22/02/2025

Maintaining ISO 27001 Compliance: Continuous Improvement and Surveillance Audits

Achieving ISO 27001 certification is a significant milestone for any organisation. The certification not only validates your commitment to protecting information assets but also builds customer trust by demonstrating a structured and ongoing approach to security. However, the journey doesn’t end with receiving the certificate. Continuous improvement, surveillance audits, and readiness for recertification in the third year all require proactive planning and consistent effort. This blog post will guide CTOs and ISMS managers through best practices for keeping ISO 27001 compliance on track in the 1–3 years between official certification audits, using a Plan-Do-Check-Act (PDCA) framework and practical tips to remain “audit-ready” year-round.

1. Post-Certification Overview

After obtaining your initial ISO 27001 certificate, you usually have three years until the next full recertification audit. However, most certification bodies conduct annual or periodic “surveillance audits” to ensure your Information Security Management System (ISMS) remains effective. These shorter audits can take place yearly (or at another interval agreed with the certifying body). They are often less comprehensive than the initial certification audit, but still thorough enough to catch any emerging nonconformities.

Key points about the post-certification phase:

• Certificate validity: Typically lasts three years, contingent on passing surveillance audits.

• Annual surveillance audits: Focus on selected clauses or controls to verify ongoing compliance.

• Year 3 recertification audit: A full, comprehensive review similar in scope to the original certification.

Rather than scramble before each audit, it’s more efficient to embed ISO 27001 practices into daily operations. This not only makes the surveillance process smoother but also strengthens your organisation’s security posture for the long haul.

2. Continuous Improvement (PDCA Cycle)

ISO 27001 is built around a Plan-Do-Check-Act methodology that ensures an ISMS isn’t static but evolves with changing business landscapes and emerging risks. Understanding each stage helps maintain the “continuous improvement” ethos:

Plan
• Revisit risk assessments regularly. New threats, technologies, or business expansions can shift risk levels.
• Set yearly security objectives that are measurable and relevant (e.g., reduce phishing click rates, deploy new endpoint protection, or implement a Data Loss Prevention solution).
• Update policies and procedures to match any newly identified threats, regulatory changes, or market demands.

Do
• Implement or modify controls and operational processes. For instance, if a spike in phishing incidents is observed, roll out extra anti-phishing training or company-wide multi-factor authentication.
• Ensure changes are well-documented. Documentation should mirror real-world processes so employees can follow them accurately.

Check
• Conduct ongoing internal audits. ISO 27001 Clause 9.2 requires periodic internal audits of the ISMS. Rather than wait for a last-minute scramble, consider auditing half your controls every six months or a different set of processes each quarter.
• Review log reports to monitor anomalies (e.g., login attempts, unusual data transfers).
• Conduct annual management reviews, mandated by the standard. These reviews let top management assess ISMS performance, discuss resource needs, and set direction for improvements.

Act
• Implement corrective and preventive actions. If an internal audit flags nonconformities—say, employees skipping a security training or a misconfigured cloud environment—close the loop by updating relevant policies, re-training staff, or fine-tuning configurations.
• Share lessons learned: Each iteration of PDCA should elevate the overall security posture, reducing the likelihood of repeated mistakes.

3. Staying Audit-Ready Year-Round

One hallmark of well-prepared organisations is the ease with which they can produce evidence and documentation during a surveillance audit. If you maintain an “audit-ready” state throughout the year, these audits feel less stressful:

• Keep documentation relevant and current. Whenever processes change—such as adopting a new HR software or adding a new cloud service—update your ISMS documentation accordingly.

• Organise your evidence. Logs, incident reports, risk treatment plans, and training records should be easily accessible, ideally stored in a secure but centralised repository. Auditors often request specific samples; having them immediately on hand improves efficiency.

• Conduct regular internal audits. Schedule them in a way that doesn’t overload your team. By spotting issues early, you have ample time to resolve them before a surveillance audit.

• Ensure management involvement. Top management needs to see the ISMS as integral to business success. Regularly presenting performance metrics—like the decrease in security incidents—keeps leadership engaged and supportive.

4. Handling Changes in Scope or Environment

Businesses evolve. You might:

• Launch new products or features, each introducing new technologies and data flows.

• Open new offices or expand operations to different regions.

• Onboard more employees, contractors, or partners.

Any shift can change the scope of your ISMS. To maintain ISO 27001 compliance:

• Update your scope document to reflect new environments or services.

• Perform risk assessments on new technologies or vendor relationships.

• Extend or adapt security controls to cover additional data flows or operational processes.

• Provide training for new hires or departments so they understand ISO 27001 practices, even if they’ve had no prior exposure to the standard.

5. Responding to Incidents

Despite robust security measures, incidents can (and will) happen—ranging from minor phishing attempts to significant data breaches. ISO 27001 encourages systematic incident management and analysis:

• Document every incident. Retain records of what happened, the root cause, how you responded, and any follow-up actions.

• Perform a post-incident review. Identify whether additional controls could prevent a recurrence. This might involve stronger access management, advanced threat detection tools, or more frequent user awareness training.

• Show how lessons learned feed back into risk treatment. Auditors often ask how you handle incidents and whether improvements result from them.

6. Surveillance Audit Preparation

Although staying compliant year-round should reduce the burden of a last-minute scramble, some preparation right before the annual (or periodic) surveillance audit is wise:

• Review previous audit findings. Check if any previously noted nonconformities or observations have truly been addressed and remain corrected.

• Compile new documentation. If you implemented new controls, changed procedures, or revised risk assessments, have clear documentation ready to showcase these updates.

• Demonstrate continual improvement. Auditors like to see tangible progress. This might be updated risk assessment data, a new training curriculum, or technology enhancements that reinforce information security.

• Expect sampling of different controls. Sometimes, auditors shift focus from one visit to the next. Don’t neglect “less visible” parts of the ISMS—like supplier management or backup processes—just because they weren’t checked last time.

7. Keeping Up with Standards and Best Practices

ISO 27001 isn’t static, and neither is the wider cybersecurity landscape. You may also be subject to other frameworks (e.g., ISO 27701 for privacy or sector-specific standards). Keep an eye on:

• Updates to ISO 27001 or supplementary standards like ISO 27002 (which details recommended controls).

• Emerging best practices from industry bodies like NIST or ENISA.

• Innovative security tools and threat intelligence resources that can strengthen your ISMS.

• Overlapping compliance considerations with other frameworks (SOC 2, GDPR, etc.). Crosswalks between frameworks can simplify your overall effort.

8. Conclusion & Call to Action

Maintaining ISO 27001 compliance is an ongoing commitment—one that ultimately fosters a mature security culture and instills greater trust among customers, partners, and regulatory bodies. By embedding the PDCA cycle into everyday processes, staying on top of documentation, and proactively preparing for annual surveillance audits, your organisation remains agile and secure even as new threats and business changes arise.

If you’re seeking dedicated support for an annual ISMS health check, or if you simply want to ensure your current controls and documentation are aligned with best practices, schedule a consultation with Atoro. Our expert team can review your security posture, recommend targeted improvements, and help you stay poised for both day-to-day security demands and the next surveillance audit. You can also download our in-depth guide, “Year-Round ISO 27001 Compliance,” featuring checklists and timetables to make the process straightforward and stress-free.

By transforming compliance into “business as usual,” you’ll find that audits no longer disrupt the organisation but become confirmation of your ongoing commitment to robust information security. And in a world of fast-changing risks, that’s a distinction your stakeholders will truly value.