ISO 27001 Passed. Now What? The 12 Months After Certification That Most Companies Get Wrong
- ESKA ITeam
- Apr 22
- 6 min read
Getting ISO 27001 certified is hard work. Months of gap analysis, risk assessments, policy writing, internal audits, and a two-stage external audit that feels like it examines everything. When it is over and the certificate arrives, the relief is real. That relief is also dangerous.
The organizations that struggle most with ISO 27001 are not the ones that fail to get certified. They are the ones that treat certification as a destination rather than a starting point, and then find themselves scrambling 12 months later when an auditor returns and asks for evidence of things that were never maintained.
This article covers what actually happens after certification, which parts of an ISMS decay fastest, and how to keep your certification intact without building a full-time compliance function.
The Three-Year Cycle Most Companies Do Not Read Carefully
ISO 27001 certificates are valid for three years. That much most people know. What surprises many organizations is what happens during those three years before recertification.
In year one and year two after certification, your certification body will conduct surveillance audits. These are mandatory. They are not optional check-ins. If a surveillance audit is missed or if significant nonconformities are found and not corrected, your certificate can be withdrawn.
Surveillance audits are narrower than the original certification audit. They do not re-examine every clause of the standard. They focus on specific areas: whether nonconformities from the previous audit were addressed, whether internal audits were conducted, whether management reviews took place, whether the risk register has been updated, and whether a sample of Annex A controls are still operating as intended.
The first surveillance audit typically takes place approximately 12 months after initial certification. For most small and medium organizations, it lasts half a day to one full day. That sounds manageable. It is not manageable if the 12 months between certification and surveillance were spent doing nothing.
The Three Things That Break First
Organizations that go quiet after certification tend to discover the same problems when the surveillance auditor arrives. These are not exotic failures. They are predictable.
Internal audits stop happening. ISO 27001 requires internal audits at planned intervals. Many organizations conduct exactly one internal audit, the one that precedes initial certification, and then never run another one. By the time the first surveillance audit arrives, 12 months have passed with no internal audit completed. This is a nonconformity. It is the most common finding at surveillance audits.
The risk register becomes a historical document. Risk assessments were thorough during implementation. Then the company hired new staff, migrated to a new cloud provider, added a third-party integration, or launched a new product. None of these changes were reflected in the risk register, because no one owned that process after the consultant left. An auditor reviewing a risk register that describes the organization as it existed two years ago will flag this as a gap.
Management reviews exist only on paper. ISO 27001 requires management reviews at planned intervals, covering topics like audit results, security incidents, risk assessment status, and ISMS performance. Many organizations run one management review before certification, document it carefully, and then conduct no further reviews until the next audit cycle. When an auditor asks for evidence of management review, they receive a single document from 18 months ago. That is not sufficient.
Internal Audits: What They Are and Who Should Run Them
An internal audit is not the same as a surveillance audit. It is an internal review of whether your ISMS controls are operating as described in your documentation. It needs to happen at least once per year, and it needs to be conducted by someone who is not directly responsible for the areas being audited.
That last point creates a practical problem for small organizations. If your security team has two or three people, and all of them own parts of the ISMS, who audits whom?
Options include rotating audit responsibilities between team members across different control areas, using a structured checklist to ensure objectivity, or engaging an external party to conduct internal audits on your behalf. An external vCISO or GRC partner can fulfill this role, bringing independence and documentation that holds up under scrutiny.
What matters to an auditor is that the internal audit was planned, executed, documented, and that any findings were tracked and addressed. An informal conversation between team members that leaves no record is not an internal audit.
Schedule your internal audit no later than nine months after your certification date. That gives you three months to address findings before your surveillance audit.
Management Reviews: What Needs to Be Documented and Why Evidence Matters
A management review is a formal meeting at which senior leadership reviews the performance of the ISMS and makes decisions about its future direction. ISO 27001 specifies what inputs the review must cover: results of previous audits, security incidents, risk assessment updates, status of objectives, and opportunities for improvement.
The meeting does not need to be long. What it does need is documented evidence that it happened, who attended, what was discussed, and what decisions or actions were taken.
The failure mode here is predictable. A brief informal discussion happens during a leadership meeting. Security topics are raised. Decisions are made. No one writes any of it down because the organization is moving fast and documentation feels like overhead. When an auditor asks for management review evidence, there is nothing to show.
Auditors are not unreasonable. They understand that organizations vary in size and formality. What they cannot accept is an ISMS that claims to have leadership oversight and cannot produce any evidence of it.
A practical solution is to add a standing security agenda item to an existing quarterly leadership meeting. Prepare a one-page summary of ISMS performance covering incidents, audit status, and open risks before the meeting. Circulate it, document the discussion, and file the record. This takes less time than it sounds and produces the evidence trail that surveillance audits require.
How to Keep the ISMS Alive Without a Full-Time Team
Most organizations that achieve ISO 27001 certification do not have a dedicated compliance team. The implementation was often driven by one or two people, possibly with external help, and now those same people have returned to their other responsibilities.
The practical challenge is maintaining a live ISMS when no one has bandwidth to treat it as a full-time job.
A quarterly cadence works better than annual bursts of effort. A rough schedule looks like this:
In the first quarter after certification, focus on distributing ISMS ownership across the organization. Each major control area should have a named owner who is responsible for its upkeep, not just the security lead. Document that ownership formally.
In the second quarter, conduct a mid-year review of the risk register. Has anything changed in the business, the technology stack, or the threat environment that requires a reassessment? Update the register accordingly, even if the updates are minor.
In the third quarter, run your internal audit. Use the output to produce a findings log and assign remediation owners and dates.
In the fourth quarter, conduct the management review using the internal audit results as primary input, and prepare documentation for the upcoming surveillance audit.
This approach distributes the work across the year instead of concentrating it into a frantic month before the auditor arrives. It also produces the kind of ongoing evidence trail that auditors are looking for.
Signs Your ISO 27001 Certification Is Decaying
Before your next surveillance audit, check these indicators:
- Your risk register has not been updated since the certification audit.
- Your last internal audit was the one conducted before initial certification.
- You cannot name who currently owns each section of your Statement of Applicability.
- Security awareness training records exist for the original staff cohort but not for people hired in the past 12 months.
- Policy documents reference systems or processes that no longer exist.
- There is no documented record of a management review in the past 12 months.
- Nonconformities from the original certification audit have not been formally closed.
If more than two of these apply, the gap between what your documentation says and what your organization actually does has grown large enough to produce findings at a surveillance audit. The time to close that gap is before the auditor schedules the visit, not after.
Maintaining Certification Without Building a Compliance Team
ISO 27001 certification does not require a large internal team. It requires consistent execution of a defined set of activities, documented evidence that those activities happened, and someone accountable for keeping the system moving.
For organizations without a dedicated security or compliance function, a virtual CISO or GRC partner can fill that role on a fractional basis. This means having someone who owns the internal audit program, prepares management review documentation, updates the risk register when the business changes, and serves as the point of contact when the surveillance auditor schedules their visit.
ESKA's vCISO and GRC team work with organizations post-certification to keep their ISMS functional year-round, not just in the weeks before an audit. If your organization achieved ISO 27001 certification and is now uncertain whether it will hold up at the next surveillance review, contact us. We can assess where the gaps are and help you close them before they become findings.