ISMS Maintenance

How to keep ISO 27001 alive after certification

The ISMS starts decaying the moment attention moves on. A steady rhythm keeps it audit-ready between surveillance visits.

By Kellwick Team · March 11, 2026 · 3 min read

Certification feels like the finish line. It is not. The certificate is valid for three years with annual surveillance audits, and the ISMS starts to decay the moment attention moves elsewhere. The teams that struggle at surveillance are the ones who went quiet for eleven months and then scrambled.

The failure pattern

The story is familiar. A team passes Stage 2, celebrates, and returns to shipping product. Policies gather dust. Access reviews stop. Nobody logs the risk changes that come with new features and new vendors.

Then the surveillance audit approaches and the panic starts: backdating evidence, reconstructing decisions, chasing screenshots from six months ago. Auditors notice. Evidence that all appears to have been created in the same week tells its own story.

The fix is not more effort at audit time. It is a light, steady rhythm through the year.

Build a recurring calendar

Turn the ISMS into a schedule with owners and dates. Most of the work is small when it happens on time and painful when it does not.

A workable rhythm looks like this:

  • Monthly: review new risks, log incidents, confirm evidence is being captured.
  • Quarterly: access reviews, supplier and vendor reviews, control spot checks.
  • Twice a year: internal audit activity across the ISMS, corrective action review.
  • Annually: full risk assessment refresh, management review, policy review.

Put these in a real calendar with named owners. An ISMS that lives only in someone's memory will lapse the first busy month.

Keep evidence flowing, not stockpiled

Auditors look for evidence generated as work happens, not assembled the night before. That means capturing records in the normal flow of work.

  • Log access changes when they happen, including revocations for leavers.
  • Save incident tickets with triage, actions and closure, even for small events.
  • Keep supplier review notes and renewed contracts as you go.
  • Record change approvals in your existing tooling rather than a separate ritual.

Consistency over time is worth more than volume. A steady trickle of dated records beats a wall of documents created in one sitting.

Do not skip management review

Management review is where leadership stays accountable for the ISMS, and it is a common surveillance finding when it lapses. It does not need to be heavy. It needs to happen and to be recorded.

Cover the essentials: risk status, incidents, audit results, supplier performance, objectives and resource needs. Capture decisions and actions. This is also where you decide whether the ISMS still fits the business as it has changed over the year.

Treat corrective actions as a live loop

Findings from internal audits, incidents and surveillance need to go somewhere. A corrective action that is opened and never closed is a finding waiting to be repeated.

For each one, record the root cause, the fix, an owner and a date, then verify the fix held. Auditors respond well to a system that finds its own problems and closes them. It signals a living ISMS, not a dormant one.

Bottom line

Keeping ISO 27001 alive is about rhythm, not heroics. A calendar with owners, evidence captured as you work, honest management reviews and closed corrective actions will carry you through surveillance with little drama. If you are heading into your first surveillance audit and are not sure the rhythm has held, a short readiness review can surface the gaps while there is still time to fix them.
