
Maintaining ISO 27001 Certification: Your Year-Round Compliance Calendar

The surveillance audit surprises organisations that treated certification as a one-time project. Here is what your ISMS maintenance calendar should look like — and what to do in each quarter.

Rounak Maheshwari

Founder, ISO READY 360 · ISO 27001:2022 Practitioner

ISO 27001 certification does not expire at the end of a project — it expires if you stop maintaining your ISMS. The surveillance audit, typically scheduled annually by your certification body, is designed to verify that the ISMS is still operating as certified. Organisations that neglect maintenance between certification and the first surveillance audit frequently face significant nonconformities — not because their security has deteriorated, but because the documentation and process evidence have gone stale. A compliance calendar prevents this.

What Changes After Certification

Immediately after receiving your certificate, the pressure that drove implementation activity tends to dissipate. The project team moves on. The ISMS owner's time gets allocated to other priorities. Without a structured maintenance programme, the risk register goes unreviewed, policies are not updated, and corrective actions from the internal audit remain open. None of this is obvious until the surveillance auditor arrives and asks for evidence that has not been generated.

The three-year certificate cycle includes annual surveillance audits (years 1 and 2) and a full recertification audit in year 3. Surveillance audits are typically one to two auditor days and focus on whether the ISMS continues to operate and whether previous findings have been addressed. Recertification is closer to the original Stage 2 in scope. Both require current, evidenced ISMS activity — not just the documentation produced during initial certification.

The Annual Compliance Calendar

Q1 — Jan to Mar: Management Review

  • Formal review with senior management
  • Set ISMS objectives for the year
  • Review corrective action status

Q2 — Apr to Jun: Internal Audit

  • Cover all clauses 4–10
  • Sample Annex A controls
  • Raise corrective actions

Q3 — Jul to Sep: Policy Review Cycle

  • Review and version all policies
  • Security awareness training
  • Close Q2 corrective actions

Q4 — Oct to Dec: Risk Assessment Update

  • Update risk register
  • Gather surveillance evidence
  • Prepare the Q1 management review

Q1: Management Review

The management review is required by Clause 9.3. It is a formal review of the ISMS by senior management, covering the status of the ISMS, performance against objectives, audit results, risk assessment outcomes, opportunities for improvement, and any changes that affect the ISMS. This is not an informal discussion — it must be documented with a signed record showing who attended, what was discussed, what decisions were made, and what actions were assigned.

Q1 is the natural time for this review because it allows you to look back at the previous year's performance and set objectives for the year ahead. Schedule it as a fixed calendar event — preferably with a standing agenda template — so it does not drift into Q2 or Q3.

Q1 tasks:

  • Conduct and document the management review
  • Review the status of corrective actions from the previous year
  • Set measurable ISMS objectives for the current year
  • Review and update the ISMS scope if the organisation has changed
  • Confirm the information security policy is still appropriate and re-sign if updated

Q2: Internal Audit

The internal audit (Clause 9.2) must be conducted at least annually. Scheduling it in Q2 gives you enough time to close corrective actions before Q4 evidence gathering — and before a surveillance audit that might be scheduled in Q4 or early the following year. Running the internal audit too close to the external surveillance audit leaves insufficient time to address findings.

Q2 tasks:

  • Plan the audit programme (what will be audited, by whom, when)
  • Conduct the audit across all ISMS clauses and applicable Annex A controls
  • Produce the internal audit report with findings categorised as conformities, observations, or nonconformities
  • Raise corrective actions for all nonconformities, with owners and target dates
  • Begin closing corrective actions — do not leave them all for Q3

Q3: Policy Review Cycle

Policies must be reviewed at planned intervals. Annual review is the standard expectation. Q3 is the right time because it is far enough from the Q1 management review that changes are possible, and early enough that updated policies are in place before year-end evidence gathering. Policy reviews do not need to result in changes — a documented review that confirms no changes are required is valid. What is not valid is a policy with a review date that has passed without any recorded review.

Q3 tasks:

  • Review all ISMS policies — update version numbers and review dates
  • Close corrective actions from Q2 internal audit
  • Conduct or verify completion of annual security awareness training for all staff
  • Review supplier contracts and security assessments — flag any that are due for renewal
  • Check that the asset register is current

Q4: Risk Assessment Update and Evidence Gathering

The risk assessment must be reviewed at planned intervals and when significant changes occur. An annual review is the minimum. Q4 is the natural time for this — it captures the full year's context and feeds into the Q1 management review. The risk register review should reflect any changes in the threat landscape, new services or products, new suppliers, incidents from the year, or changes in the organisation's operating context.

Q4 tasks:

  • Review and update the risk register — re-score risks, add new scenarios, close obsolete ones
  • Confirm that the Statement of Applicability is current — update for any control changes
  • Gather evidence for the surveillance audit: training logs, access reviews, patch records, incident logs, backup test records
  • Confirm all corrective actions from the internal audit cycle are closed
  • Prepare the management review agenda and inputs for Q1

The most common reasons organisations lose ISO 27001 certification or receive major nonconformities at surveillance are: no management review conducted in the past 12 months, internal audit overdue, risk register unchanged since initial certification, and corrective actions from previous audits still open. All four of these are calendar failures, not security failures. A structured annual plan prevents all of them.

Key Documents to Keep Current

  • Information security policy — reviewed and version-controlled annually
  • Risk register — reviewed at least annually and after significant changes
  • Statement of Applicability — updated when control applicability changes
  • Internal audit programme and reports — conducted and reported annually
  • Management review minutes — at least annually
  • Corrective action log — maintained with open and closed status
  • Training records — showing all staff have completed current awareness training
  • Supplier register — current contracts, last security assessment dates

Common Reasons Organisations Lose Certification

Certificate withdrawal is rare but it does happen. The common causes are: a surveillance audit that reveals the ISMS has effectively ceased operating (no internal audit, no management review, no risk register activity); major nonconformities raised at surveillance that are not closed within the agreed timeframe; and organisations that change their scope significantly without notifying the certification body and obtaining approval.

Less dramatically, many organisations let their certificate lapse by not scheduling the surveillance audit in time. Certification bodies typically send reminders, but the responsibility for scheduling rests with the certificate holder. Put the surveillance audit window in your calendar immediately after certification — typically 10 to 14 months after your certificate issue date.

If maintaining your ISMS alongside other business priorities is challenging, our ongoing compliance support service handles the structured review processes, policy updates, and audit preparation on a retained basis. Or start with our maintenance documentation templates to ensure you have the right records in place.
