ISO/IEC 27001 Certification and Surveillance Audits
ISO/IEC 27001 certification follows a three-year cycle built around an initial two-stage audit, annual surveillance audits, and a full recertification audit at the end of the cycle. This topic covers each stage in detail, explains how accredited certification bodies operate, and describes how nonconformities are classified and resolved.
ISO/IEC 27001 certification is the external, third-party confirmation that an organisation's Information Security Management System (ISMS) meets the requirements of the standard. The process follows a three-year cycle. In the first year, an accredited certification body conducts a two-stage initial audit: Stage 1 reviews documentation and readiness, Stage 2 tests whether the controls are actually implemented and working. If Stage 2 passes, the body issues a certificate valid for three years, subject to annual surveillance audits in years one and two and a full recertification audit in year three. Nonconformities found at any audit are classified as major or minor and must be resolved within defined timeframes or the certificate is at risk.
The certification body that conducts the audits must itself be accredited by a national accreditation body. Accreditation is assessed against ISO/IEC 17021-1, which sets competence, consistency and impartiality requirements for bodies that audit and certify management systems, together with ISO/IEC 27006, which adds the ISMS-specific requirements (auditor competence in information security, audit time, handling of the Statement of Applicability). The layers are: ISO publishes the standards; the accreditation body assesses the certification body; the certification body audits the organisation. That chain, plus mutual recognition between accreditation bodies, is what gives a certificate its cross-border recognition. A certificate issued by an unaccredited body is not the same thing, and procurement processes in regulated industries now routinely verify accreditation status before accepting a certificate.
ISO 27001 certification is used across industries and jurisdictions as evidence of security governance maturity. Cloud service providers demonstrate it to enterprise customers. Health technology companies use it alongside HIPAA or GDPR compliance programmes. Indian organisations subject to the Digital Personal Data Protection Act 2023 (DPDP Act) are exploring it as a framework for demonstrating data security obligations. UK and EU government procurement frameworks reference it directly. The certificate does not guarantee that no breach will occur; it confirms that a systematic, audited approach to managing security risk is in place.
By the end of this topic you will be able to:
- Describe each stage of the ISO 27001 three-year certification cycle and explain the purpose of each audit type within it.
- Distinguish Stage 1 (documentation review) from Stage 2 (on-site assessment) and explain what each auditor is looking for.
- Classify a finding as a major nonconformity, a minor nonconformity, or an observation, and state the consequences of each.
- Explain the role of accreditation bodies and why accreditation status matters when evaluating an ISO 27001 certificate.
- Describe the corrective action process an organisation must follow after a nonconformity is raised, including timelines and evidence requirements.
- Certification body (CB): An independent third-party organisation accredited to audit and certify that an ISMS conforms to ISO 27001. Examples include BSI, Bureau Veritas, DNV, and SGS. The CB issues the certificate and conducts all audits in the cycle.
- Accreditation body (AB): A national body that assesses and formally recognises the competence of certification bodies. Notable examples: UKAS (UK), DAkkS (Germany), COFRAC (France), NABCB (India), ANAB and A2LA (USA). Accreditation for ISMS certification is granted against ISO/IEC 17021-1 and ISO/IEC 27006.
- Stage 1 audit: The documentation review phase of the initial certification audit. The auditor checks that the ISMS documentation exists, the scope is defined, the risk assessment has been performed, and the organisation is ready for a Stage 2 on-site assessment.
- Stage 2 audit: The on-site certification audit. The auditor tests whether the controls described in the documentation are implemented and operating effectively. A Stage 2 pass leads to the certification decision.
- Major nonconformity: A finding that indicates the ISMS is absent in a required area or has failed systemically. Must be resolved with verified evidence before a certificate is issued or maintained. Unresolved major nonconformities lead to suspension or withdrawal.
- Minor nonconformity: A single lapse or gap that does not indicate systemic failure. The organisation must provide a corrective action plan and close the finding before the next audit. Repeated minor nonconformities in the same area can be upgraded to major.
The three-year certification cycle
ISO 27001 certification runs in a three-year cycle governed by the certification body's audit programme. The cycle has five audit events: Stage 1, Stage 2, Surveillance 1, Surveillance 2, and recertification, which starts a new cycle. Understanding the cycle helps organisations plan internal preparation, allocate budget for audit fees, and time internal audits and management reviews so that their outputs are available for each external audit.
| Audit event | Timing | Scope | Outcome |
|---|---|---|---|
| Stage 1 | Before initial certification | Documentation, scope, readiness | Go/no-go for Stage 2; areas of concern logged |
| Stage 2 | Interval set by the CB; commonly 2-6 weeks after Stage 1 | Full on-site ISMS assessment | Certification decision; nonconformities raised |
| Surveillance 1 | Within 12 months of the certification decision date (ISO/IEC 17021-1) | Selected controls, previous findings | Certificate maintained or put at risk |
| Surveillance 2 | About 12 months after Surveillance 1; surveillance must take place at least once a calendar year | Different control sample, trends | Certificate maintained or put at risk |
| Recertification | Completed, with the decision made, before the certificate expires at the end of year 3 | Full re-assessment, similar to Stage 2 | Certificate renewed; new 3-year cycle begins |
Surveillance audits cover a sample of the ISMS, not the full scope. The certification body selects which areas to examine, typically rotating through the Annex A controls and clause requirements across the two surveillance visits so that the full ISMS is covered across the cycle. A control that was not sampled at Surveillance 1 should therefore be expected at Surveillance 2; the rotation is designed so that nothing escapes examination within the cycle.
Stage 1: documentation review
The Stage 1 audit is primarily a desktop review, though many certification bodies now conduct a short on-site visit alongside the documentation examination. Its purpose is to confirm that the ISMS is sufficiently developed to undergo a full assessment. An auditor who finds fundamental gaps at Stage 1, such as no scope statement, no risk assessment, or no Statement of Applicability, will not proceed to Stage 2 until those gaps are addressed.
The auditor reviews: the ISMS scope document (which assets, processes, locations, and legal entities are included); the information security policy; the risk assessment methodology and the completed risk register; the Statement of Applicability (SoA), which lists all Annex A controls and justifies inclusions and exclusions; and the internal audit and management review records. ISO/IEC 17021-1 requires the Stage 1 auditor to confirm that internal audits and management reviews are at least planned, and most certification bodies expect one of each to have been completed before Stage 2. The auditor also interviews key personnel to confirm that the scope is realistic and understood.
Stage 1 produces an audit report that identifies any areas of concern to be resolved before Stage 2. These are typically called observations or areas for improvement at this stage rather than formal nonconformities, because Stage 1 is a readiness check rather than a conformity assessment. The Stage 1 report also informs the Stage 2 audit plan: the auditor uses what they learn at Stage 1 to focus the Stage 2 examination on higher-risk areas.
Stage 2: on-site certification audit
Stage 2 is the assessment that determines whether a certificate is issued. The lead auditor and their team visit the organisation's premises (or, in the case of cloud-delivered operations, the relevant data centres and offices within scope) and gather objective evidence that the controls in the SoA are implemented and operating as described. Auditors use interviews, document review, observation of processes, and testing of technical controls to gather evidence.
The audit follows a plan issued in advance. The plan allocates time to each clause of the standard and to the control areas identified during Stage 1 as higher risk. Audit duration is not negotiated freely: the certification body calculates it from the number of personnel in scope and the complexity of the organisation using the IAF's mandatory guidance on audit time (IAF MD 5), as adapted for ISMS certification by ISO/IEC 27006. For a medium-sized organisation, a Stage 2 audit typically takes two to four on-site days. Larger or more complex organisations in regulated sectors such as healthcare or financial services take longer, particularly where multiple sites are in scope.
At the closing meeting, the lead auditor presents their findings. If no major nonconformities remain open and any minor nonconformities have an accepted corrective action plan, the auditor recommends certification to the certification body's decision-maker. The decision-maker, who is independent of the audit team, reviews the report and issues the certificate. The certificate is then listed on the certification body's public registry and, for accredited certificates, usually also in the IAF CertSearch global database.
Annual surveillance audits
Surveillance audits maintain the certificate between the initial certification and recertification. They are shorter than Stage 2 (typically one to two days for a medium organisation) and cover a sample of the ISMS, not the full scope. The certification body's audit programme specifies which areas will be examined at each surveillance visit, with the sample selected to ensure the entire ISMS is reviewed across the three-year cycle.
Surveillance audits always include certain fixed elements regardless of the rotation sample: status of actions from previous audits; changes to the organisation or its ISMS since the last audit; performance of the ISMS as indicated by internal audits, management review outputs, and incident records; and continued suitability of the scope. The auditor is looking for evidence that the ISMS is not static documentation but a living system that is actively managed.
A surveillance audit can raise nonconformities with the same consequences as a Stage 2 finding. A major nonconformity at a surveillance audit puts the certificate at risk. The organisation must submit a corrective action plan and provide evidence of correction, usually within 90 days. If the major nonconformity is not resolved within that period, the certificate is suspended. Suspension is publicly visible on the certification body's registry, which creates commercial and reputational pressure to resolve findings quickly.
Nonconformity classification and resolution
Every audit finding is classified before the closing meeting. The three categories are: major nonconformity, minor nonconformity, and observation (sometimes called opportunity for improvement). The classification drives both the response process and the risk to certification.
| Classification | Definition | Response required | Timeline |
|---|---|---|---|
| Major nonconformity | Systemic failure or complete absence of a required element | Corrective action plan + verified evidence of correction and corrective action | Typically 90 days, certificate at risk until closed; at initial certification, ISO/IEC 17021-1 requires a repeat Stage 2 if the major cannot be verified closed within 6 months of the last day of Stage 2 |
| Minor nonconformity | Isolated lapse not indicating systemic failure | Corrective action plan accepted; evidence of implementation reviewed at next audit | Closed before the next scheduled audit |
| Observation | Potential future risk or area for improvement; not yet a nonconformity | No mandatory response; organisation may act voluntarily | No deadline; tracked in the audit record |
The corrective action process for a nonconformity has three required steps: root cause analysis (identifying why the failure occurred, not just what occurred), correction (fixing the immediate instance), and corrective action (addressing the root cause to prevent recurrence). Auditors reject responses that only document correction without root cause analysis. A response that says 'the password policy document has been updated' without explaining why it was not being followed, and what has changed to ensure it will be followed in future, is insufficient.
Minor nonconformities that recur in the same control area across two consecutive audits are typically escalated to major. This pattern indicates that previous corrective actions were ineffective, which itself suggests a systemic problem. Organisations should track open nonconformities in their corrective action register and verify closure before the next audit, not assume the certification body will forget.
Accreditation bodies and the trust hierarchy
The credibility of an ISO 27001 certificate depends on the accreditation status of the certification body that issued it. Accreditation means the certification body has been independently assessed against ISO/IEC 17021-1, which sets requirements for the competence, consistency, and impartiality of management system certification bodies, and against ISO/IEC 27006 for ISMS-specific competence. Without accreditation, there is no independent check on whether the certification body is applying the standard correctly.
National accreditation bodies are typically government-designated or government-recognised and operate to ISO/IEC 17011, which sets requirements for accreditation bodies themselves. In the UK, UKAS (United Kingdom Accreditation Service) is the sole national body. Germany has DAkkS, France has COFRAC, and India's national body is NABCB (National Accreditation Board for Certification Bodies). In the United States, both ANAB (ANSI National Accreditation Board) and A2LA (American Association for Laboratory Accreditation) accredit ISO 27001 certification bodies. These national bodies are members of the International Accreditation Forum (IAF), which operates a multilateral recognition arrangement (MLA) maintained by peer evaluation: a certificate issued by a UKAS-accredited body is recognised as equivalent to one issued by a NABCB-accredited body, enabling cross-border trust.
When evaluating a certificate presented by a supplier or partner, verify three things: that the certification body is accredited for ISMS certification by an IAF MLA signatory (check the accreditation body's registry of accredited bodies, and the accreditation mark and number on the certificate itself); that the certificate is currently valid and not suspended or withdrawn (check the certificate number against the certification body's registry or IAF CertSearch, not just the PDF the supplier sent); and what the scope covers. An ISO 27001 certificate covers only what is stated in its scope statement. A certificate that covers a vendor's administrative offices but not their data centre is worth considerably less than one that covers the full service delivery environment. Ask for the current Statement of Applicability alongside the certificate: it shows which Annex A controls were excluded and why.
Key Takeaways
- ISO 27001 certification follows a three-year cycle: Stage 1 (documentation review), Stage 2 (on-site certification audit), Surveillance 1 (year one), Surveillance 2 (year two), and recertification (year three), after which the cycle restarts.
- Stage 1 is a readiness check that identifies gaps before the Stage 2 assessment; Stage 2 is the on-site test of implemented controls that results in the certification decision.
- Major nonconformities indicate systemic failure and must be resolved with verified evidence before a certificate is issued or maintained; minor nonconformities are isolated lapses that must be closed before the next scheduled audit.
- Accreditation bodies such as UKAS, DAkkS, NABCB, and ANAB assess certification bodies against ISO/IEC 17021-1; a certificate from an accredited body carries internationally recognised standing through the IAF multilateral arrangement.
- Corrective action for any nonconformity requires root cause analysis, correction of the immediate instance, and action to prevent recurrence: responses that only document the fix without identifying why the failure occurred will be rejected by the auditor.
Review questions
- What is the difference between a Stage 1 and Stage 2 ISO 27001 audit?
- How often must an ISO 27001-certified organisation undergo surveillance audits?
- What is a major nonconformity in an ISO 27001 audit?
- What does accreditation mean for a certification body?
- What happens if an organisation fails to close a minor nonconformity before the next surveillance audit?