Last Updated on June 19, 2024
Learn about the audits you will face to achieve and maintain certification, what’s involved, and the cost you can expect to pay to achieve and maintain certification
Download our ISO 27001 Audits Guide now!
One of the most common questions we hear in our ISO 27001 practice is:
What audits will I be facing to get and maintain my ISO 27001 certificate?
There are four different ISO 27001 audits you can expect to face to gain and maintain certification:
- Certification audit
- Internal audit
- Surveillance audit
- Recertification audit
Below, you will find a quick overview of the each of the four ISO 27001 audit categories.
ISO 27001 Audits Overview
Certification Audit
This is the first audit performed by the certification body or Registrar and is exactly what the name suggests. If passed, you will receive your ISO 27001 certificate.
- Who conducts ISO 27001 Certification Audits?
Certification body - Certification Audit frequency:
Performed once, when you are first awarded your certificate
Internal Audit
The ISO 27001 standard requires a certified organization to review its information security management system (ISMS) at planned intervals, most often annually. The focus is to ensure that each area of the ISMS is reviewed within the three-year period leading up to recertification. This audit demonstrates top management’s commitment to ensuring the effectiveness of the ISMS, which positions a certified organization for a successful audit by the certification body.
- Who conducts ISO 27001 Internal Audits?
Independent party (internal or external resource) with sufficient expertise - Internal Audit frequency:
Performed once every year
Learn more: Certification Audits vs. Internal Audits
Surveillance Audit
Held in years one and two after initial certification, and also in years one and two following each recertification. The certification body will focus on clauses 4-10 of ISO 27001 and take a risk-based approach to Annex A controls. However, typically all applicable controls are reviewed during a Surveillance Audit to ensure effectiveness of each control.
- Who conducts Surveillance Audits?
Certification body - Surveillance Audit frequency:
Performed in years one and two after certification and recertification audits
Recertification Audit
Held every three years, with the certified organization being required to provide a significant level of detail, artifacts, and evidence. The goal is to continue to demonstrate management’s commitment to and ongoing improvement of the ISMS to ensure its effectiveness.
- Who conducts Recertification Audits?
Certification body - Recertification Audit frequency:
Performed once every three years
For more information, including the costs you can expect with each audit and a sample audit schedule, download our ISO 27001 Audits Guide. It’s a great reference tool for understanding the effort, cost factors, and people involved in gaining and maintaining ISO 27001 certification.