Think of your ISO 27001 certification as the wedding day – the celebration of a completed ISMS. The surveillance audits? They are the recurring check-ins that help maintain the “marriage” between your policies, people, and processes. This article describes the surveillance audit as a repeatable maintenance engine, using Year 2 (the first surveillance audit) as a practical reference point.
A practical quarterly schedule can help support ISO 27001 certification maintenance and may reduce reliance on external support for routine documentation and coordination. Key focus areas include governance, people and awareness controls, operational evidence management, and targeted technical checks, with rotational reviews extending into Year 3 and beyond.
Why Year 2 Matters in the Surveillance Cycle
ISO 27001 certification is not a “set it and forget it” achievement. After initial certification in Year 1, your ISMS enters a maintenance phase, where auditors may review whether controls are operating as intended, and whether policies, processes, and evidence are kept up to date.
Key insight:
- Surveillance audits form a repeatable cycle, with Year 2 (Surveillance 1) and Year 3 (Surveillance 2) acting as twin maintenance years.
- While Year 1 focused on design and implementation, these audits typically examine ongoing control operation, continuity of evidence, and how changes in your environment are handled.
- A structured quarterly rhythm – covering updates to the risk register, policy reviews, and rotational checks of technical controls – is commonly used to support consistency and traceability across years.
Quick analogy:
- Year 1 – Design and Certification: Stage 1 (Documentation) is like planning the wedding, and Stage 2 (Implementation) is the ceremony itself, where the ISMS is put into practice.
- Years 2 and 3 – Ongoing Operation (Surveillance Audits): These years represent daily married life, where regular check-ins, policy reviews, and evidence updates may help maintain the ongoing effectiveness and structure of your ISMS.
- Year 4 – Recertification: This is like renewing your vows – confirming that the relationship has continued to work over time and preparing for the next certification cycle.
ISO 27001 Surveillance vs Initial Audit: Key Differences
To understand how your ISO 27001 ISMS progresses over time, it helps to compare the different audit phases. The table below summarises each stage and examples of what auditors may review.
| Phase | Focus | Examples of What Auditors May Review |
|---|---|---|
| Initial Certification (Year 1) | Design and Implementation | Scope, policies, risk assessment, Statement of Applicability |
| Surveillance 1 (Year 2) | Operating Effectiveness | Logs, evidence continuity, control execution, adherence to policies |
| Surveillance 2 (Year 3) | Continuous Improvement | Rotational technical controls, handling changes, updates to risk register |
| Recertification (Year 4) | Full ISMS Reassessment | Ongoing operation across all controls, system adjustments |
Tip: Year 2 surveillance may look similar to recertification, but it primarily focuses on reviewing ongoing operations rather than re-assessing the entire ISMS.
Common Year 2 Pitfalls and How to Address Them
SMEs may face challenges in surveillance audits, often due to administrative drift rather than security gaps. Below are some recurring pitfalls observed in Year 2, along with practical approaches to address them.
| Common Pitfall | Example | Practical Approach |
|---|---|---|
| The 'New Guy' Gap | New hires have not signed the Acceptable Use Policy | A structured onboarding checklist is a common way to document training and policy acknowledgement; review it regularly to keep records current. |
| The Ghost Logs | Access Review exists, but logs were never exported | Schedule a recurring "Evidence Day" once per quarter to generate and review logs. |
| The Stale Risk Register | AI features or cloud migrations are undocumented | Link Year 2 audit activities to your Risk Register and update entries quarterly. |
| The Missing Internal Audit | No independent audit conducted in the last 12 months | Some SMEs use peer reviews or structured self-assessments to maintain audit continuity. |
| The "Oops, We Changed Something" Gap | Slack → Teams migration occurred without a Change Note | Some SMEs maintain a simple Change Log template and attach relevant evidence for review. |
Tip: Treat quarterly tasks like a 15-minute Friday check rather than a month-long project. Small, consistent reviews may help your ISMS remain structured, auditable, and adaptable over time.
Quarterly Maintenance Matrix for ISO 27001 Surveillance Audits (Year 2 and 3)
This matrix aligns ISO/IEC 27001:2022 clauses and controls to quarterly ISMS maintenance tasks. It is presented as an example of a repeatable structure that some organisations use for Surveillance 1 (Year 2) and Surveillance 2 (Year 3), intended to help SMEs track risks, review policies, and maintain evidence in a structured way.
| Quarter | Theme | ISO/IEC 27001:2022 Mapping (Clause and Control) | Specific Evidence to Maintain |
|---|---|---|---|
| Q1 | Strategy and Governance | Clause 5.2 (Roles); 6.1.2 (Risk Assessment) | Updated Risk Register signed off by CEO; Internal Audit report from previous year. |
| Q2 | People and Training | Clause 7.2 (Competence); 7.3 (Awareness) | Training logs for new hires; awareness session attendance records. |
| Q3 | Partners and Suppliers | Clause 7.5 (Documentation) | Tier 1 cloud / SaaS provider reviews; evidence of contract security clauses. |
| Q4 | Operations and Management Review | Clause 9.3 (Management Review); 8.1 (Operational Planning) | Management Review minutes; updated Statement of Applicability (SoA); logged corrective actions. |
Rotational Control Coverage
As surveillance audits are shorter than initial certifications, auditors typically sample your controls rather than checking all 93. However, the specific controls selected for review remain at the auditor’s discretion. Some SMEs rotate their deep-dive focus as a way to spread review effort.
- Year 2 Focus (Surveillance 1): Auditors prioritise the "Governance Engine" – leadership commitment, evidence of quarterly meetings, training logs for new hires, and major supplier reviews.
- Year 3 Focus (Surveillance 2): Some organisations report a greater likelihood of technical sampling of rotational controls you have not discussed since Year 1. For example:
  - Control 8.24 (Cryptography): Evidence of how you manage SSH keys, secrets, and encryption standards in your production environment.
  - Controls 7.2 and 7.3 (Physical Security): For remote teams, this means verifying hardware security policies, device tracking, and secure co-working practices.
  - Control 5.24 (Incident Planning and Preparation): Providing the "receipts" for your last tabletop exercise or a "near-miss" report to show the process is active.

This approach may help SMEs maintain consistent ISMS oversight across both surveillance years without introducing additional complexity.
Handling Significant Changes During Surveillance Audits
ISO 27001 highlights the importance of planning and managing changes that may affect the ISMS (Clause 6.3). During surveillance audits, reviewers may look at how organisations identify, assess, and document changes that occur after initial certification.
Examples of changes commonly reviewed include:
- Migration of cloud infrastructure (e.g. a transition between cloud infrastructure providers)
- Introduction of new AI-enabled features
- Changes to product architecture or data flows
Practical Approach: Some organisations maintain a simple “Significant Change Log” to capture how updates are handled over time. Typical entries found in a change log include:
- The nature of the change
- A brief impact assessment
- Any related control or risk adjustments
- Evidence of review or approval by leadership
Documenting changes in this way may help demonstrate that updates to systems, products, or suppliers are considered within the ISMS, rather than occurring outside of it.
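As an added example (not code from the original article or from Chill Compliance), the Python script below models the two artefacts described above, the quarterly evidence matrix and the Significant Change Log, and runs the cross-checks an internal audit might apply before the surveillance visit: every change entry carries the four elements listed, every risk linked to a change was reviewed on or after the change date (the "Stale Risk Register" pitfall), and each piece of quarterly evidence is no older than the cadence (the "Ghost Logs" pitfall). The record structures, field names, the 90-day threshold and all sample records are assumptions constructed for illustration.

```python
"""ISMS maintenance self-check (added example; not the article's own tooling).

All records and field names below are constructed assumptions, chosen to
mirror the change-log elements and quarterly evidence items the article lists.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: evidence is expected to be refreshed at least once a quarter.
QUARTERLY_CADENCE = timedelta(days=90)


@dataclass
class RiskEntry:
    risk_id: str
    title: str
    last_reviewed: date


@dataclass
class ChangeEntry:
    change_id: str
    changed_on: date
    nature: str               # what changed
    impact_assessment: str    # brief assessment of the effect on the ISMS
    linked_risks: list[str]   # risk register IDs adjusted because of the change
    approved_by: str          # leadership sign-off; empty string means none recorded


@dataclass
class EvidenceItem:
    name: str
    quarter: str
    last_updated: date


def validate_change(change: ChangeEntry) -> list[str]:
    """Return the gaps in one change-log entry; an empty list means it is complete."""
    gaps = []
    if not change.nature.strip():
        gaps.append("missing description of the change")
    if not change.impact_assessment.strip():
        gaps.append("missing impact assessment")
    if not change.linked_risks:
        gaps.append("no related control or risk adjustment recorded")
    if not change.approved_by.strip():
        gaps.append("no evidence of leadership review/approval")
    return gaps


def stale_risks_for_changes(changes, risks):
    """Flag risks linked to a change that were not reviewed on or after that change."""
    by_id = {r.risk_id: r for r in risks}
    findings = []
    for c in changes:
        for rid in c.linked_risks:
            r = by_id.get(rid)
            if r is None:
                findings.append((c.change_id, rid, "unknown risk id"))
            elif r.last_reviewed < c.changed_on:
                findings.append((c.change_id, rid, "risk register not updated since change"))
    return findings


def overdue_evidence(items, as_of: date) -> list[str]:
    """Return names of evidence items older than the quarterly cadence at `as_of`."""
    return [i.name for i in items if as_of - i.last_updated > QUARTERLY_CADENCE]


# Constructed sample data (not real audit records).
SAMPLE_RISKS = [
    RiskEntry("R-07", "AI feature data flows not assessed", date(2025, 3, 1)),
    RiskEntry("R-12", "Collaboration tool misconfiguration", date(2025, 9, 15)),
]
SAMPLE_CHANGES = [
    ChangeEntry("CHG-01", date(2025, 8, 20), "Migrated chat from Slack to Teams",
                "Data residency unchanged; retention settings reviewed", ["R-12"], "CEO"),
    ChangeEntry("CHG-02", date(2025, 6, 10), "Added AI-assisted search feature",
                "", ["R-07"], ""),
]
SAMPLE_EVIDENCE = [
    EvidenceItem("Access review log export", "Q2", date(2025, 5, 2)),
    EvidenceItem("Management Review minutes", "Q4", date(2025, 10, 1)),
]
AS_OF = date(2025, 11, 1)


def run_self_check(changes=SAMPLE_CHANGES, risks=SAMPLE_RISKS,
                   evidence=SAMPLE_EVIDENCE, as_of=AS_OF) -> dict:
    """Bundle the three checks into one report suitable for an internal audit note."""
    return {
        "incomplete_changes": {c.change_id: validate_change(c) for c in changes
                               if validate_change(c)},
        "stale_risks": stale_risks_for_changes(changes, risks),
        "overdue_evidence": overdue_evidence(evidence, as_of),
    }


if __name__ == "__main__":
    for section, result in run_self_check().items():
        print(f"{section}: {result}")
```

With the constructed sample data the report flags CHG-02 (no impact assessment, no approval), risk R-07 as not reviewed since the AI feature was added, and the Q2 access review export as overdue, which is exactly the kind of administrative drift an auditor samples for in Year 2.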
Internal Audit vs Surveillance Audit
A common point of confusion for SMEs is the distinction between an internal audit and a surveillance audit. While both involve reviewing controls and evidence, they serve different roles within the ISMS lifecycle.
In practice, ISO 27001 emphasises audit impartiality, and internal audits are commonly structured to be independent of day-to-day ISMS operation. In smaller organisations, issues may arise when the same individual both runs the ISMS and reviews their own work, which auditors may view as a lack of independence.
Common challenges observed in SMEs include:
- Internal audits being performed by the same person responsible for the ISMS
- Internal audits being skipped, delayed, or conducted at a very high level without documented findings
Practical Approach:
- The standard highlights audit impartiality (Clause 9.2). Small teams often achieve this by having a peer or co-founder who is not responsible for the ISMS perform the review.
- Use a structured internal audit checklist to guide reviews.
- Track findings, actions, and follow-ups as part of normal ISMS records.
Internal audits are typically reviewed during surveillance audits as evidence of ongoing self-assessment. Where no recent internal audit is available, auditors may raise findings relating to governance or process effectiveness.
Day of the Audit Cheat Sheet
During a surveillance audit, reviewers often request a small set of core documents to understand how the ISMS is operating in practice. These may be reviewed via screen-share or other agreed audit methods and selected as samples rather than a complete system walkthrough.
Auditors may request documents such as:
- Management Review minutes, ideally dated after the most recent internal audit
- An updated Risk Register, reflecting current services and risks
- A sample employee training record, selected at random
- The Incident Log, including low-impact events or near misses where applicable
- Statement of Applicability (SoA) version history, showing how control decisions have evolved
Practical Tip: Keeping these documents logically indexed and easy to locate may help the audit conversation feel more like a structured check-in than an interrogation.
TL;DR – Maintain Your ISO 27001 ISMS
Key takeaways from the surveillance audit lifecycle include:
- Year 2 surveillance audits typically focus on how controls operate in practice, rather than how they are documented on paper.
- Activities such as internal audits, periodic reviews, and change logging are commonly examined as part of ongoing ISMS governance.
- A rotational quarterly matrix may help spread effort across both Year 2 and Year 3 surveillance audits.
- Significant changes, such as new technologies or services, are often documented using simple, repeatable templates.
- A small set of core ISMS documents is frequently requested during audit discussions.
- Where AI tools or features are introduced, linking updates to the AI risk analysis may help support consistency across related risk documentation.
An ISMS tends to work best when treated as a regular practice rather than a once-a-year exercise. Certification marks the initial milestone, but ongoing check-ins, reviews, and adjustments support the long-term effectiveness of the system.
Next Step: Explore examples of ISO 27001 templates that may be used as part of a repeatable documentation and evidence workflow.
Next Article: In ISO 27001 for GDPR and CCPA: Informational Overview for SMEs and Startups (2026 Edition), we explore how ISO 27001 aligns security controls across jurisdictions while clarifying that certification does not replace legal compliance.
Related Guides
Explore these ISO 27001 resources to help your SME build a practical, lean ISMS:
Start Here: Complete Guide
- ISO 27001 for SMEs and Startups: The Chill Implementation Guide (2026 Edition) – Full roadmap covering all clauses and Annex A controls, with practical steps, examples, and guidance.
Scaling and The Future of Compliance – Detailed Guides by Topic
- ISO 27001 to SOC 2 Mapping: Evidence Comparison Guide for SMEs – A practical comparison of how ISO 27001 controls and evidence may align with SOC 2 Security criteria, highlighting common overlaps and gaps.
- AI and Information Security: Practical Controls for Startups – Guidance on managing AI as a traceable operational asset, linking ISO 27001 practices to model training, inference, logging, and third-party AI services.
- ISO 27001 for GDPR and CCPA: Informational Overview for SMEs and Startups (2026 Edition) – Practical guidance on using ISO 27001 to support privacy frameworks, mapping Annex A controls to GDPR and CCPA considerations.
- Exploring the Hybrid ISO 27001 Compliance Stack (2026) – A conceptual guide to how startups combine governance, cloud-native tools, and people for structured evidence management.
Please Note: This article provides general information only and does not constitute legal, regulatory, or compliance advice. Using our products or following this guidance cannot guarantee certification, improved business outcomes, or regulatory compliance. Organisations remain responsible for ensuring all actions meet certification and compliance requirements.
This article also mentions examples of commonly used tools. Chill Compliance does not endorse any vendor and has no commercial or affiliate relationship with the providers listed. These examples are for general information only, and readers may wish to evaluate each tool independently, as features and pricing can vary.