ISO 27001 Surveillance Audit: What to Expect in Years 2 and 3

Marcal Santos
May 12, 2026
https://secureleap.tech/blog/iso-27001-surveillance-audit

Key takeaways:

  • Surveillance audits are mandatory in Years 2 and 3 of your ISO 27001 certification cycle. If you miss one, your certificate is suspended; if you fail one, it is withdrawn.
  • They’re shorter and cheaper than the initial certification, typically costing 30-50% of what you paid for it.
  • Auditors usually check: management review, internal audit, corrective actions from the previous audit, and risk assessment updates.
  • Most surveillance audit failures come down to the same findings: missing management review, incomplete internal audit, outdated risk assessment, access reviews not performed as stated in policy, and an untested incident response plan.
  • Year-round maintenance is the best way to go. Companies that treat ISO 27001 as continuous compliance tend to pass surveillance audits with zero major findings, but those who ignore it all year long scramble to reconstruct evidence.

The work does not stop after you get your ISO 27001 certification.

Most companies think ISO 27001 is a one-time project: you build the ISMS, pass the Stage 1 and Stage 2 audits, hang the certificate on the wall, and you’re done for three years.

That’s not how it works.

Your certificate is valid for three years, but you don’t get to coast for the next 35 months. You have surveillance audits in Years 2 and 3: annual check-ins where auditors verify that your ISMS is still operational.

If you miss a surveillance audit, your certificate will be suspended. If you fail one, the certificate will be withdrawn.

This post explains what surveillance audits are, when they happen, what auditors check, how much they cost, and how to stay audit-ready without burning out your team.

If you are still in Stage 1 or 2, check this post first.

What Is a Surveillance Audit?

A surveillance audit (also called a maintenance audit or annual surveillance visit) is a mandatory annual audit conducted by your certification body in Years 2 and 3 of your three-year ISO 27001 certification cycle.

The ISO 27001 audit cycle looks like this:

  • Initial certification: Stage 1 audit (documentation review) + Stage 2 audit (implementation verification)
  • Year 2: First surveillance audit
  • Year 3: Second surveillance audit
  • Year 4: Recertification audit (full Stage 1 + Stage 2 process repeats for another three-year cycle)

What Is the Purpose of ISO 27001 Surveillance Audits?

Surveillance audits verify that your ISMS hasn’t degraded since certification.

Auditors check that controls are still operating, risks are still being managed, leadership is still engaged, and you’re conducting the mandatory internal audits and management reviews required by the standard.

Key Difference from the Initial Certification

Your Stage 2 audit in Year 1 checked everything: all mandatory clauses (4-10), all 93 Annex A controls in scope, your full ISMS documentation, and evidence that every control was implemented and effective.

Surveillance audits check only a sample of your controls per audit, rotating across the three-year cycle so that by the time you reach recertification in Year 4, auditors have sampled the full control set multiple times.

The goal is efficiency without sacrificing assurance. You already passed the full audit once, so now the auditor is spot-checking to make sure you’re maintaining what you built rather than letting it decay.

When Do Surveillance Audits Happen?

The first surveillance audit happens within 12 months after your certification date. The second surveillance audit happens 24 months after certification (12 months after the first surveillance).

Your certification body schedules these with you, but they must happen within 12 months of the previous audit. If you miss the window, your certificate will be suspended. 

Because the auditor focuses on a sample of targeted areas rather than re-testing everything, a surveillance audit is usually faster than the initial Stage 2 audit, but the exact duration depends on the company's size and the ISMS’s complexity.

How Much Does an ISO 27001 Surveillance Audit Cost?

A surveillance audit costs around 30-50% of what you paid for initial certification.

It is important to remember you’ll have to do this twice, in Years 2 and 3, so budget accordingly.

If you want a full breakdown on how much ISO 27001 costs each year, check this post.

What Do Auditors Check During Surveillance Audits?

Each surveillance audit targets the parts of your ISMS that give the auditor the clearest view of whether it is still working as designed.

These are some of the areas usually reviewed:

1. Management Review

Has leadership reviewed ISMS performance in the past 12 months? Did they discuss risks, incidents, opportunities for improvement, and make documented decisions?

Auditors want to know whether your organization's management reviews are effective or are not happening at all.

If you haven’t done a management review since your last audit, that’s an automatic finding. It signals to the auditor that leadership isn’t engaged with the ISMS.

2. Internal Audit

Have you audited your own ISMS since the last external audit? Did you check all mandatory clauses and a sample of your in-scope Annex A controls?

Internal audits are how you catch problems before the external auditor does. If you’re not doing them, you’re flying blind. 

Auditors want to see an internal audit report dated within the last 12 months, evidence that you audited and sampled Annex A controls, and that any non-conformities were identified and corrected.

3. Corrective Actions from Previous Audit

Did you fix everything from your last audit? If the Stage 2 auditor found any non-conformities, even if minor, you need evidence that you’ve closed all of them.

Auditors track this. If you said you’d fix something and didn’t, that’s a new finding on top of the original one. It shows you’re not following through on commitments.

4. Risk Treatment Plan

Your ISMS isn’t static. If your business evolves and your ISMS doesn’t reflect that, that’s a gap.

Auditors want to see evidence that you’re keeping pace: updated risk assessments showing that new risks were identified and treated, records of controls that were added or removed, and evidence that leadership reviewed and approved the changes.

Common Surveillance Audit Findings and How to Avoid Them

In 20 years of guiding startups through ISO 27001, I often see the same findings in multiple surveillance audits:

  • Finding 1: Management review was not conducted in the last 12 months. Put management reviews in your official calendar at least once a year (twice, if possible), with time to spare before the audit.
  • Finding 2: The internal audit is incomplete or missing evidence. Either the company didn’t conduct one, or it did and failed to document the findings properly. To avoid this, use an internal audit checklist covering the mandatory clauses and a sample of your in-scope Annex A controls, and always document everything.
  • Finding 3: Risk assessment has not been updated since certification. Your business has probably evolved since your initial certification, so auditors want to know whether your risk assessment has kept up. Review it every 6 months, add new risks as your business changes, and update the risk treatment plan.
  • Finding 4: Access reviews were not performed as stated in policy. This happens when your policy says one thing and reality says another. You need to either do exactly what the policy states or change the policy to match reality.
  • Finding 5: The incident response plan was not tested. Schedule an IR tabletop exercise every year so it isn’t forgotten. Simulate a breach scenario, walk through your response process, document what happened, and identify improvements.

How to Stay Surveillance-Ready Year-Round

The secret to passing surveillance audits is to treat ISO 27001 not as an annual event but as a continuous one.

Here’s the minimum viable maintenance schedule I recommend to clients.

Monthly tasks:

  • Update the incident log if any security incidents have occurred
  • Track security awareness training completion for new hires
  • Spot-check access to critical systems

Quarterly tasks:

  • Formal user access review: Review who has access to what, revoke unnecessary access, and document the review
  • Review and update asset inventory
  • Check vulnerability scan results and confirm if critical patches are applied

Annual tasks:

  • Conduct an internal audit
  • Conduct a management review by presenting ISMS performance to leadership and getting decisions documented
  • Update the risk assessment
  • Review and update the policies
  • Run an incident response tabletop exercise
  • Test disaster recovery plan (or document why it wasn’t tested)
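The common findings above and the maintenance schedule share one underlying check: does dated evidence exist inside the window the auditor will look at, and does the observed cadence match what the policy promises? The following script is an added example, not a tool from the article or from SecureLeap, showing how a team could run that check against its own evidence log before the auditor does. The activity names, the 365-day approximation of "12 months", the 90-day access-review cadence and all dates in SAMPLE_EVIDENCE are constructed assumptions for the example.

```python
"""Evidence-freshness check for ISO 27001 surveillance audit preparation.

Added example (not the article's own tool). Given a list of dated ISMS
activity records and the expected audit date, it reports which of the
common surveillance findings the evidence on file would trigger.
"""
from datetime import date, timedelta

# Constructed sample evidence log (hypothetical dates, not from the article).
# Each row is (activity, date_performed). Deliberate problems: the risk
# assessment is stale, there is no incident-response tabletop record at all,
# and one access review is dated after the audit, so it must not count.
SAMPLE_EVIDENCE = [
    ("management_review", date(2025, 3, 10)),
    ("internal_audit", date(2025, 9, 2)),
    ("risk_assessment", date(2024, 1, 15)),
    ("access_review", date(2025, 1, 20)),
    ("access_review", date(2025, 7, 18)),
    ("access_review", date(2026, 1, 9)),
]

# Activities the auditor expects to see at least once in the last 12 months,
# mapped to the finding text raised when the evidence is missing or stale.
ANNUAL_ACTIVITIES = {
    "management_review": "Management review not conducted in the last 12 months",
    "internal_audit": "Internal audit not completed or not documented in the last 12 months",
    "risk_assessment": "Risk assessment not updated in the last 12 months",
    "ir_tabletop": "Incident response plan not tested in the last 12 months",
}

LOOKBACK = timedelta(days=365)  # "last 12 months" approximated as 365 days (assumption)


def in_window(evidence, activity, audit_date):
    """Sorted dates for one activity inside (audit_date - 12 months, audit_date]."""
    start = audit_date - LOOKBACK
    return sorted(d for a, d in evidence if a == activity and start < d <= audit_date)


def annual_findings(evidence, audit_date):
    """Finding text for every annual activity with no in-window evidence."""
    return [
        text
        for activity, text in ANNUAL_ACTIVITIES.items()
        if not in_window(evidence, activity, audit_date)
    ]


def cadence_gaps(evidence, audit_date, activity="access_review", max_gap_days=90):
    """Policy-versus-practice check: if policy says 'every max_gap_days', no two
    consecutive reviews (or the window edges) may be further apart than that.
    Returns (gap_start, gap_end, gap_days) for each violation."""
    start = audit_date - LOOKBACK
    points = [start] + in_window(evidence, activity, audit_date) + [audit_date]
    gaps = []
    for earlier, later in zip(points, points[1:]):
        days = (later - earlier).days
        if days > max_gap_days:
            gaps.append((earlier, later, days))
    return gaps


def run_checks(evidence, audit_date, access_review_cadence_days=90):
    """Combine both checks into the list of findings an auditor would likely raise."""
    findings = annual_findings(evidence, audit_date)
    for earlier, later, days in cadence_gaps(
        evidence, audit_date, "access_review", access_review_cadence_days
    ):
        findings.append(
            f"Access review gap of {days} days ({earlier} to {later}) exceeds "
            f"the {access_review_cadence_days}-day cadence stated in policy"
        )
    return findings


if __name__ == "__main__":
    # Hypothetical audit date for the sample log.
    for finding in run_checks(SAMPLE_EVIDENCE, date(2025, 12, 1)):
        print("FINDING:", finding)
```

Run against the sample log with an audit date of 2025-12-01 it reports four findings: the stale risk assessment, the absent tabletop exercise, and two access-review gaps (179 and 136 days) that contradict a quarterly policy. Feeding it the monthly and quarterly task dates from your own calendar gives the same early warning for the rest of the schedule; adjust `max_gap_days` to whatever cadence your access-control policy actually states, because the finding is about the mismatch, not the number.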

Tools That Help You Get Surveillance Audit Ready

Compliance platforms like Vanta, Drata, and Secureframe are really helpful at this stage because they collect and automate evidence continuously throughout the year.

A vCISO is another good way to stay compliant. A virtual CISO would be responsible for conducting your internal audits, preparing you for surveillance audits, and ensuring nothing falls through the cracks. Most startups can’t afford a full-time CISO, but they can afford a vCISO, which is usually cheaper. Click here to learn more about vCISO services.

Surveillance Audits vs Recertification (Year 4)

After two surveillance audits in Years 2 and 3, your three-year certificate expires. You need recertification in Year 4. Here are the main differences between them:

  • Surveillance audits (Years 2-3): test only a sample of the controls
  • Recertification (Year 4): full Stage 1 + Stage 2 audit, testing all controls

Recertification has the same rigor as the initial certification. The auditor treats it like a fresh certification, with full documentation review and full implementation verification. If you’ve been maintaining your ISMS through surveillance audits, recertification is straightforward. If you’ve let things slide, it is painful.

Pro-tip: Schedule your recertification a few months before your certificate expires, because once it does, there’s no grace period. If you miss the deadline, your certificate lapses, and you’ll need to start from scratch as if you were never certified. 

Surveillance Audits Are Maintenance, Not Milestones

The smarter approach to surveillance audits is to treat ISO 27001 as continuous compliance.

If you’re doing management reviews, internal audits, and access reviews throughout the year, surveillance audits become routine check-ins, not stressful ordeals. The auditor shows up, you show them the evidence you’ve been collecting continuously, they verify a sample of controls, and you pass with zero findings.

Is Your Surveillance Audit Approaching? Here’s What to Do

If you’re approaching your first surveillance audit and aren’t sure what to expect, or if you’ve realised you’ve let things slide since certification, we can help.

At SecureLeap, our vCISO services help startups prepare for surveillance audits by:

  • Helping you find gaps before auditors do
  • Running your internal audit and management review
  • Updating your risk assessment and closing previous findings
  • Ensuring you pass the first time with zero major findings

Through our vCISO and ISO 27001 consulting programs, I’ve guided dozens of startups through certification and surveillance audits, with a 100% success rate.

If you want to stay compliant all year and be easily approved on surveillance audits, click here to book a free consultation call.

Frequently Asked Questions on ISO 27001 Surveillance Audits

What is a surveillance audit in ISO 27001?

A surveillance audit is a mandatory annual audit conducted by your certification body in Years 2 and 3 after initial ISO 27001 certification. It verifies if your ISMS is still operating effectively and controls haven’t degraded.

How much does an ISO 27001 surveillance audit cost?

For most startups, surveillance audits cost 30-50% of what you paid for initial certification. You’ll do two surveillance audits, one in Year 2 and one in Year 3, before recertification in Year 4. The exact cost depends on company size, audit complexity, and certification body day rates.

When does the first surveillance audit happen?

The first surveillance audit happens 12 months after your initial certification date. The second surveillance audit happens 24 months after certification (roughly 12 months after the first surveillance). Your certification body schedules these, but they must occur within 12 months of the previous audit. If you miss the window, your certificate gets suspended.

What happens if you fail a surveillance audit?

Minor non-conformities: You have 90 days to fix them and provide evidence, and your certificate remains valid during the correction period. No extra audit is required because the auditor reviews the evidence remotely.

For major non-conformities: The certificate is suspended immediately until everything is fixed. You’ll need a follow-up audit to verify the corrective actions. If they’re not fixed within 6 months, the certificate is withdrawn entirely. You can’t use the ISO 27001 logo or claim certification while suspended.

Can you skip a surveillance audit?

No. Surveillance audits are mandatory to maintain your ISO 27001 certificate.

What’s the difference between surveillance audit and recertification?

Surveillance audits are lighter check-ins covering only a sample of the controls. Recertification (Year 4) is a full Stage 1 + Stage 2 audit covering your entire ISMS, all mandatory clauses, and all in-scope Annex A controls. It takes longer and costs the same as initial certification.

How do you prepare for a surveillance audit?

The main items auditors check are: (1) management review conducted in the last 12 months, (2) internal audit completed, (3) corrective actions from previous audit closed, and (4) risk assessment updated.
