The focus of an ISO (International Organization for Standardization) surveillance audit is to confirm that a certified organization continues to meet the requirements of the ISO management system standard it is certified against, in the period between its initial certification audit and its recertification audit.

For example, after a certification body certifies that a company conforms to ISO 9001, the standard that defines the requirements for a quality management system (QMS), the certificate is valid for three years. During that period the certification body (not ISO itself, which publishes the standards but does not audit or certify anyone) returns, normally once a year, to check that the QMS is still being maintained and still meets the standard's requirements.

The same applies to ISO/IEC 27001. ISO 27001 is the international standard that specifies the requirements for an information security management system (ISMS), and it is the standard an organization is certified and audited against. ISO 27002 is a supplementary guidance standard: it describes information security controls and how to implement them, and it is used as a reference when selecting and implementing controls within an ISMS based on ISO 27001. Because ISO 27002 contains guidance rather than requirements, an organization is not certified against it, and there is no separate "ISO 27002 audit"; surveillance audits examine the ISMS against ISO 27001.

A certification body issues a certificate for a period of three years. The certificate attests that the management system conformed to the standard when it was assessed; it is not a guarantee that the system will remain in place, which is why the certification body periodically sends an auditor to determine whether the management system is actually operating. Surveillance audits must take place at least once a year during the certification cycle.


The auditor from an accredited certification body (often called the registrar) who conducts the surveillance audit examines the organization's key management system processes, whether QMS or ISMS. The elements reviewed include management review, corrective actions (and, under earlier editions of the standards, preventive actions), the organization's internal audit program and its results, and whether the findings of those internal audits have actually been acted on.

The auditor's goal is to determine whether the management system actually works in day-to-day operations, not merely on paper. The auditor will also follow up on minor nonconformities and areas of concern identified in the certification audit or in previous surveillance audits, and will expect evidence that corrective action was taken. An organization should correct all nonconformities; a major nonconformity that is not resolved within the time the certification body allows can lead to suspension or withdrawal of the certificate.

A minor nonconformity is typically an isolated lapse or weakness in the management system that does not by itself undermine the system but, left uncorrected, could grow into a significant failure. A major nonconformity indicates a significant failure of the management system, such as a missing required element or a breakdown in a process, that could keep the company from achieving its objectives or from protecting its customers (or, for an ISMS, the information it is meant to protect).

Each surveillance audit also helps the organization prepare for its recertification audit, a more comprehensive audit that takes place at the end of each three-year certification cycle and must be completed before the certificate expires.
