An ISO (International Organization for Standardization) surveillance audit is an ongoing periodic review of a company’s quality management system or information security management system (ISMS) by a certification body.  The focus of an ISO surveillance audit is to ensure an organization is continuing to comply with ISO standards.  

ISO surveillance audit frequency

An ISO surveillance audit is conducted in years one and two after the initial certification, and also in years one and two following each recertification audit. ISO certification is valid for three years after which the company needs to be recertified. The surveillance audit helps an organization get ready for the recertification process. 

One of the central tenets of the ISO methodology is continual improvement. One way of verifying that companies are adhering to the ISO standards set out by the certification is through annual surveillance audits. 

Larger organizations may need to complete the initial certification ISO audit through a multi-stage approach to ensure that all their individual business units meet the requirements of ISO.

The surveillance audit will always review specific areas that apply to certification audits, such as ISO 27001, the international standard for Information Security Management System (ISMS), and ISO 9001, the international standard that specifies requirements for a quality management system. 

Depending on your organization and the ISO standard or standards for which you are seeking certification, the audit areas may entail:

  • The performance and maintenance of the organization’s systems
  • Preventive and corrective actions and processes 
  • The effectiveness of the organization’s internal auditing process 
  • The implementation of recommendations following the company’s internal audits
  • Regular management reviews of the ISO implementation 
  • Customer satisfaction rates 
  • Updates to the company’s documentation systems.

The surveillance audit will be conducted by an auditor from the company’s certification body. That auditor will check any nonconformities from previous inspections, how effective the company’s systems are within the context of its audits, new activities, and previous results. 

There are many things an organization can do to prepare for an ISO 27001 audit.

Showing evidence of compliance with ISMS policies and procedures

The key elements that ensure the maintenance of a company’s ISMS are the policies and procedures it has developed, approved, and published. Consequently, the organization needs to be sure that it can show the auditor evidence that it is following these policies and procedures.

Understanding the status of risks

The controls that an organization has selected from Annex A of ISO 27001, which provides a list of security controls to be used to improve the security of information, and documented in its Statement of Applicability are driven by the risks from the company’s risk register

Since circumstances that make up these risks change, an organization needs to determine if it has to reconsider its existing controls and/or the way it handles those risks. 

Ensuring documentation is up to date

An organization will have to update its policies and procedures to reflect changes to the organization. The company must demonstrate that its documentation is current and that it has an effective documentation review process in place.

Conducting an internal audit and management review

It’s critical for a company to evaluate the performance and effectiveness of its ISMS to determine compliance, the effectiveness of its controls, and security weaknesses. 

The organization must also make these findings visible to its management team so they can consider the results of the audit as well as the elements of the management review detailed in clause 9.3 of ISO 27001. 

The reason to conduct internal audits and management reviews is to gauge the performance of the ISMS and how the security program aligns with the objectives of the business. 

Working to eliminate the causes of nonconformities

Conducting corrective actions on nonconformities that have been identified in previous audits or day-to-day monitoring is done in two stages. 

The first stage is to take corrective actions to control the situation. The second stage is to implement corrective actions targeting the root causes of the nonconformities to prevent them from happening again.

For additional information, refer to the Guide to ISO Certification and ISO Compliance.