What is a Surveillance Audit?

A surveillance audit is a periodic check by your ISO/IEC 27001 certification body, conducted between full certification audits -- typically once a year -- to confirm your ISMS is still operating, maintained, and improving. It is narrower than the initial Stage 2 audit, sampling parts of the ISMS rather than re-examining everything, and is required to keep your certificate valid.

An ISO 27001 certificate is normally valid for a three-year cycle, but it is not "set and forget." In the years between the initial audit and recertification, the certification body performs surveillance audits (usually annually) to verify the ISMS remains effective: that you are still doing internal audits and management reviews, treating risks, tracking corrective actions, and operating the controls in your Statement of Applicability.

For example, a surveillance audit might sample your access reviews for the past year, check that security incidents were logged and handled, and confirm your risk register is current. Missing these activities -- or letting documentation go stale -- can lead to nonconformities or, in serious cases, suspension of the certificate.

Keeping living documents current is what makes surveillance audits low-stress. Maintained policy templates, a risk register, and audit-ready records mean you walk in with evidence already organized. The templates make ongoing maintenance faster, but the certificate stays valid only because the ISMS is genuinely running -- continual operation, not paperwork alone, is what surveillance confirms.

Related terms: Stage 1 and Stage 2 Audit · Continual Improvement · Internal Audit · Corrective Action

Frequently asked questions

How often are ISO 27001 surveillance audits?
Typically once a year during the three-year certification cycle. The first surveillance audit usually occurs within about 12 months of certification, followed by a full recertification audit at the end of the cycle.
Is a surveillance audit as thorough as the certification audit?
No. A surveillance audit is narrower and samples parts of the ISMS, whereas the initial Stage 2 and the three-year recertification audit are more comprehensive. Surveillance focuses on whether the ISMS is being maintained and improved.
Can I lose my certificate at a surveillance audit?
Yes, if serious issues go unresolved. Major nonconformities that are not corrected can lead to suspension or withdrawal of the certificate, which is why ongoing maintenance and evidence-keeping matter.

Toolkits that cover Surveillance Audit

ISO/IEC 27001:2022

ISO 27001 Policy Pack — Core

16 editable ISO/IEC 27001:2022 policies plus the full 93-control Statement of Applicability — everything a small business needs to start its ISMS.

$59 · 30% off with code
ISO/IEC 27001:2022

ISO 27001 Complete Toolkit

All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.

$99 · 30% off with code
ISO/IEC 27001:2022

ISO 27001 Toolkit for SaaS Companies

17 editable ISO/IEC 27001:2022 policies written natively for cloud-native SaaS — including a Customer Data Isolation & Multi-Tenancy Security Policy — plus a SaaS-specific risk register and the 93-control Statement of Applicability.

$69 · 30% off with code

Learn more in our ISO/IEC 27001 guide, explore the editable policy templates, or browse the full compliance glossary.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.