The first surveillance audit arrives twelve months after initial certification. By that point, many organisations discover that the programme they built does not actually reflect how their business operates.

This is not an auditor problem. It is a design problem, and it is almost always traceable to the same root cause: the ISMS was built around what the standard requires on paper, rather than around the organisation's actual risk profile, processes, and people.

The template trap

Policy libraries and compliance templates can get an organisation to a Stage 2 audit. They cannot sustain a programme through its first year of operation. The auditor at surveillance is not looking for the right policies on file — they are looking for evidence that the policies are being followed, that the controls are operating, and that management is genuinely engaged with the ISMS.

A policy that nobody reads and a control that nobody operates are equally useless to a surveillance auditor. The evidence required is evidence of a living system, not a documented one.

Where programmes typically break down

Internal audit not completed. ISO 27001 requires internal audits to be conducted before the surveillance visit. Many organisations complete the internal audit so close to the surveillance date that there is no time left to address its findings before the auditor arrives.

Management review not evidenced. Management review is a Clause 9 requirement. A meeting without minutes, action items, or documented outputs does not satisfy the standard.

Controls not operating. Controls designed at implementation are often not embedded twelve months later. Staff turnover, process changes, and competing priorities erode implementation.

Corrective actions not tracked. Nonconformities from Stage 2 require corrective actions. Surveillance auditors will check that these were addressed.

How to build a programme that holds

The difference between programmes that hold at surveillance and those that do not is almost always the quality of thinking that happened before implementation began. A well-designed ISMS reflects how the organisation actually works — its real processes, its real risk owners, its real operational constraints.

AuditVantage designs ISMS programmes from the ground up, shaped around your specific risk profile and operations. Get in touch to discuss your situation.