CALL US 1-888-553-2256

ISO 27001/ISO 22301 Knowledge base

'. get_the_author_meta('first_name'). ' '.get_the_author_meta('last_name').'

Surveillance visits vs. certification audits

Author: Dejan Kosutic

Surveillance visits are very often quite different from (initial) certification audits, so in this post I’ll explain why this is so and what the differences are.

It bears mention here that all the issues I’ll be talking about in this post are not only applicable to certification audits for ISO 27001 and ISO 22301, but also to all other certifiable management standards like ISO 9001, ISO 14001, ISO 20000, etc.

The certification audit and its limitations

During the first (initial) certification audit the certification auditor will check whether all the main elements of the management system are in place – all the documentation, all the required records, all the processes, etc. The auditor will also check whether the main processes are working as they are described in the documentation, but such check will be limited because at that point in time the management system will have been in place for only a few months, or even only a few weeks. (To read more about the certification process, read this blog post: How to get certified against ISO 27001?)

On the other hand, the certificate is issued for a period of three years – so, for instance, if the initial certification audit was performed in November 2012, this means that the certificate will be valid until November 2015. Since the certification body guarantees that the management system will be in place throughout the validity of the certificate, the only way for the certification body to check out whether it really works is to send the certification auditor periodically to check out how things are going. And these are called the surveillance visits – they have to be performed at least once a year, or in some cases they are performed twice a year.

In cases where they are performed once a year, and using the previous example of a certification audit in November 2012, the first surveillance visit would be in November 2013, and the second (and last) surveillance visit in November 2014. After this, in November 2015, the certificate would expire and a company could go for the recertification audit.

The purpose of surveillance visits

So the main purpose of the surveillance visits is for the certification body to find out whether your management system really works in everyday operations, or not. It will focus on things that the certification audit wasn’t able to check: for instance, whether all the incidents are recorded, whether all the measurements are made, whether all corrective and preventive actions are properly recorded and implemented, whether the top management really supports and cares about the system, etc.

A surveillance visit will also focus on issues that were identified as weak in the certification audit or previous surveillance visit – minor nonconformities, as well as areas where the auditor has made some observations.

The point is, during the surveillance visit the certification auditor will pay far less attention to the documents themselves, and far more attention to how the key processes are performed, how they are measured, and how they are improved – in other words, whether your system really works.

So don’t relax after your certification audit is over – the certification body is highly interested in finding out whether your management system is really functioning, and this is exactly what the surveillance visits will be focused on. And this is one more reason why you shouldn’t implement the standard only for the purpose of certification – the idea should be that the procedures and policies are really used in everyday operations.

Click here to join a free ISO 27001 Lead Auditor Online Course where you can learn everything about certification audits.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 27001/ISO 22301 standards.

You may unsubscribe at any time.

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what are your rights, see this Privacy Notice.

3 responses to “Surveillance visits vs. certification audits”

  1. Sanjeewa says:

    How should an organisation be prepared for the ISO 27001 surveillance audit just after the Certification ( First time being certified.)

    • Rhand Leal says:

      The process of surveillance audits do not differ from the
      process followed by the certification audit (only the audit scope
      is smaller, considering only part of the certified scope), so your
      preparations should be the same:

      – Ensure the risk assessment and risk treatment plan are up to

      – Ensure the documents are updated and records are being generated
      and kept

      – Ensure the internal audits are being performed

      – Ensure non conformities and opportunities for improvement are
      closed or on schedule. One difference here is that you also have
      to ensure that non conformities and opportunities for improvement
      from the certification audit report are closed (this is extremely
      important, because failure in this point can result in a major non

      – Ensure the management review was performed and decisions made
      are being carried out

      These materials will also help you regarding surveillance audits:

      – Preparing for ISO Certification Audit: A Plain English Guide

      – ISO Internal Audit: A Plain English Guide

Leave a Reply

Your email address will not be published. Required fields are marked *

Dejan Kosutic
Lead ISO 27001/ISO 22301 Expert, Advisera


Upcoming free webinar
How to integrate GDPR with ISO 27001
Wednesday – September 25, 2019



  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM, TL and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.