Top 5 questions to assess your readiness for ISO 27001 surveillance audit


Congratulations, your company is now certified to ISO 27001. But if you thought that your job was over and that you have reached the endpoint of your journey towards a secured organisation, you’re wrong! The real job has just begun and you might need to prepare for a bumpier ride.

In twelve months’ time, the certifying body will come back and perform a surveillance audit to verify the validity of the information security management system (ISMS). This time the auditors will look for the maintenance of the ISMS and steps that have been taken to make improvements to the system. Here are 5 questions that can guide you in assessing your readiness for the surveillance audit:


  1. Are you continuing to “walk the talk?” The policies and procedures that you have painstakingly developed, approved and published are key elements ensuring the maintenance of your ISMS. Your governance structure, processes, including roles and responsibilities are described in these documents. You were assessed against the commitments that were so eloquently defined in these pages and will continue to be so in subsequent audits. Evidence of implementation of these policies and procedures will churn out records and the existence, or lack thereof, will be tell-tale signs of how you will fare. Word of caution: do not fabricate records! Auditors have very keen senses to detect fraudulent evidences.
  2. Do you know the status of your risks? The controls that you have selected from Annex A of ISO 27001 and documented in your Statement of Applicability (SoA) are driven by the risks from your risk register. Circumstances that make up these risks change – the business landscape and mode of competition, threats may become more imminent, vulnerabilities may be reduced, or even the value of the asset you are securing may have become insignificant. These changes may mean that your existing controls may not be enough, excessive or your options for treatment may have to be reconsidered. For instance, you might find that transferring some of your security risks to a managed security service provider may be more economical while enhancing your capabilities and allowing your organisation to focus on core competencies.
  3. Have you kept your documentation up to date? Changes to the organisation and the outcome of implementation of your ISMS will require update of your documented policies and procedures. Updates may be “cosmetic” – document formatting and style; “hygienic” – document referencing, location and ownership; or “substantive” – significant change in the content and or context of the document. Control of changes to your documented information will need to be demonstrated as well as the effective implementation of your document review process to ensure suitability and adequacy.
  4. Have you done an internal audit and management review? Evaluating the performance and effectiveness of your ISMS is crucial to determining compliance, effectiveness of controls, security weaknesses, and making these findings visible to your management team. Internal audits must be scoped out according to importance of the processes, risks, and results of previous audits. Management review needs to consider the results of the audit as well as the elements set out in section 9.3 of ISO 27001. Be mindful that the purpose of conducting internal audits and management reviews is to gauge the performance of the ISMS and how the security program fulfils and may be ensured to align with organisational objective.
  5. Did you aim at eliminating the causes of non-conformities? Performing corrective actions on non-conformities identified from audits or day-to-day monitoring is done in two stages. First stage is to implement corrections by taking actions to control the situation and deal with the consequences. The second stage is to implement actions targeting the root causes of the non-conformity with the objective of preventing recurrence.


Surveillance audits are performed by the certifying body annually. Being certified means that you have an external partner in mission that checks the health of your ISMS periodically and helps determine opportunities for improving your security posture. Your certification is a product of the processes you have put in place to fulfil your organisation’s mission to protect its information assets. Certified or not you are maintaining your ISMS to fulfil your company’s objectives and these questions may be used to guide you in your journey.

Elmer Cruz

Senior Security Specialist

We use cookies on this site to provide you with a better user experience. Read More