ISO 27001 Surveillance Audit Preparation: The Complete Guide
A practical, end-to-end guide to preparing for an ISO 27001 surveillance audit - proving the ISMS kept operating all year, closing prior findings, and walking in composed rather than cramming.
By Kellwick Team · June 30, 2026 · 11 min read
You passed your certification audit. The certificate is on the wall. Then a year later the auditor comes back, and this time the question is different. They are not asking whether you built an information security management system. They are asking whether you actually ran it. This guide is for founders, CTOs and GRC leads at certified SaaS, fintech and payment companies who want to walk into that surveillance audit composed rather than cramming.
What a surveillance audit actually tests
A certification audit is a design and existence test. It asks whether your ISMS meets the requirements of the standard and whether the controls in your Statement of Applicability exist. A surveillance audit is an operation and continuity test. It asks whether the system has kept working since the auditor last looked.
Under the standard, a certificate runs on a three-year cycle. Year one is certification. Years two and three are surveillance audits, usually annual, sometimes more frequent for larger or higher-risk scopes. At the end of the cycle you face a recertification audit, which is closer in depth to the original. Surveillance audits are lighter in scope than recertification, but they are not soft. They sample. They probe the areas most likely to have drifted.
The auditor will typically look at your management review, your internal audit programme, your risk treatment activity, your corrective actions from the last visit, and a rotating selection of Annex A controls. They want evidence that the ISMS produced outputs across the whole period, not just in the weeks before they arrived. That distinction is the single most important thing to understand about surveillance.
The "went quiet for 11 months" failure mode
The most common way to struggle in a surveillance audit is not a missing control. It is a silent one. The ISMS was alive during the certification push, then the team shipped product for eleven months, then someone realised the audit was three weeks away and started backfilling.
Auditors recognise this pattern immediately. The tell is evidence that clusters. Access reviews all dated the same week. A management review meeting held the day before the audit. Risk assessments with a single revision, timed suspiciously. Internal audit reports written in a rush and light on findings. None of these are fatal on their own, but together they say the system stopped and was restarted for show.
The standard expects the ISMS to operate on a rhythm. Quarterly access reviews should appear quarterly. Risk should be reviewed on a defined cadence and when material change occurs. Incidents should be logged as they happen, with timestamps that match reality. When your evidence is evenly distributed across the year, the audit becomes a confirmation exercise. When it clusters, the audit becomes an investigation. You want the confirmation.
Continuity of evidence
Continuity is the theme that runs through everything a surveillance auditor cares about. They are building a timeline, and your evidence is the record that fills it in.
Think in terms of cadenced controls and event-driven controls. Cadenced controls run on a schedule: access recertification, vulnerability scanning, backup testing, supplier reviews, security awareness training, policy review. For each of these, the auditor expects to see the activity recur at its stated frequency, with dated artefacts. If your policy says access is reviewed quarterly, four reviews should exist, spread across the year.
Event-driven controls fire when something happens: incidents, change approvals, onboarding and offboarding, risk exceptions. Here the auditor cross-checks. They may pick a leaver from your HR records and ask you to show that access was revoked within your stated window. They may take a production change and ask for the approval trail. The evidence has to match the event by date, not by intention.
The practical discipline is to capture evidence at the moment the control runs, not to reconstruct it later. A ticket closed in March is worth more than a spreadsheet assembled in June that claims the same thing happened. Reconstruction is visible, and it erodes auditor trust for the rest of the visit.
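As an added example (not part of the original article), a small Python check for the two tells described above: the cadence a control is supposed to run at, and evidence that clusters into one short window. It takes an index of dated artefacts per control plus the frequency each policy states, and flags controls that ran too seldom, left a gap longer than the cadence allows, or bunched their artefacts together. The evidence index, the cadence figures and the 14-day clustering window are assumed sample values, not from any real ISMS.

```python
from collections import defaultdict
from datetime import date

# Constructed sample evidence index (control, artefact date): hypothetical values,
# not from any real ISMS. In practice, build this from the evidence store's metadata.
EVIDENCE = [
    ("access_review", date(2025, 3, 28)), ("access_review", date(2025, 6, 30)),
    ("access_review", date(2025, 9, 29)), ("access_review", date(2025, 12, 19)),
    # four "quarterly" restore tests all run the week before the audit
    ("backup_restore_test", date(2025, 12, 2)), ("backup_restore_test", date(2025, 12, 3)),
    ("backup_restore_test", date(2025, 12, 4)), ("backup_restore_test", date(2025, 12, 5)),
    ("supplier_review", date(2025, 2, 10)),  # annual, once: fine
]
# Stated cadence per control: (artefacts expected in the period, max gap in days).
# Assumed figures; take them from your own policy statements.
CADENCE = {"access_review": (4, 120), "backup_restore_test": (4, 120),
           "supplier_review": (1, 400), "vuln_scan": (12, 45)}  # vuln_scan: monthly, absent
PERIOD_START, PERIOD_END = date(2025, 1, 1), date(2025, 12, 31)
CLUSTER_WINDOW_DAYS = 14


def check_cadence(evidence, cadence, start, end):
    """Return {control: [issue, ...]} for controls whose artefacts are too few,
    leave a gap longer than the cadence allows, or cluster into one short window."""
    by_control = defaultdict(list)
    for control, when in evidence:
        if start <= when <= end:
            by_control[control].append(when)
    findings = {}
    for control, (expected, max_gap) in cadence.items():
        dates = sorted(by_control.get(control, []))
        issues = []
        if len(dates) < expected:
            issues.append(f"only {len(dates)} of {expected} artefacts in period")
        # Bracket with the period boundaries so a late start or early stop also shows.
        points = [start] + dates + [end]
        for a, b in zip(points, points[1:]):
            if (b - a).days > max_gap:
                issues.append(f"gap of {(b - a).days} days between {a} and {b}")
        # The clustering tell: more than half the expected artefacts in one short window.
        for i, d in enumerate(dates):
            run = sum(1 for x in dates[i:] if (x - d).days <= CLUSTER_WINDOW_DAYS)
            if expected > 1 and run > expected / 2:
                issues.append(f"{run} artefacts clustered within {CLUSTER_WINDOW_DAYS} days of {d}")
                break
        if issues:
            findings[control] = issues
    return findings
```

Run it ninety days out and again at thirty: an empty result means the cadenced controls look evenly distributed; anything it returns is a gap to fill honestly now rather than backfill later.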
Closing prior findings with root cause
Every finding from your last audit is a promise you made to fix something. The surveillance audit checks whether you kept it. This is the area where companies most often lose ground, because a finding that is still open, or was closed superficially, signals that the corrective action process itself does not work.
A minor nonconformity closed with a one-line "we updated the policy" is a weak close. The auditor wants to see that you understood why the gap occurred. That means a documented root cause, a correction that fixes the immediate problem, and a corrective action that addresses the underlying cause so it does not recur.
What good closure looks like
Take a finding that offboarding was not completed within the required window for two leavers. A weak close says access was removed for those two people. A strong close identifies why it happened: the offboarding checklist relied on a manual step that a manager skipped. The correction removes the access. The corrective action changes the process so revocation is triggered automatically by the HR system, and you show evidence that the new process has run cleanly for subsequent leavers. Then you verify effectiveness by checking a later sample. That is a closure an auditor can accept without reopening the conversation.
Bring a clean record for every prior finding: the finding, the root cause, the action taken, the evidence, and the date effectiveness was confirmed. Have it ready before the auditor asks.
Control owners who can speak to their controls
An auditor learns as much from a conversation as from a document. When they sample a control, they often want to talk to the person who owns it. A named owner who can explain how the control works, why it exists, and where the evidence lives, is worth more than a polished policy that nobody can speak to.
The failure mode is a control owner who has moved on, or who was never really the owner, or who freezes and defers everything to the compliance lead. That tells the auditor the control is documentation rather than practice. Ownership on paper is not ownership.
Before the audit, confirm that every applicable control has a real owner. Brief them. They do not need to memorise the standard. They need to be able to say, in plain terms, what they do, how often, and how they would show it. A short internal walkthrough with each owner surfaces gaps while you still have time to fix them, and it calms nerves on the day.
Evidence store hygiene
Where your evidence lives matters almost as much as whether it exists. An auditor who has to wait twenty minutes for each artefact loses confidence, and a slow audit is a suspicious audit. A tidy evidence store lets you answer requests in seconds and keeps the visit on your terms.
Organise evidence so that it maps to how the audit runs: by control or clause, and by date. Use consistent naming so a review from Q1 is easy to distinguish from Q3. Keep source records rather than screenshots where you can, because screenshots are easy to doubt and hard to date reliably. Control access to the store so its integrity is not in question.
The goal is that when the auditor names a control and a period, someone can produce the exact artefact without a scramble. This is unglamorous work, but it is the difference between a half-day audit and a two-day one.
Changes since the last audit
Nothing in your business stood still for a year, and the auditor knows it. They will look specifically at what changed, because change is where controls slip.
Three areas matter most. First, scope. If you added products, entered new markets, moved data into new regions, or acquired a team, does your certified scope still describe reality? A scope that no longer matches the business is a serious finding. Second, risk. New systems, new suppliers, new threats and new architecture should have flowed into your risk assessment and treatment. A risk register that did not move all year is not credible for a growing company. Third, the Statement of Applicability. When controls or their justification change, the SoA should reflect it, and it should stay aligned with your current risk treatment.
Prepare a short change narrative before the audit. What changed in the organisation, in the technology, in the supplier base, and how the ISMS absorbed each change. This shows the system is responsive rather than static, which is exactly what surveillance is meant to confirm.
Internal audit and management review between cycles
Two clauses do more to prove a living ISMS than any control: internal audit and management review. Both are required, and both must have happened in the period since the last external visit.
Your internal audit programme should have covered a meaningful slice of the ISMS during the year, produced findings, and fed those findings into corrective action. An internal audit that finds nothing is a warning sign, not a triumph. Auditors expect a competent internal audit to surface real issues, and they expect those issues to have been addressed.
Management review is the point where leadership looks at the ISMS and makes decisions. It should have covered the standard inputs: audit results, incidents, risk changes, objectives, supplier and resourcing issues, and improvement opportunities. It should have produced decisions and actions with owners. A single hurried meeting is thin. A recorded, substantive review with genuine leadership input demonstrates that the ISMS has attention at the top, which is what the standard is really testing here.
The corrective action loop
Corrective action is the engine that turns problems into improvements, and the surveillance audit inspects the whole loop, not just individual fixes. A working loop looks like this: an issue is identified, from internal audit, an incident, a control failure or a supplier problem. It is logged. Root cause is analysed. Action is taken. Effectiveness is verified. The item is closed.
What the auditor wants to see is that this loop runs consistently and that items do not sit open forever. A corrective action log full of items overdue by months tells them the process exists but does not function. A healthy log shows a steady flow of items entering, being worked, and closing with evidence. Keep it current, and be honest about what is still open, with a credible plan and date for each. Auditors are far more comfortable with an open item that has a real plan than a closed item that was never really fixed.
The 90-day checklist
Ninety days out is when preparation should begin in earnest. Cramming in the final fortnight is the pattern you are trying to avoid.
- Confirm your audit date, scope and the certification body's plan.
- Review every finding from the last audit and confirm each is closed with root cause and evidence.
- Complete any internal audit still outstanding for the cycle, and address its findings.
- Confirm your management review for the period has happened and is properly recorded.
- Walk your risk register and SoA against what actually changed in the business this year.
- Check that cadenced controls have run at their stated frequency, and fill genuine gaps now while there is still time to do so honestly.
- Confirm every applicable control has a real, current owner.
- Tidy the evidence store and fix naming and dating inconsistencies.
The 30-day checklist
Thirty days out, the work shifts from fixing to rehearsing.
- Brief each control owner and run a short walkthrough of their control and evidence.
- Assemble the prior-findings pack: finding, root cause, action, evidence, closure date.
- Prepare the change narrative covering scope, risk, suppliers and technology.
- Do a light internal dry run on a sample of controls to test how quickly evidence surfaces.
- Confirm logistics: attendees, access for the auditor, meeting rooms or video links, and who leads on the day.
- Make sure the compliance lead knows which controls each owner will speak to, so handovers on the day are smooth.
Common mistakes
A few patterns recur across companies of this size. Evidence that clusters in the final weeks. Prior findings closed without root cause. A risk register and SoA that never moved despite a year of change. Control owners who cannot speak to their own controls. An internal audit that found nothing. A management review held the day before the auditor arrives. An evidence store so disorganised that every request becomes a search. None of these is exotic. All of them are avoidable with cadence and preparation, and each one costs you auditor confidence at exactly the moment you want it high.
The commercial cost of a suspended or conditional certificate
It is worth being clear-eyed about what is at stake, because the surveillance audit is not only a compliance exercise. A major nonconformity can lead to a conditional or suspended certificate, and that has direct commercial consequences.
For SaaS, fintech and payment companies, the certificate is often a condition of doing business. Enterprise procurement teams ask for it. Partners and payment networks require it. A suspended certificate can stall live deals, trigger contractual review clauses, and force awkward disclosures to customers who trusted the mark. Even a conditional outcome consumes weeks of engineering and leadership time to remediate under a deadline, at a moment you did not choose. The cost of a poor audit is rarely the finding itself. It is the sales cycles that pause, the customer questions that follow, and the scramble that pulls senior people off the roadmap.
Preparation is cheap by comparison. A steady ISMS that runs all year turns the surveillance audit into a routine confirmation rather than a threat to the business.
Bottom line
A surveillance audit tests whether your ISMS kept operating, not whether you can rebuild it under pressure. Continuity of evidence, closed findings with real root cause, owners who can speak to their controls, and a risk picture that moved with the business are what carry you through. The work is not hard, but it has to be steady, and it has to start well before the auditor books a date.
If you would rather walk in composed than cram, a Kellwick readiness review can pressure-test your evidence, prior findings and change narrative before the auditor sees them. For teams that want the ISMS to stay audit-ready all year, our ISMS maintenance retainer keeps the cadence running so surveillance stays routine. We are an independent advisory brand, not a certification body, so our only job is to make sure you are ready.
Need a second pair of eyes before the auditor does?
A readiness review shows exactly where your ISMS stands - and what to fix first - while there is still time to act on it.