What to check 30 days before your surveillance audit
A final 30-day checklist for surveillance: evidence continuity over the year, closed prior findings and control owners who can speak to their controls. Rehearse, do not cram.
By Kellwick Team · April 8, 2026 · 3 min read
A surveillance audit is not a repeat of certification. The auditor is checking that your ISMS kept running in the year since the last audit, that prior findings are closed, and that the system still improves. Thirty days out, your job is to confirm and rehearse, not to build. Here is where to look.
Prove the year was continuous
Surveillance lives or dies on continuity. The auditor wants to see that controls operated all year, not that you revived them last month.
Walk your recurring activities and confirm each has evidence dated across the full period:
- Access reviews at their stated frequency.
- Vulnerability scans and the remediation that followed.
- Risk reviews and any reassessments.
- Supplier reviews for your key vendors.
- Backup and recovery checks, if in scope.
If any of these has a gap - a quarter with no access review, a scan that lapsed - find it now. A visible gap is better raised by you, with an explanation, than discovered by the auditor.
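The continuity walk above is mechanical enough to script. The example below is added here and is not part of the original post or of any tool the page describes: it takes a constructed evidence log (control name plus the date each record is dated), the stated frequency of each recurring control, and the audit period, and reports every stretch longer than frequency plus a grace allowance with no evidence. The control names, frequencies, 14-day tolerance and dates are all assumed for illustration; the period edges count as boundaries so a control that started late or stopped early is flagged too, and a control with no in-period evidence at all is flagged for the whole period rather than slipping through the interval test.

```python
"""Evidence continuity check for recurring ISMS controls.

Added example, not from the original post. Control names, frequencies,
tolerance and evidence dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Gap:
    control: str
    start: date  # last evidence before the gap, or the period start
    end: date    # next evidence after the gap, or the period end

    @property
    def days(self) -> int:
        return (self.end - self.start).days


# Audit period: the year since the last audit (assumed dates).
PERIOD_START = date(2025, 4, 1)
PERIOD_END = date(2026, 3, 31)

# Stated frequency of each recurring control, in days (assumed values).
FREQUENCY_DAYS = {
    "access-review": 90,      # quarterly
    "vuln-scan": 30,          # monthly
    "risk-review": 180,       # half-yearly
    "supplier-review": 365,   # annual, key vendors only
}

# Constructed evidence log: (control, date the record is dated).
EVIDENCE = [
    ("access-review", date(2025, 4, 15)),
    ("access-review", date(2025, 7, 10)),
    # Q4 2025 review never happened; the next one is dated January.
    ("access-review", date(2026, 1, 20)),
    # Monthly scans on the 3rd, except September and October lapsed.
    *[("vuln-scan", date(2025, m, 3)) for m in (4, 5, 6, 7, 8, 11, 12)],
    *[("vuln-scan", date(2026, m, 3)) for m in (1, 2, 3)],
    ("risk-review", date(2025, 5, 20)),
    ("risk-review", date(2025, 11, 18)),
    # Last year's supplier review is outside the period and does not count.
    ("supplier-review", date(2025, 3, 20)),
]


def find_gaps(evidence, frequency_days, period_start, period_end,
              tolerance_days=14):
    """Return Gap records for every interval with no evidence that is
    longer than the control's stated frequency plus the tolerance.

    Evidence dated outside the period is ignored. A control with no
    in-period evidence is reported as one gap over the whole period,
    which matters for annual controls where the interval test alone
    would pass a period of 365 days against an allowance of 379.
    """
    by_control = {control: [] for control in frequency_days}
    for control, when in evidence:
        if control not in by_control:
            raise ValueError(f"no stated frequency for control {control!r}")
        if period_start <= when <= period_end:
            by_control[control].append(when)

    gaps = []
    for control, freq in frequency_days.items():
        dates = sorted(by_control[control])
        if not dates:
            gaps.append(Gap(control, period_start, period_end))
            continue
        allowed = timedelta(days=freq + tolerance_days)
        bounded = [period_start] + dates + [period_end]
        for earlier, later in zip(bounded, bounded[1:]):
            if later - earlier > allowed:
                gaps.append(Gap(control, earlier, later))
    return gaps


if __name__ == "__main__":
    for gap in find_gaps(EVIDENCE, FREQUENCY_DAYS, PERIOD_START, PERIOD_END):
        print(f"{gap.control:16} {gap.start} -> {gap.end}  ({gap.days} days)")
```

On the constructed data this reports three gaps: the missing Q4 access review, the two lapsed scan months and the supplier review that has no evidence anywhere in the period. Each of those is a gap to raise yourself, with an explanation, rather than leave for the auditor to find. The tolerance is deliberately a parameter; set it to whatever slack your own procedure actually allows, not what would make the report come up clean.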
Close out prior findings properly
Open findings from the last audit are the first thing many auditors revisit. For each one, confirm:
- The corrective action is complete, not just assigned.
- You captured root cause, not only a quick patch.
- There is evidence the fix held over time, not a same-day closure.
A prior finding that is still open, or closed without evidence, is the fastest route to a repeat nonconformity. Repeat findings carry more weight than fresh ones.
Confirm control owners can speak to their controls
Auditors interview the people who run the controls. A tidy document does not help if the owner cannot explain what they do.
In the next month, have each owner briefly walk through their control: what it is, how often it runs, where the evidence lives. This is rehearsal, not scripting. If an owner has changed role or left, reassign the control and brief the new person before the audit, not during it.
Tidy the evidence store
Most surveillance friction is not missing evidence; it is evidence no one can find quickly. Before the audit:
- Make sure records live in one known place, organised by control or clause.
- Remove ambiguity - clear dates, clear ownership, no mystery filenames.
- Check that links and access still work, so nothing is locked in a former employee's account.
If producing evidence for a given control takes more than a couple of minutes, fix the storage now.
Check what changed this year
Surveillance auditors care about change. New products, new infrastructure, acquisitions, a reorganisation or a major incident all affect your ISMS. Confirm that:
- Your risk assessment reflects those changes.
- Scope is still accurate.
- Management review discussed them and recorded decisions.
Silence about a significant change looks like something you missed rather than something under control.
Rehearse, do not cram
The temptation at 30 days is to generate a burst of activity to fill gaps. Auditors recognise last-minute evidence, and it undermines the continuity you are trying to show. Better to surface a real gap, document why it happened and show what you changed. A calm, well-organised audit where owners know their controls beats a frantic one every time.
Bottom line
Thirty days before surveillance is for confirming and rehearsing: continuous evidence, closed prior findings, owners who can speak, and a tidy store. If a dry run turns up gaps you cannot honestly close in time, name them and prepare your explanation. A short readiness check now is enough to walk in composed rather than cramming.
Need a second pair of eyes before the auditor does?
A readiness review shows exactly where your ISMS stands - and what to fix first - while there is still time to act on it.