disbands and the system is handed to someone who was not involved in building it. Without ongoing ownership and resources, the system gradually drifts out of conformance. By the time the first surveillance audit arrives, there are gaps in internal audit records, outdated policies, and management reviews that never happened.
The fix is straightforward: assign a named ISMS owner with clear responsibilities, allocate time in their schedule for ongoing maintenance, and include ISMS activities in your business planning cycle.
Letting Policies Go Stale
ISO 27001 requires your information security policies to be reviewed at planned intervals. Many businesses set a review cycle of twelve months but never actually conduct the review. Policies that reference outdated systems, old job titles, or superseded legislation are a common audit finding.
Put policy reviews in your calendar at the start of each year. Even if nothing needs to change, document that the review was conducted and that the policy remains appropriate.
Ignoring Supplier and Third-Party Controls
Annex A includes controls related to supplier relationships and the security of information shared with third parties. After certification, businesses often forget to apply these controls consistently when onboarding new suppliers or when existing supplier relationships change. A new software vendor, a new cloud platform, or a change in outsourcing arrangements can introduce new risks that need to be assessed and treated.
Skipping Training and Awareness
ISO 27001 requires staff to be aware of the information security policy, their contribution to the effectiveness of the ISMS, and the implications of not conforming with requirements. This is not a once-off induction topic. It needs to be reinforced regularly, particularly when new staff join or when significant changes occur in the threat landscape.
Phishing simulations, short refresher sessions, and updates on new threats are all practical ways to demonstrate ongoing awareness activities. Keep records of what was delivered and who attended.
Using Your ISO 27001 Certificate Commercially
One of the most tangible benefits of ISO 27001 certification is the commercial value it provides. Clients, particularly enterprise clients and government agencies, increasingly require their suppliers to hold ISO 27001 certification as a condition of doing business.
There are rules around how you can use your certification mark. Your certification body will provide guidance on the correct use of their mark, and the ISO name and logo usage guidelines make clear that you cannot imply that ISO itself has endorsed or approved your organisation. You can state that you are certified to ISO 27001 by a named accredited certification body, and you can display the certification mark in accordance with your certification body's licence conditions.
If you are a SaaS company or technology provider, our article on how ISO 27001 certification helps SaaS companies close deals faster explores the commercial advantages in more detail.
What Happens If You Fail a Surveillance Audit
Failing a surveillance audit is more common than most businesses realise. The audit raises one or more major nonconformances, and the business is given a defined period to address them before the certification body decides whether to maintain, suspend, or withdraw certification.
A major nonconformance means a significant failure in your ISMS. This could be a complete absence of internal audits, no evidence of management review, or a fundamental gap in a critical control. Minor nonconformances are more common and are typically resolved within ninety days without threatening the certificate.
If your certificate is suspended, you must address the nonconformances and provide evidence of correction before the suspension is lifted. If the nonconformances are not resolved within the suspension period, the certification body may withdraw your certificate entirely. This is a serious commercial and reputational consequence, particularly if clients or tender requirements depend on your certification status.
The best way to avoid this outcome is to treat your surveillance audit preparation the same way you treated your initial certification audit. Conduct a thorough internal audit in the months before the surveillance visit, review your corrective action register, and ensure your management review is current.
Planning for Recertification
The recertification audit at the end of year three is a full audit. Do not underestimate it. Many businesses are caught off guard because they have maintained their system adequately through the two surveillance audits but have not kept up with the full scope of requirements.
In the six months before recertification, conduct a comprehensive internal audit that covers all clauses and all applicable controls. Review your Statement of Applicability for currency. Confirm that all corrective actions from the previous three years have been closed. Run a management review that specifically looks at the performance of the ISMS over the full certification period.
You should also consider whether the scope of your certification still accurately reflects your business. If your organisation has grown, changed its services, or taken on new systems since the original certification, the scope may need to be updated before recertification. This is also a good time to review whether your certification body is still the right fit for your business. Our guide on how to select the best ISO certification body can help if you are considering a change.
Getting the Right Support
Many businesses find that the ongoing maintenance of ISO 27001 is manageable once the system is bedded in, but the initial post-certification period can be challenging. If your internal team lacks the expertise or bandwidth to maintain the ISMS effectively, engaging an experienced ISO 27001 consultant on a retainer or part-time basis is a practical option.
The challenge is finding a consultant who has genuine ISO 27001 expertise and experience with ongoing ISMS maintenance, not just implementation. The market has no shortage of consultants who can help you get certified but have limited experience supporting businesses through surveillance and recertification cycles.
If you are looking for verified ISO 27001 consultants or accredited certification bodies, CertBetter makes the process straightforward. You submit one form and receive up to three competing quotes from vetted providers. The service is free for businesses, and every provider on the platform has been reviewed for credentials and experience. It is a practical way to compare your options without spending weeks making phone calls and chasing quotes.