ISO 27001
February 2026
Why most ISO 27001 programmes fail their first surveillance audit
By Swapna De., Managing Director, AuditVantage® GmbH
The first surveillance audit arrives twelve months after initial certification. By that point, many organisations discover that the programme they built does not actually reflect how their business operates.
This is not an auditor problem. It is a design problem, almost always traceable to the same root cause: the ISMS was built around what the standard requires on paper, rather than around the organisation's actual risk profile, processes, and people.
The template trap
Policy libraries and compliance templates can get an organisation to a Stage 2 audit. They cannot sustain a programme through its first year of operation. The auditor at surveillance is not looking for the right policies on file; they are looking for evidence that the policies are being followed, that the controls are operating, and that management is genuinely engaged with the ISMS.
A policy that nobody reads and a control that nobody operates are equally useless to a surveillance auditor. The evidence required is evidence of a living system, not a documented one.
Where programmes typically break down
Internal audit not completed. ISO 27001 requires internal audits to be conducted before the surveillance visit. Many organisations complete this too close to the audit date to address findings.
Management review not evidenced. Management review is a Clause 9 requirement. A meeting without minutes, action items, or documented outputs does not satisfy the standard.
Controls not operating. Controls designed at implementation are often not embedded twelve months later. Staff turnover, process changes, and competing priorities erode implementation.
Corrective actions not tracked. Nonconformities from Stage 2 require corrective actions. Surveillance auditors will check that these were addressed.
How to build a programme that holds
The difference between programmes that hold at surveillance and those that do not is almost always the quality of thinking that happened before implementation began. A well-designed ISMS reflects how the organisation actually works: its real processes, its real risk owners, and its real operational constraints.
AuditVantage® designs ISMS programmes from the ground up, shaped around your specific risk profile and operations. Get in touch to discuss your situation.
Frequently asked questions
Related questions on this topic, answered from the audit chair.
How long does ISO 27001 certification typically take?
For most small and mid-sized organisations starting from a moderate baseline, the path from kick-off to a Stage 2 certification decision is six to twelve months. Organisations with strong existing controls and clear scope can move faster. Organisations starting with weak documentation, fragmented operations, or unclear scope typically take longer. The bottleneck is rarely the audit itself; it is the implementation work that precedes it.
What is the difference between ISO 27001 and ISO 27002?
ISO/IEC 27001:2022 is the certifiable standard. It defines the management system requirements that a certification body audits against. ISO/IEC 27002:2022 is implementation guidance that describes each Annex A control in detail. You certify against ISO 27001. You use ISO 27002 to understand and implement the controls. Reading 27002 alongside the standard is essential; reading it as a substitute for the standard is a common mistake.
How often do surveillance audits happen after certification?
ISO 27001 certificates run on a three-year cycle. The initial certification audit is followed by annual surveillance audits in years one and two, and a full recertification audit in year three. Surveillance audits are smaller in scope than the initial Stage 2, but they sample core controls and check that the management system continues to operate. Missing or weak evidence at surveillance can result in nonconformities, just as at initial certification.
Can I exclude parts of my business from the ISO 27001 scope?
Yes. Scope decisions are part of the management system design and the certification body audits the scope you declare. Exclusions must be defensible: they must reflect a real boundary in your operations rather than an attempt to avoid auditing difficult areas. A scope that excludes a function whose information assets are still relevant to certified services will be challenged. Scope is one of the first things a Stage 2 auditor tests.
What happens if I fail the Stage 2 audit?
Stage 2 produces a finding category for each issue. Minor nonconformities require a corrective action plan and evidence of remediation, but do not block certification. Major nonconformities must be closed before certification can be issued, which usually involves a follow-up audit. Failing Stage 2 is rare for organisations that have done genuine preparation; it is common for organisations that approached Stage 2 as a paperwork exercise.
Does ISO 27001 require specific technology or tools?
No. ISO 27001 is technology-neutral. It requires that you manage information security risks effectively through controls, processes, and governance, but it does not specify which products, vendors, or platforms you must use. The Annex A controls are outcomes-based. Two organisations can meet the same control through very different technical implementations as long as the outcome is achieved and documented.