ISO 27001 Surveillance Audit Costs
Getting certified is only the beginning. ISO 27001 certificates require annual surveillance audits in years 1 and 2 of the 3-year certificate cycle, followed by a full recertification audit in year 3. Budgeting for ongoing costs is essential.
3-Year Certificate Cycle

| Audit | Audit days | Typical cost | Scope |
|---|---|---|---|
| Certification Audit (Year 0) | 3-7 | $8,000 to $30,000 | Full ISMS scope. Stage 1 documentation review followed by Stage 2 on-site verification. Every control declared applicable in your Statement of Applicability is in scope. |
| Surveillance Audit 1 (Year 1) | 1-2 | $2,500 to $8,000 | Subset of controls. Focus on high-risk areas, previous nonconformities, changes since certification, and continual improvement evidence. |
| Surveillance Audit 2 (Year 2) | 1-2 | $2,500 to $8,000 | A different subset of controls from Surveillance Audit 1, so that the certification audit and the two surveillance visits together cover the whole ISMS over the cycle. Evidence of management reviews and internal audits required. |
| Recertification Audit (Year 3) | 2-5 | $6,000 to $22,000 | Full-scope re-audit. Similar to the original certification but often shorter if the surveillance visits have been clean. Issues a new certificate and restarts the 3-year cycle. |
What Surveillance Audits Cover
Changes to the organisation
Any significant changes since certification: new products, acquisitions, new data types, staff restructuring, technology changes, or changes to third-party providers. Auditors specifically look for how you managed change within your ISMS.
Previous nonconformities
All major and minor nonconformities from previous audits must be closed with documented evidence. Failure to close nonconformities from prior audits is a common cause of certificate suspension.
Internal audit results
Evidence that the internal audit programme is still operating. Certification bodies expect at least one documented internal audit per year, with the programme planned so that the full ISMS scope is covered across the 3-year certificate cycle.
Management review records
Minutes from senior management reviews showing ongoing oversight of the ISMS. Reviews must cover performance metrics, risk assessment results, audit findings, and improvement decisions.
Incident log and response
Records of any information security incidents, how they were managed, and lessons learned. Organisations with no incidents are sometimes asked to demonstrate that their detection capability would surface incidents if they occurred.
Continual improvement evidence
ISO 27001 requires evidence of ongoing improvement, not just maintenance of the status quo. This can include new controls implemented, metrics improving, training records, or risk assessment updates.
How to Reduce Surveillance Audit Cost
- Maintain continuous evidence collection throughout the year rather than scrambling before each audit. Use GRC tooling to automate evidence gathering.
- Conduct your internal audit 6 to 8 weeks before the surveillance visit so any findings can be addressed in advance.
- Keep nonconformity registers up to date with clear closure evidence. Auditors spend much less time when records are tidy.
- Negotiate multi-year surveillance pricing with your certification body at the time of initial certification. Lock in day rates for both surveillance years and, where possible, the recertification audit.
- Request remote surveillance audits where your certification body permits them. Remote audits are typically 20 to 40% cheaper than on-site visits, mostly because auditor travel time and expenses are removed.
- Prepare a change register documenting all significant changes since the last audit. Presenting this upfront reduces auditor time spent discovering changes.
Consequences of Failing a Surveillance Audit
Minor Nonconformity
Typically 30 to 90 days to close with documented corrective action and evidence, and in any case before the next audit. Certificate maintained.
Major Nonconformity
Root cause analysis and corrective action must be verified by the certification body, usually within a fixed deadline (commonly 90 days). If it is not closed in time the certificate is suspended, and a follow-up or re-audit may be required before it is reinstated.
Certificate Withdrawal
Rare but possible for persistent major nonconformities or non-cooperation. Requires full re-certification.