An ISO 27001 surveillance audit is a periodic, lighter-touch review carried out by your certification body between the initial certification audit and the three-year recertification audit, designed to confirm that your Information Security Management System (ISMS) is still operating and continually improving. Rather than re-examining every requirement, the auditor samples parts of the system and looks hardest at the evidence that the ISMS is a living discipline rather than a one-off effort to pass a certificate. Getting ready for it is far less daunting once you understand where it sits in the certification cycle and exactly what an auditor will want to see.
What is a surveillance audit and where does it sit in the cycle?
An ISO 27001 certificate is valid for three years from the date of issue, and that three-year window shapes the whole audit rhythm. You earn the certificate by passing a two-part initial audit: a Stage 1 documentation review that checks your ISMS is designed and ready, followed by a Stage 2 audit that tests whether the system works in practice. Once certified, you do not simply wait three years for the next visit. Instead, the certification body returns for surveillance audits to confirm nothing has quietly decayed in the meantime.
Surveillance audits are typically annual, with at least one visit in year one and one in year two, before a more comprehensive recertification audit in year three renews the certificate for a further cycle. They are deliberately narrower in scope than the Stage 2 audit, because their job is to sample and reassure rather than to re-audit everything from scratch. In our experience the mindset shift matters: the auditor is no longer asking whether you can build an ISMS, but whether you are actually running one.
An ISO 27001 certificate is valid for three years, during which mandatory surveillance audits (usually one in year one and one in year two) confirm the ISMS remains effective, followed by a recertification audit in year three that is broadly similar in depth to the original Stage 2 audit (Iseoblue, 2026).
What auditors check in a surveillance audit
Because a surveillance audit is sampled rather than exhaustive, understanding the auditor's priorities is the key to preparing efficiently. Certain areas are examined at every surveillance visit regardless of what else is sampled, because they are the clearest signals of whether the management system is genuinely operating. Expect the auditor to focus on the following.
- Closure of nonconformities raised at previous audits, with evidence that corrective actions were effective and not just cosmetic.
- The internal audit programme and its results, confirming audits actually ran to plan and surfaced real issues.
- Management review records, showing leadership reviewed the ISMS and made decisions on resources, risks, and improvement.
- The corrective action and continual improvement process, including how issues are logged, investigated, and resolved.
- Handling of security incidents and complaints, and whether lessons fed back into controls.
- Updates to the risk assessment and risk treatment plan, especially where the business, threats, or scope have changed.
- A rotating sample of Annex A controls from the Statement of Applicability, so the full control set is examined across the three-year cycle.
- Any changes to scope, organisational structure, key personnel, or the risk profile since the last visit.
The common thread is continual improvement. Auditors look hardest at the management system rather than the individual technical controls, because a lapsed management system is the surest sign that certification was a one-time push. Our guide to auditing ISO 27001:2022 controls unpacks how sampling works control by control, and our companion piece on running a management review that drives improvement explains how to turn that mandatory meeting into evidence an auditor will respect rather than a box-ticking formality.
Major versus minor nonconformities
When an auditor finds a gap between what the standard requires and what you are doing, they raise a nonconformity, and the category they assign determines how much pressure you are under to fix it. Understanding the difference helps you triage findings calmly rather than treating every observation as a crisis.
A major nonconformity represents a systemic failure or a gap that undermines a core requirement of the standard, such as a missing internal audit programme or a management review that never happened. At a surveillance audit, majors must be remediated before the certificate can be maintained. Typically you have up to three months to implement corrective action and submit evidence, and failure to do so can lead to suspension or withdrawal of the certificate. A minor nonconformity, by contrast, is an isolated lapse that does not signal a broader breakdown, such as a single missing record or an overdue review. For minors, the auditor agrees a corrective action plan with you, and depending on severity they may be closed through follow-up evidence, at the next surveillance audit, or occasionally via an additional visit.
Major nonconformities at surveillance must be corrected before certification can continue, usually within around three months, or the certificate risks suspension or withdrawal; minor nonconformities are managed through an agreed corrective action plan, but several unresolved minors can be escalated to a major (Iseoblue, 2026).
How you respond matters as much as the finding itself. A well-written corrective action gets to the root cause rather than patching the symptom, and our guide to writing audit findings that drive action shows how to frame both the finding and the response so it closes cleanly and does not resurface at the next visit.
How to prepare: a surveillance audit checklist
Preparation is mostly a matter of assembling evidence the ISMS has been running all year, not a last-minute scramble. Working through the following steps in the weeks before the visit puts you in a strong position.
1. Re-read the report from your last audit and confirm every prior nonconformity is closed with documented, effective corrective action.
2. Verify your internal audit programme has run on schedule and that the results, findings, and follow-ups are recorded.
3. Confirm at least one management review has taken place, with minutes covering risks, resources, objectives, and improvement decisions.
4. Review and update your risk assessment and risk treatment plan to reflect any new threats, systems, suppliers, or scope changes.
5. Check the Statement of Applicability still matches reality, and be ready to show evidence for the controls most likely to be sampled.
6. Gather records of security incidents, complaints, and how each was handled and closed.
7. Confirm mandatory activities such as access reviews, backups, awareness training, and supplier reviews were performed and logged.
8. Notify the certification body of any significant changes to scope, structure, or key personnel ahead of the visit.
9. Brief the control owners who will meet the auditor so they can speak confidently to their own evidence.
The Statement of Applicability is worth singling out, because it is the auditor's map into your control set and the anchor for the year-on-year sampling. Our deep dive on Statement of Applicability mastery explains how to keep it accurate and defensible so that sampled controls line up with the evidence you can actually produce.
Common findings to avoid
Most surveillance findings are not exotic technical failures. They are predictable lapses in the management system that a little discipline throughout the year would prevent. The recurring culprits are worth guarding against specifically.
- An internal audit programme that was planned but never fully executed, or executed too close to the surveillance visit to be credible.
- Management reviews that were skipped, undocumented, or missing required inputs such as risk and objective status.
- Prior nonconformities marked closed without evidence that the corrective action actually worked.
- A risk assessment and treatment plan that were never revisited despite obvious changes in the business or threat landscape.
- A Statement of Applicability that no longer reflects the controls in operation.
- Missing routine records, such as access reviews, training logs, or supplier assessments, that should have been generated as the ISMS ran.
Every one of these points back to the same principle: an ISMS earns its certificate by operating continuously, not by performing on audit day. Treat surveillance audits as an annual health check that keeps the system honest, spread the evidence-gathering across the year, and the visit becomes a confirmation of good practice rather than a source of anxiety. Do that consistently, and the year-three recertification audit, comprehensive as it is, becomes far less daunting because the underlying discipline is already there.