Your complete guide to a successful ISO surveillance audit

Maintaining compliance after achieving an ISO certification involves more than a one-time effort. Surveillance audits are an essential part of this process, helping companies ensure that their management system continues to meet ISO standards. 

In this blog post, we’ll explore surveillance audits, how they differ from other audits like certification and recertification, and what medium—to large organizations can expect from the process. For any business prioritizing information security, quality management, or compliance, understanding surveillance audits is a proactive step toward maintaining ISO certification and continually improving its information security management system (ISMS).

Understanding surveillance audits

Surveillance audits are inspections carried out to ensure compliance with established management protocols. They differ from initial certification audits, which aim to bestow certification. 

Instead, surveillance audits concentrate on verifying the sustained efficacy of an Information Security Management System (ISMS). The core purpose of these surveillance visits is to validate that organizations persist in meeting ISO standards requirements. Functioning as critical follow-up assessments, they underscore continual adherence and enhancement and are conducted annually over the course of two years. The first year is a full audit, the second and third years are surveillance audits, and the following year is a full audit again. 

Why surveillance audits are essential for ongoing compliance

A surveillance audit is a routine review conducted by a certification body to confirm that a company’s information security management system (ISMS) still complies with ISO standards. 

Surveillance audits occur after the initial certification audit and are typically scheduled every 12 months for ISO 27001 and other certifications. (This contrasts with a recertification audit, which occurs after three years). Surveillance audits are part of a continuous evaluation process that ensures companies uphold ISO requirements over time and maintain information security management practices.

These audits are crucial for medium and large companies. They confirm the effectiveness of key processes and help organizations identify areas for continual improvement. Surveillance audits are not just requirements—they’re tools for supporting ongoing quality and risk management, especially for companies with sensitive data or strict compliance obligations.

How does the surveillance audit process work?

The surveillance audit process involves several structured steps; each focused on evaluating key elements of an organization’s management system to ensure ongoing compliance. Here’s a detailed look at the typical stages in the audit process:

Audit planning

Before the audit, the certification body sends a schedule outlining the primary areas and key processes that will be reviewed during the surveillance visit. Proper planning helps the organization prepare for the specific auditing process.

Document review

During the document review stage, auditors thoroughly examine policies, procedures, and records established since the original certification audit. They: 

• Look for alignment with ISO standards, verifying whether the management system documentation is up-to-date.
• Look for any changes in the environment from the last audit and improvements.
• Look for issues that needed to be resolved from the last audit to ensure they’ve been fixed.
• Look for any material changes to the environment to ensure the scope of certification hasn’t changed (or needs to be updated).
• Assess incident reports to confirm that effective preventive and corrective actions were applied in response to any prior non-conformities. 

This evaluation process ensures that the information security management system (ISMS) documentation aligns with current ISO standards.

On-site audit

In this phase, auditors conduct an on-site audit to validate that the management system is implemented effectively. Keep in mind Surveillance Audits are not full audits.  It is a very scaled-down version just basically ‘spot checking’ to ensure things are still working as expected. Auditors usually:

• Conduct interviews with employees
• Inspect protocols
• Observe the practical application of procedures
• Review incident management and other operational protocols, assessing the organization’s capacity to handle security incidents and breaches. 

The goal is to confirm that what’s documented aligns with what’s practiced, ensuring the internal audit processes match the ISO requirements.

Audit report

After the on-site evaluation, the auditors compile an audit report outlining their findings. This report includes: 

• Details on any non-conformities
• Recommended preventive and corrective actions, and 
• Observations that support continuous improvement 

If significant issues are discovered, the organization may need to address them promptly to maintain ISO certification status.

Throughout the process, the auditor evaluates the organization’s adherence to ISO standards and highlights any potential gaps. If non-conformities are identified, the organization must implement corrective actions within a set timeframe to uphold its certification. This continuous evaluation process supports organizations in ensuring their systems remain compliant and geared toward continual improvement.

How to prepare for a surveillance audit

To ensure a smooth surveillance audit process, organizations should maintain a state of constant audit readiness. Preparation involves regular internal audits, thorough documentation updates, employee training, and leveraging compliance software. Here’s a breakdown of how to prepare effectively:

Conduct internal audits

Regular internal audits are essential for identifying non-conformities within the organization’s management system before the official audit. These audits serve as self-assessment tools, allowing for a proactive evaluation of processes and controls. 

By conducting frequent internal assessments, the organization can address potential issues in advance, fostering a culture of continuous improvement and dedication to compliance standards. Internal audits are invaluable in upholding quality management principles and ensuring that all internal auditing processes align with ISO standards.

Steps for conducting successful internal audits

Conducting an effective internal audit is crucial for assessing the alignment and efficiency of an organization’s management system. A well-structured internal audit process verifies ISO 27001 compliance and identifies key objectives that drive organizational improvement and uphold high standards in information security management.

Here’s how:

• Setting clear objectives: The first step in any successful internal audit is setting clear, measurable objectives. These goals should align with the organization’s broader objectives and relevant ISO standards to support consistent progress. Clear objectives also help the audit team assess how well past audit recommendations have been applied and how they contribute to strengthening the Information Security Management System (ISMS).
• Conducting a risk assessment: Risk assessment allows the audit team to allocate resources to the processes most likely to impact compliance and operational efficiency. By focusing on these critical risks, the organization can take preventive actions to address vulnerabilities before they escalate. Documenting and communicating these findings across the team ensures the proper corrective actions are taken.
• Evaluating past recommendations and corrective actions: An essential component of the internal audit is examining how well recommendations from past audits have been implemented and evaluating their effectiveness in addressing prior non-conformities. This approach emphasizes continuous accountability and improvement.
• Fostering continuous improvement: Internal audits serve as a tool for continuous improvement. The insights from these audits provide actionable steps for refining the organization’s management system and addressing any identified gaps. By regularly reviewing and enhancing corrective actions and updating processes as necessary, organizations can promote an ongoing culture of quality improvement. 
• Effective communication and documentation: Documenting internal audit findings comprehensively and communicating them clearly across relevant departments is vital for impactful follow-up actions. Such transparent communication keeps team members informed and enables management to implement necessary adjustments.

By following these steps, organizations can maximize the benefits of their internal audits, enhance their management systems, and drive ongoing compliance and operational efficiency improvements.

Review and update documentation

Up-to-date documentation is critical to demonstrate audit readiness. Comprehensive records, including management reviews, policy changes, and corrective actions taken since the last audit, should be readily accessible. 

During the document review phase, auditors will check that all documentation reflects the current state of the organization’s management system. This documentation should include quality manuals, incident logs, and management review documents, all of which should show an accurate history of actions taken to maintain compliance. 

Maintaining current and accurate documentation is vital for an efficient audit experience.

Train and prepare employees

Employees should be informed and engaged in compliance efforts. Employee awareness is vital, as auditors may conduct interviews to assess how effectively compliance protocols are understood and applied at various organizational levels. 

Regular management review meetings and ongoing training sessions help keep employees up-to-date on their roles and responsibilities within the management system. This is particularly crucial in remote organizations, where department leaders should clearly define their compliance strategies, ensuring every employee adheres to established protocols and understands the significance of their role in maintaining certification standards.

Use compliance software

Leveraging compliance software (like Thoropass!) can significantly enhance audit preparedness. These platforms aid in managing documentation, tracking deadlines, and generating necessary reports, helping organizations stay organized and proactive.

Compliance software automates key tasks, such as document updates and audit trail management, reducing the administrative burden on teams and enabling a more efficient audit process. By streamlining documentation and maintaining records in one centralized location, compliance software fosters consistent audit readiness and supports continuous improvement efforts.

How Thoropass can help

Compliance software is pivotal in supporting organizations through the surveillance audit process, especially for medium and large companies managing extensive compliance requirements. With its robust features, compliance software can simplify audit preparation and enhance quality management across the organization. 

For example, Thoropass is a comprehensive compliance platform that streamlines key aspects of audit preparation, allowing companies to save time and resources while ensuring ISO standard compliance. Here’s how compliance software, including Thoropass, assists in critical areas of surveillance audits:

• Document management: Thoropass offers centralized document management, enabling teams to track changes, maintain updated records, and organize essential documents in a single, accessible location. This functionality simplifies document review, especially during the audit process, by allowing auditors to locate and verify policies, procedures, and other documentation efficiently. 
• Continuous evaluation and reminders: Tracking surveillance audits, internal audits, and management reviews can be challenging without automated support. Thoropass automates reminders for upcoming audits and regulatory updates, enabling teams to stay on top of compliance requirements. This proactive feature helps prevent last-minute preparation stress and ensures your organization remains audit-ready year-round.
• Generating audit-ready reports: With tools like Thoropass, organizations can create comprehensive audit reports that compile relevant data, summarize findings, and highlight areas of compliance. These reports are formatted and structured for ease of review, ensuring auditors have all necessary information at their fingertips. 
• Streamlined corrective actions and continuous improvement: Thoropass enables organizations to track and document corrective actions, ensuring they are effectively implemented and monitored over time. 
• Enhanced collaboration across teams: Compliance software like Thoropass provides tools that allow teams to assign tasks, share updates, and communicate audit-related information in real time. This collaborative framework ensures that every department is aligned with compliance objectives and that roles and responsibilities are clearly defined throughout the audit process.

For medium and large companies, using compliance software like Thoropass can save time, reduce resource expenditure, and mitigate risk. By centralizing compliance management and offering a comprehensive suite of tools, Thoropass empowers organizations to maintain ISO compliance with efficiency and confidence, ensuring they are consistently audit-ready. Ready to see how it works? Check it out here.

Common findings and corrective actions in surveillance audits

Surveillance audits often uncover recurring issues such as documentation gaps, unaddressed non-conformities, or inadequate management system controls. Proactively addressing these issues can lead to smoother audits and sustained compliance. Here are a few examples of common findings and their remedies:

Outdated documentation

One frequent finding is outdated documentation. To address this, ensure that your Information Security Management System (ISMS) policies and procedures are current and accurately reflect recent process improvements. Regular updates and reviews of documentation are essential to maintain compliance and effectiveness.

Lack of preventive actions

Surveillance audits often emphasize the importance of preventive and corrective actions. Establishing these practices not only aids in compliance but also reduces risks in future audits. Implementing a robust system for identifying potential issues and applying preventive measures can significantly mitigate non-conformities.

Inadequate internal audits

As we saw above, internal audits are crucial for strengthening the continuous improvement framework, a key focus of surveillance audits. Conducting routine internal audits helps identify potential issues early, allowing for timely corrective actions and fostering a culture of ongoing enhancement.

Organizations can proactively manage compliance issues by addressing these common findings with effective preventive and corrective actions, preventing them from escalating into more significant risks. This approach ensures smoother surveillance audits and enhances the overall quality and reliability of management systems.

Addressing non-conformities in surveillance audits

Swiftly managing non-conformities found in surveillance audits is crucial for ISO compliance and continual improvement. Organizations should act promptly, implementing corrective and preventive measures with structured follow-up to enhance their Information Security Management System (ISMS). Here’s how to address non-conformities effectively:

Immediate actions

Minor non-conformities, such as documentation gaps, should be corrected quickly, while major ones require immediate attention before any follow-up audit. After the audit, management should prepare a corrective action plan outlining steps to resolve these issues and assign responsibility to specific team members.

Corrective and preventive actions

• Corrective actions target the root causes of existing non-conformities to prevent recurrence. For example, this might include retraining or procedural updates. 
• Preventive actions address potential issues, helping to mitigate future risks. Conducting a risk assessment can prioritize critical areas, ensuring focused attention on high-impact gaps.

Follow-Up

Continuous monitoring verifies that corrective and preventive actions are effective. This includes root cause verification, regular assessments to confirm sustained improvement, and thorough documentation to support future audits.

Organizations can maintain compliance and reinforce their management systems through immediate action, targeted corrective and preventive steps, and diligent follow-up, driving ongoing improvement and resilience.

Frequently asked questions

---