Surveillance audit readiness
ISO 27001 does not stop at the certificate. The moment attention moves on, the risk register goes stale, internal audits slip and evidence scatters. Surveillance auditors are specifically trained to find exactly this drift.
Independent advisory. Not a certification body. No certification guarantees.
What surveillance auditors look for
A surveillance auditor already knows your ISMS passed. Their job is to confirm it is still being operated - not just documented. They pull the same artefacts they checked at Stage 2 and ask a single question: has the ISMS moved since then, or has it gone quiet?
The drift problem
Each one is a surveillance auditor finding waiting to happen. All of them are fixable when caught early.
Scores unchanged over a year, no new risks added, no closed risks removed. A surveillance auditor reads this as proof the ISMS is not operating - it is the single most common drift signal.
The annual internal audit is a mandatory clause requirement. A missed cycle is typically a nonconformity on its own, regardless of how strong the rest of the evidence is.
The quarterly or annual access review cadence that got you through Stage 2 often stops the day the certificate arrives. Lapsed reviews leave an evidence gap the auditor cannot ignore.
Records that were indexed and ordered for the certification audit are now spread across Drive folders, Slack threads, spreadsheets and inboxes, with no current index.
The management review done for certification is often the last one. Surveillance auditors ask to see the most recent one - and what came out of it. A missing review is a hard finding.
Supplier and sub-processor reviews that ran before certification have not been repeated. New suppliers have been added without going through the same process.
Surveillance Readiness Check
Lighter than a full Readiness Assessment because you are already certified - targeted at the eight areas a surveillance auditor will probe first.
Risk register currency
Has it been reviewed and updated since certification? Do the scores reflect the current threat and control environment?
Internal audit
Was it performed on schedule? Was it independent? Did it produce findings with a corrective-action trail?
Access review evidence
Were reviews run and documented on schedule? Are there sign-offs, not just confirmation emails?
Management review record
Was it held after certification? Does it discuss real security performance, not just compliance status?
Evidence index
Is the evidence still findable and indexed? Can you walk the auditor through it in sequence?
Supplier and sub-processor oversight
Were new suppliers assessed? Were existing assessments refreshed on cadence?
Corrective actions from certification
Were the nonconformities and observations raised at Stage 2 tracked to closure and evidenced?
SoA currency
Does the Statement of Applicability still reflect the real control environment, or has scope or technology changed?
Maintenance Retainer
A Surveillance Readiness Check closes the drift before the visit. A Maintenance Retainer means the drift does not accumulate in the first place. The retainer covers the ongoing operating discipline across the ISMS lifecycle - risk updates, evidence review, supplier and access reviews, management review preparation and corrective-action tracking - at a cadence that keeps you audit-ready without the overhead of a dedicated internal role.
Surveillance Readiness Check
A one-off focused review before a surveillance visit. Finds what has drifted and gives you a clear list of what to close before the auditor arrives.
Maintenance Retainer
Ongoing monthly support. Keeps the ISMS in a steady state of operating discipline so the next surveillance visit is not a fire drill.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Find what has drifted before the auditor does. A Surveillance Readiness Check takes a focused look at the eight areas most likely to produce a finding.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.