
ISO 27001 Recertification: What Changes After 3 Years?
Heading 1
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6
Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.
Block quote
Ordered list
- Item 1
- Item 2
- Item 3
Unordered list
- Item A
- Item B
- Item C
Bold text
Emphasis
Superscript
Subscript
Heading 1
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6
Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.
Block quote
Ordered list
- Item 1
- Item 2
- Item 3
Unordered list
- Item A
- Item B
- Item C
Bold text
Emphasis
Superscript
Subscript

ISO 27001: Surveillance vs. Recertification
ISO 27001 certification operates on a three-year cycle. Within this cycle, you'll encounter two types of audits.
Surveillance Audit (Years 1 and 2)
Shorter and more focused, but not a quick scan. The auditor will at least assess your internal audits, management review, follow-up on previous findings, complaints, and any scope changes. The auditor will also delve deeper into one specific topic, as the entire standard does not need to be audited. The audit plan is set for 3 years from the initial audit. The auditor takes a sample from Annex A, varying each year rather than auditing all 93 controls at once. The goal is to confirm that your ISMS (Information Security Management System) is maintained and not stagnant.
Recertification Audit (Year 3)
A full audit, comparable to the original certification. The auditor assesses your entire scope against all relevant controls from Annex A, your risk analysis, your Statement of Applicability (SoA), your management reviews, and your internal audits. Based on this, your certificate is reissued for the next three years. There are no Phase 1 and Phase 2 audits, as was the case with your initial audit.
How to prepare for your ISO 27001 recertification or surveillance audit
Step 1. PDCA is an ongoing process
Normally, there shouldn't be a starting point for preparation, as the idea is that the PDCA cycle continuously runs and you always keep your ISMS up-to-date. If you're a bit behind, allow for a six-month preparation period for the recertification audit. Schedule the external audit and work backward from that date.
Step 2. Conduct an internal audit (and take your time)
Chapter 9.2 of the standard mandates internal audits. For recertification, conduct a thorough internal audit of your entire scope, not just what has changed since last year. A good internal audit will uncover findings that would otherwise be identified by the external auditor.
Step 3. Conduct a complete management review
The management review is your dedicated management time. During this, you address risks, performance, incidents, follow-up on previous findings, and changes in scope or context. The external auditor will read the minutes: ensure all Chapter 9.3 topics have been discussed and documented. Need a template? You can download it here.
Step 4. Update open non-conformities, SoA, asset register, and risk treatment plan
Review all findings from previous audits. What is still open? What has been closed, but without verifiable action? Update your SoA with any scope changes, check if your risk analysis and risk treatment plan are up to date, and review your asset register. An SoA from two years ago is a red flag for a recertification audit, and the same applies to an asset register that hasn't been touched since the initial audit.
How much does ISO 27001 recertification cost?
The costs of recertification are usually in the same ballpark as the original audit. You can influence them in three ways:
- Thorough preparation: the better prepared you are, the more efficient the audit days will be. A rigorous internal audit beforehand is your best investment. This allows all employees to return to their daily tasks as quickly as possible.
- Stable scope: scope changes during recertification lead to additional audit hours.
- Certificate Maintenance: regularly maintaining your ISMS prevents last-minute scrambles.
Frequently asked questions
Will I receive an entirely new certificate?
Yes. The old certificate formally expires; the new one is issued for the next three years. Your certificate number usually remains the same: convenient for customer communication and tenders.
What if I receive findings during recertification?
You resolve minor non-conformities within an agreed timeframe. For a major non-conformity, the certifying body will only issue or extend the certificate once the corrective action and evidence of effectiveness have been accepted: usually within 90 days. Often, the auditor will also visit again.
Can I switch certifying bodies during recertification?
Yes, but expect extra work. Depending on the file transfer, a new CB will conduct a transfer review or a full Stage 1 audit. IAF rules mandate this; a 'we'll take it over' without a check doesn't exist.
Do I have to go through Stage 1 and Stage 2 again during recertification?
No. For an already certified organization, a single integrated recertification audit is often conducted instead of two stages. Coordinate this with your CB.
Ready for your recertification?
Recertification is not just a tick-box extension. It's a full assessment. Want to know more?
- Read more about ISO 27001 in our guide
- Schedule a free, no-obligation consultation in





















