
ISO 27001 Surveillance Audit: Prep Guide & Checklist

Standarity Editorial Team · ISO 27001 Lead Auditors
8 min read

An ISO 27001 surveillance audit is a periodic, lighter-touch review carried out by your certification body between the initial certification audit and the three-year recertification audit, designed to confirm that your Information Security Management System (ISMS) is still operating and continually improving. Rather than re-examining every requirement, the auditor samples parts of the system and looks hardest at the evidence that the ISMS is a living discipline rather than a one-off effort to pass a certificate. Getting ready for it is far less daunting once you understand where it sits in the certification cycle and exactly what an auditor will want to see.

What is a surveillance audit and where does it sit in the cycle?

An ISO 27001 certificate is valid for three years from the date of issue, and that three-year window shapes the whole audit rhythm. You earn the certificate by passing a two-part initial audit: a Stage 1 documentation review that checks your ISMS is designed and ready, followed by a Stage 2 audit that tests whether the system works in practice. Once certified, you do not simply wait three years for the next visit. Instead, the certification body returns for surveillance audits to confirm nothing has quietly decayed in the meantime.

Surveillance audits are typically annual, with at least one visit in year one and one in year two, before a more comprehensive recertification audit in year three renews the certificate for a further cycle. They are deliberately narrower in scope than the Stage 2 audit, because their job is to sample and reassure rather than to re-audit everything from scratch. In our experience the mindset shift matters: the auditor is no longer asking whether you can build an ISMS, but whether you are actually running one.

An ISO 27001 certificate is valid for three years, during which mandatory surveillance audits (usually one in year one and one in year two) confirm the ISMS remains effective, followed by a recertification audit in year three that is broadly similar in depth to the original Stage 2 audit (Iseoblue, 2026).

What auditors check in a surveillance audit

Because a surveillance audit is sampled rather than exhaustive, understanding the auditor's priorities is the key to preparing efficiently. Certain areas are examined at every surveillance visit regardless of what else is sampled, because they are the clearest signals of whether the management system is genuinely operating. Expect the auditor to focus on the following.

  • Closure of nonconformities raised at previous audits, with evidence that corrective actions were effective and not just cosmetic.
  • The internal audit programme and its results, confirming audits actually ran to plan and surfaced real issues.
  • Management review records, showing leadership reviewed the ISMS and made decisions on resources, risks, and improvement.
  • The corrective action and continual improvement process, including how issues are logged, investigated, and resolved.
  • Handling of security incidents and complaints, and whether lessons fed back into controls.
  • Updates to the risk assessment and risk treatment plan, especially where the business, threats, or scope have changed.
  • A rotating sample of Annex A controls from the Statement of Applicability, so the full control set is examined across the three-year cycle.
  • Any changes to scope, organisational structure, key personnel, or the risk profile since the last visit.

The common thread is continual improvement. Auditors look hardest at the management system rather than the individual technical controls, because a lapsed management system is the surest sign that certification was a one-time push. Our guide to auditing ISO 27001:2022 controls unpacks how sampling works control by control, and our companion piece on running a management review that drives improvement explains how to turn that mandatory meeting into evidence an auditor will respect rather than a box-ticking formality.

Major versus minor nonconformities

When an auditor finds a gap between what the standard requires and what you are doing, they raise a nonconformity, and the category they assign determines how much pressure you are under to fix it. Understanding the difference helps you triage findings calmly rather than treating every observation as a crisis.

A major nonconformity represents a systemic failure or a gap that undermines a core requirement of the standard, such as a missing internal audit programme or a management review that never happened. At a surveillance audit, majors must be remediated before the certificate can be maintained. Typically you have up to three months to implement corrective action and submit evidence, and failure to do so can lead to suspension or withdrawal of the certificate. A minor nonconformity, by contrast, is an isolated lapse that does not signal a broader breakdown, such as a single missing record or an overdue review. For minors, the auditor agrees a corrective action plan with you, and depending on severity they may be closed through follow-up evidence, at the next surveillance audit, or occasionally via an additional visit.

Major nonconformities at surveillance must be corrected before certification can continue, usually within around three months, or the certificate risks suspension or withdrawal; minor nonconformities are managed through an agreed corrective action plan, but several unresolved minors can be escalated to a major (Iseoblue, 2026).

How you respond matters as much as the finding itself. A well-written corrective action gets to the root cause rather than patching the symptom, and our guide to writing audit findings that drive action shows how to frame both the finding and the response so it closes cleanly and does not resurface at the next visit.

How to prepare: a surveillance audit checklist

Preparation is mostly a matter of assembling evidence the ISMS has been running all year, not a last-minute scramble. Working through the following steps in the weeks before the visit puts you in a strong position.

  • 1. Re-read the report from your last audit and confirm every prior nonconformity is closed with documented, effective corrective action.
  • 2. Verify your internal audit programme has run on schedule and that the results, findings, and follow-ups are recorded.
  • 3. Confirm at least one management review has taken place, with minutes covering risks, resources, objectives, and improvement decisions.
  • 4. Review and update your risk assessment and risk treatment plan to reflect any new threats, systems, suppliers, or scope changes.
  • 5. Check the Statement of Applicability still matches reality, and be ready to show evidence for the controls most likely to be sampled.
  • 6. Gather records of security incidents, complaints, and how each was handled and closed.
  • 7. Confirm mandatory activities such as access reviews, backups, awareness training, and supplier reviews were performed and logged.
  • 8. Notify the certification body of any significant changes to scope, structure, or key personnel ahead of the visit.
  • 9. Brief the control owners who will meet the auditor so they can speak confidently to their own evidence.

The Statement of Applicability is worth singling out, because it is the auditor's map into your control set and the anchor for the year-on-year sampling. Our deep dive on Statement of Applicability mastery explains how to keep it accurate and defensible so that sampled controls line up with the evidence you can actually produce.

Common findings to avoid

Most surveillance findings are not exotic technical failures. They are predictable lapses in the management system that a little discipline throughout the year would prevent. The recurring culprits are worth guarding against specifically.

  • An internal audit programme that was planned but never fully executed, or executed too close to the surveillance visit to be credible.
  • Management reviews that were skipped, undocumented, or missing required inputs such as risk and objective status.
  • Prior nonconformities marked closed without evidence that the corrective action actually worked.
  • A risk assessment and treatment plan that were never revisited despite obvious changes in the business or threat landscape.
  • A Statement of Applicability that no longer reflects the controls in operation.
  • Missing routine records, such as access reviews, training logs, or supplier assessments, that should have been generated as the ISMS ran.

Every one of these findings points back to the same principle: an ISMS earns its certificate by operating continuously, not by performing on audit day. Treat surveillance audits as an annual health check that keeps the system honest, spread the evidence-gathering across the year, and the visit becomes a confirmation of good practice rather than a source of anxiety. Do that consistently, and the year-three recertification audit, comprehensive as it is, becomes far less daunting because the underlying discipline is already there.

Frequently Asked Questions

What is an ISO 27001 surveillance audit?

It is a periodic review carried out by your certification body between the initial certification audit and the three-year recertification audit. It confirms your ISMS is still operating effectively and continually improving. Unlike the initial Stage 2 audit, it is lighter-touch and samples parts of the system rather than examining every requirement.

How often do ISO 27001 surveillance audits happen?

Surveillance audits are typically annual. Within the three-year certificate cycle you can usually expect at least one surveillance visit in year one and one in year two, followed by a fuller recertification audit in year three to renew the certificate for another cycle.

What do auditors check in a surveillance audit?

Auditors focus on evidence the ISMS keeps operating: closure of previous nonconformities, the internal audit programme, management review records, the corrective action and continual improvement process, incident handling, and updates to the risk assessment. They also sample a rotating subset of Annex A controls from your Statement of Applicability.

What is the difference between a major and minor nonconformity?

A major nonconformity is a systemic failure or a gap that undermines a core requirement, and it must be corrected before certification continues, usually within around three months, or the certificate risks suspension. A minor nonconformity is an isolated lapse, such as a missing record, and is managed through an agreed corrective action plan. Several unresolved minors can be escalated to a major.

What happens if you fail a surveillance audit?

Failing usually means one or more major nonconformities were raised and not remediated in time. You typically have around three months to implement corrective action and provide evidence. If the majors are not resolved, the certification body can suspend or withdraw your certificate, which means you lose your certified status until the issues are fixed.

How is a surveillance audit different from recertification?

A surveillance audit is a sampled, lighter review conducted in years one and two to confirm the ISMS is still working. The recertification audit in year three is far more comprehensive, similar in depth to the original Stage 2 audit, and it renews the certificate for a new three-year cycle rather than simply maintaining the existing one.
