When does the surveillance audit generally occur?

Study for the ISO/IEC 27001 Lead Auditor Certification Test. Prepare with comprehensive flashcards and multiple choice questions with hints and explanations. Get ready for your certification!

A surveillance audit is typically performed after an organization has obtained certification to ensure that it continues to comply with the standards set by ISO/IEC 27001. This type of audit is a mechanism for assessing the ongoing adequacy and effectiveness of the Information Security Management System (ISMS). Conducting surveillance audits at regular intervals helps to monitor the system’s performance, verify that the established controls are still effective, and ensure continuous compliance with the standard.

Surveillance audits are generally scheduled annually or at defined intervals following certification to affirm that the organization maintains the required standards and addresses any potential improvements or changes in risk. This process allows the certifying body to ensure that the organization consistently observes the practices outlined in the ISO/IEC 27001 standards, making it essential for sustaining certification.

The timing of a surveillance audit is fundamental as it establishes a routine that fosters an environment of continual improvement and preparedness for any future recertification audits that may occur at the end of the audit cycle.
