An ISO surveillance audit is an audit of your business that happens after you achieve compliance with an ISO standard, to assure that you still follow that standard’s expectations across time. In other words, a surveillance audit is meant to confirm that your organization is still living up to the promises it made when you first received ISO certification sometime in the past.

Take ISO 9001, the ISO standard for quality management systems, as an example. To comply with ISO 9001, a company must first undergo an initial audit by an accredited ISO auditor. Once you pass that audit, you can be certified as ISO 9001-compliant, and that certification lasts for three years.

Surveillance audits would then happen in the next two years of that three-year period. In the third year, your original certification expires, and the process starts all over again with a recertification. 

The same principle applies to ISO 27001 and ISO 27002 audits. ISO 27001 serves as the international standard for an information security management system (ISMS). In contrast, ISO 27002 focuses on the specific information security controls that organizations may choose to implement. The primary distinction between the standards is that ISO 27002 is intended as a reference guide for selecting security controls when establishing an ISMS based on ISO 27001.

What are some of the benefits of a surveillance audit?

Surveillance audits are required as part of ISO compliance, so if you’re serious about embracing ISO standards you have little choice other than to accept them. That said, surveillance audits do have other benefits, too. 

Continuous compliance. Surveillance audits assure that an organization’s compliance with established standards or regulations is ongoing. This helps maintain the integrity of the quality management system and confirms that the organization consistently meets the required standards.

Issue identification and risk mitigation. By identifying and addressing minor non-conformities or issues during surveillance audits, organizations can take corrective actions promptly, reducing the likelihood of more significant compliance or quality problems in the future.

Improved performance. Ongoing surveillance and regular assessments lead to better organizational performance. They allow for continuous refinement of processes, increased efficiency, and a focus on continuous improvement.

Customer confidence. Organizations that consistently demonstrate their commitment to maintaining compliance through surveillance audits can instill greater confidence in their customers. This can lead to increased customer satisfaction and loyalty.

Cost reduction. The sooner you identify a non-conformity or deficiency, the sooner you can rectify that situation — before the issue becomes a significant problem that will likely cost more money to fix.

These benefits support an organization’s commitment to quality, compliance, and excellence in its operations.

How does the certification audit cycle work?

The certification audit cycle is a structured process that organizations undergo to achieve and maintain certification for compliance with specific ISO standards or regulations. This cycle typically consists of three key phases: the initial certification audit, surveillance audits, and recertification audits.

The first phase is the initial certification audit. An accredited auditor evaluates the organization’s processes, procedures, and systems to determine whether it meets the requirements of the chosen standard. This initial audit is comprehensive and often serves as a baseline assessment. If the organization successfully demonstrates compliance with the standard, it is awarded certification, typically valid for a specific period, often three years.

Following the initial certification audit, organizations enter the surveillance audit phase. Surveillance audits are periodic assessments that occur at regular intervals, such as annually or semi-annually, throughout the certification cycle. The purpose of surveillance audits is to verify that the organization continues to uphold the standard’s requirements. These audits are typically less extensive than the initial certification audit but still cover essential aspects of compliance.

The final phase of the certification audit cycle is the recertification audit. This audit takes place at the end of the certification period, typically three years after the initial certification. It is similar in scope to the initial certification audit and serves to reevaluate the organization’s compliance with the standard. To maintain certification, the organization must once again demonstrate that it meets the standard’s requirements.

The certification audit cycle is a continuous process to assure that organizations not only attain compliance, but also sustain it over time. It provides a structured framework for ongoing assessment and improvement. Successful completion of this cycle allows organizations to demonstrate their ongoing commitment to quality, compliance, and best practices. That, in turn, can enhance the company’s reputation, foster customer trust, and drive operational excellence. This cycle helps organizations stay competitive in their industries and adapt to evolving standards and regulations.

What should I expect during an ISO surveillance audit?

During a surveillance audit, either the ISO registrar or an auditor from an accredited certification body examines the organization’s key processes. This assessment encompasses several essential elements, including a management review, an evaluation of preventive and corrective actions and processes, scrutiny of the company’s internal auditing procedures, and an examination of the implementation of recommendations following internal audits.

The auditor’s primary objective is to determine whether the company’s management system actually works in its day-to-day operations. The auditor also pays particular attention to minor non-conformances: areas of concern detected during the certification audit or previous surveillance audits. It is incumbent upon the organization to address and rectify all non-conformances.

Take ISO 9001 as an example. Minor non-conformances typically signify weaknesses in the quality management system that could potentially culminate in a significant QMS failure. Major non-conformances, on the other hand, indicate substantial failures within the quality management system, which could hinder the organization from achieving its objectives or safeguarding its customers.

Each surveillance audit serves as a preparatory exercise for the organization’s impending recertification audit, which occurs at the conclusion of each three-year certification cycle. This meticulous evaluation process assures that organizations continue to uphold the high standards set by ISO, promoting the consistent delivery of quality products and services while safeguarding information security.

How do I prepare for an ISO surveillance audit?

Preparing for an ISO surveillance audit is crucial to ensure a successful audit outcome and ongoing compliance with ISO standards. Here are some essential practices so that you can prepare effectively:

Review previous audit findings. Start by reviewing the findings and corrective actions from previous surveillance audits. Assure that all identified non-conformances and corrective actions have been appropriately addressed and resolved. This demonstrates your commitment to continuous improvement.

Update documentation. Confirm that all documentation related to your ISO management system is up-to-date and accurate. This includes policies, procedures, work instructions, and records. Make sure any changes in processes or systems are reflected in the documentation.

Conduct internal audits. Prior to the surveillance audit, perform internal audits of your quality management system. This helps to identify any potential issues or non-conformances that may need corrective action before the surveillance audit.

Employee training. Assure that all employees are aware of their roles and responsibilities related to the ISO management system. Training and awareness are essential components of maintaining compliance.

Documented information. Prepare all the necessary documented information required for the surveillance audit. This includes records of past surveillance audits, corrective actions, and evidence of ongoing compliance.

Management review. Conduct a thorough management-level review of your ISO management system. This includes assessing the system’s effectiveness, identifying opportunities for improvement, and addressing any strategic or organizational changes.

Pre-audit meeting. Schedule a meeting with the audit team or the lead auditor before the actual surveillance audit begins. This allows you to discuss the scope of the audit, clarify any questions, and understand the audit process better.

Check for regulatory changes. Verify that your processes and documentation are aligned with any changes in ISO standards or relevant industry regulations. Staying updated with the latest revisions and requirements is crucial for compliance.

Corrective actions. Be sure to implement any pending corrective actions from previous audits, and verify that those actions are effective. Provide evidence of these corrective actions during the surveillance audit.

Auditor familiarization. Make sure that the audit team is familiar with your organization’s processes, structure, and specific requirements. Provide them with access to the areas they need to audit and any necessary documentation.

Employee awareness. Communicate to all relevant employees that a surveillance audit is approaching. Stress the importance of cooperation and adherence to the ISO management system during the audit period.

Simulation exercises. If possible, conduct mock or simulation audits to prepare employees for the audit process and to identify any potential gaps in compliance.

Documentation access. Ensure that the audit team has easy access to all relevant documentation and areas they need to audit. Make it as convenient as possible for them to review your processes.

Open communication. Encourage open communication with the audit team. Answer their questions honestly and provide any necessary information promptly during the audit.

By following these steps and maintaining a rigorous approach to ISO compliance, you can better prepare for a surveillance audit and increase the likelihood of a successful audit outcome. This approach not only assures ongoing compliance but also contributes to the continuous improvement of your quality management system.

Maintain compliance with ZenGRC

Maintaining ISO surveillance compliance is a complex and ongoing process that requires robust management and monitoring of an organization’s quality management system. ZenGRC provides an effective and streamlined solution for ensuring continued compliance with ISO standards. 

Through its comprehensive suite of tools and features, ZenGRC simplifies the process of preparing for and undergoing surveillance audits. It enables organizations to maintain up-to-date documentation, track corrective actions, and schedule internal audits, all within a single, user-friendly platform. 

With ZenGRC, organizations can not only achieve initial certification but also consistently demonstrate their commitment to compliance, fostering trust among stakeholders and ensuring operational excellence in line with ISO standards.

The focus of an ISO (International Organization for Standardization) surveillance audit is to ensure an organization is continuing to comply with ISO standards.

For example, after a certification body certifies that a company is compliant with the ISO 9001 standard that defines the requirements for a quality management system (QMS), the ISO examines the organization’s operations every three years to ensure it is continuing to keep up with ISO fundamentals. 

This also applies to ISO 27001 audits and ISO 27002 audits. ISO 27001 is the international standard that describes the best practices for an information security management system. ISO 27001 provides a full list of compliance requirements, while the supplementary standard, ISO 27002, focuses on the information security controls that organizations may decide to implement. The key difference between ISO 27001 and ISO 27002 is that ISO 27002 is designed to be used as a reference for selecting security controls within the process of implementing an Information Security Management System (ISMS) based on ISO 27001.

A certification body, which issues a certificate of compliance for a period of three years, guarantees that the management system will be in place as long as the certificate is valid. The certification body periodically sends an auditor to the company to determine if the management system really works. The auditor has to perform a surveillance audit at least once a year.


The ISO registrar or the auditor from an approved certification body who conducts the surveillance audits will examine the organization’s key QMS processes. The required elements of an audit include a management review, a review of preventive and corrective actions and processes, a review of the company’s internal auditing processes, and a review of the implementation of recommendations following a company’s internal audits.

The auditor’s goal is to determine whether a company’s management system actually works in its day-to-day operations. The auditor will also focus on minor nonconformities, areas of concern identified in the certification audit or previous surveillance audits. An organization should take corrective action to fix all non-conformances.

Typically, minor non-conformances are weaknesses in the QMS that could potentially lead to a massive QMS failure. Major non-conformances indicate that there’s a significant failure in the quality management system that could keep a company from achieving its objectives or protecting its customers.

Each surveillance audit helps an organization get ready for its recertification audit, which takes place at the end of each three-year certification cycle.
