
How SaaS companies should prepare for a surveillance audit

Certification is a moment. The surveillance audit is where the ISMS proves it actually kept running. Here is what to check in the 90 days before the auditor returns.

By Kellwick Team · June 10, 2026 · 2 min read

Getting certified feels like the finish line. It is not. Roughly a year later, the certification body comes back for a surveillance audit - and this time the question is different. Not "did you build an ISMS?" but "did you actually operate it?"

For SaaS companies moving fast, that is a harder question. The team that got certified is now shipping features, hiring, and firefighting. The ISMS quietly goes stale. The surveillance audit finds it.

Why surveillance audits catch people out

At certification, everyone is prepared. Evidence is fresh, the risk register was just built, policies were just written. A surveillance audit tests the opposite: the boring middle, the year when nobody was watching.

Auditors know this, so they look for signs of a living system versus a frozen one:

  • Has the risk register changed since certification, and why?
  • Did access reviews actually happen each quarter?
  • Were new suppliers assessed as they were onboarded?
  • Did management review happen - with real decisions?
  • Were incidents recorded and closed, or handled in Slack and forgotten?
  • Did last year's minor findings get corrective actions that actually closed?

A frozen ISMS looks identical to a live one on paper. The difference only shows in the evidence timeline.

The 90-day checklist

Do not wait for the audit notice to start. Ninety days out, work through this:

  1. Reconcile the risk register with reality. New product areas, new integrations, new data flows - are they reflected? Have any treatments progressed?
  2. Pull evidence for every recurring control. Access reviews, supplier assessments, backups, vulnerability management. If a control runs quarterly, you should have four records.
  3. Check the SoA against how you actually operate. Cloud setup, tooling and processes drift over a year. Make sure applicability and justifications still match.
  4. Confirm the management loop closed. Internal audit happened, findings were logged, management reviewed them, corrective actions were tracked to closure.
  5. Clear last cycle's findings. Nothing frustrates an auditor like a prior nonconformity that reappears. Confirm each one is genuinely closed with evidence.
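The evidence-timeline check in step 2 can be automated. The script below is an added example, not part of the article: it splits a 12-month surveillance window into periods according to each control's cadence and reports every period with no evidence record, so a frozen control (no records at all) and a skipped quarter both show up. Control names, cadences, dates and the window are constructed sample data.

```python
from datetime import date
# Constructed sample evidence log for a fictional SaaS ISMS: (control, date the
# evidence was produced). Controls, cadences and dates are assumptions, not the article's.
EVIDENCE = [
    ("access-review", date(2025, 5, 20)),    # pre-window certification evidence: does not count
    ("access-review", date(2025, 7, 14)),
    ("access-review", date(2025, 10, 2)),
    ("access-review", date(2025, 10, 30)),   # two records in one quarter do not cover the next
    ("access-review", date(2026, 4, 20)),
    ("backup-restore-test", date(2025, 8, 1)),
    ("management-review", date(2026, 3, 5)),
]

# Expected cadence of each recurring control, in months per period.
CADENCE_MONTHS = {
    "access-review": 3,         # quarterly: four records expected over 12 months
    "backup-restore-test": 6,   # semi-annual
    "management-review": 12,    # annual
    "supplier-assessment": 12,  # nothing logged at all: a frozen control
}

# Surveillance window: first of the certification month to the auditor's return.
WINDOW_START, WINDOW_END = date(2025, 6, 1), date(2026, 6, 1)

def add_months(d, n):
    """Advance a first-of-month date by n months."""
    m = d.month - 1 + n
    return date(d.year + m // 12, m % 12 + 1, 1)

def evidence_gaps(records, cadence_months, window_start, window_end):
    """Return {control: [start of each period with no evidence]}. window_start must be
    a first-of-month date. Empty list: timeline complete; every period: control never ran."""
    gaps = {}
    for control, months in cadence_months.items():
        dates = [d for c, d in records if c == control]
        missing, start = [], window_start
        while start < window_end:
            end = min(add_months(start, months), window_end)
            if not any(start <= d < end for d in dates):
                missing.append(start)
            start = end
        gaps[control] = missing
    return gaps

def audit_report():
    return evidence_gaps(EVIDENCE, CADENCE_MONTHS, WINDOW_START, WINDOW_END)

if __name__ == "__main__":
    for control, missing in audit_report().items():
        print(f"{control:22}", "OK" if not missing else [d.isoformat() for d in missing])
```

Run against a real evidence export, the same period-by-period output is what an auditor reconstructs by hand from your record timestamps.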

The thirty-day view

In the final month, shift from fixing to rehearsing:

  • Sample your own controls at random and try to produce evidence cold.
  • Make sure control owners can speak to their controls - not just that a document exists.
  • Tidy the evidence store so nothing is "somewhere in a DM".

The commercial reason to care

A surveillance nonconformity is not just paperwork. If your certificate is suspended or conditional, enterprise customers notice. Deals that relied on "we are ISO 27001 certified" suddenly need explaining. Keeping the ISMS alive between audits is cheaper than the scramble - and far cheaper than a lost deal.

Bottom line

The surveillance audit rewards teams that treated the ISMS as an operating system, not a certificate on the wall. Ninety days of honest checking turns it from an ambush into a formality. If you are not sure your evidence would hold up, that is exactly the time for an independent readiness review.

Need a second pair of eyes before the auditor does?

A readiness review shows exactly where your ISMS stands - and what to fix first - while there is still time to act on it.