ISO 27001 surveillance audits cause stress in many organizations—and with good reason. If documentation is scattered, responsibilities unclear, and evidence of practical implementation lacking, the audit day can quickly turn hectic and costly. Often, the problem isn’t that things haven’t been done, but that they can’t be clearly demonstrated.
This article walks you through how to prepare for an ISO 27001 surveillance audit so that you know what the auditor is likely to ask, what evidence to gather in advance, and how to organize the day without unnecessary hassle. You’ll get both background information and a concrete action plan you can apply immediately in your own company.
What Does an ISO 27001 Surveillance Audit Actually Mean?
A surveillance audit is a certification maintenance check that verifies your organization’s information security management system (ISMS) is still functioning as planned. It’s not just about documents existing, but about using, updating, and monitoring them in everyday operations.
In SMEs, this usually appears through practical questions. The auditor may want to see, for example, your risk assessment, incident handling, access rights management, or minutes from management reviews. They will also typically want to confirm that agreed-upon practices are actually being followed.
A surveillance audit typically reviews at least the following:
- Whether the scope covered by ISO 27001 is still current
- Whether the risk assessment has been updated within the last 12 months or after significant changes
- Whether internal audits have been conducted as scheduled
- Whether management has reviewed information security status at least once per year
- Whether incidents, observations, and corrective actions are documented and closed within agreed timelines
- Whether selected controls are justified and effectively implemented
Note
An ISO 27001 surveillance audit is not the same as an initial certification audit. The auditor expects the basic structure to be in place and focuses on how the management system operates in practice.
Where Do Companies Usually Stumble?
The most common challenge is not a single missing document but inconsistencies across the system. Your risk register may be updated, but resulting actions aren’t visible in task lists. The access rights process might be described, but accounts for former employees haven’t been removed within 24 hours as the company policy requires.
Another typical problem is over-reliance on one person’s knowledge. If only the information security officer knows how things work, the auditor may conclude the system isn’t embedded in the organization.
Check especially these risk areas before the audit:
- Documented processes that don’t reflect current practices
- Metrics defined but not regularly monitored
- Internal audit findings left unresolved without deadlines
- No evidence of staff information security training within the past 12 months
- Supplier assessments performed once but not updated when contracts change
- Backup in place but no recovery tests done in the last 6–12 months
Warning
A common mistake is preparing only from the documents’ perspective. Without practical evidence like tickets, approvals, logs, or training records, even good documentation remains incomplete.
What Evidence Should You Gather in Advance?
Good preparation means having key materials quickly accessible in one place. Practically, this might be a folder structure, a workspace compiled for the audit, or a system like Tietoturvapankki where documents, tasks, and monitoring appear in one view.
Think from the auditor’s perspective: if they ask about something, can you show the answer in 2–5 minutes? If not, your materials are probably too scattered.
The following table helps highlight what to collect:
| Area to Review | Sample Evidence | Recommended Period | Responsible Person |
|---|---|---|---|
| Risk Management | risk register, treatment plan, approvals | latest version + changes in last 12 months | information security officer |
| Internal Audit | audit plan, report, corrective actions | latest audit cycle | quality or information security officer |
| Management Review | minutes, decisions, metrics, resource decisions | at least once per year | management |
| Access Rights Management | account requests and removals, approvals, checklist | sample from last 3–6 months | IT |
| Incident Management | incident log, root cause, corrective actions | last 12 months | process owner |
| Training and Competence | attendance lists, training materials, acknowledgements | last 12 months | HR / supervisors |
| Supplier Management | assessments, contracts, information security requirements | active suppliers | procurement / IT |
How to Organize the Audit Day Smoothly?
A surveillance audit goes better when the day is scripted in advance. This doesn’t mean rehearsing answers by heart but ensuring the right people are available at the right time and materials can be found without delay.
A good practice is to appoint one main coordinator and 2–4 key personnel, each responsible for their own area. In SMEs, these roles usually include management, IT, the information security officer and, if needed, HR or customer service.
Plan at least the following ahead:
- Hourly audit schedule
- Who attends the opening and closing meetings
- Who presents documents and where they are located
- Who handles technical questions like logs or backups
- How additional requests are handled during the day
- Where the auditor’s observations and follow-ups are recorded immediately
Tip
Hold a 30-minute internal dry run about a week before the surveillance audit. Cover three questions: what is the auditor likely to ask, who answers, and where is the evidence found.
Conduct an Audit Review 2–4 Weeks Ahead
Gather key responsible people and review changes from the past 12 months: new systems, organizational changes, incidents, and open actions. The goal is to identify 3–5 critical risks or gaps that need closing before the surveillance audit.
Update Critical Documents and Ensure Consistency
Check that the risk assessment, scope, applicability statement, internal audit results, and management review are up to date. Make sure documented practices reflect current operations and outdated systems or roles are removed.
Collect Practical Evidence in an Audit Folder
Create a single, clear view or folder structure where you can find requested materials within 2–5 minutes. Include, for example, access requests, examples of removed accounts, training acknowledgments, incident handling, and backup test results.
Prepare Key Personnel to Answer About Their Work
Review each participant’s responsibilities, recent changes, and likely questions. It’s enough if they can clearly explain what is done, the timeline, and how the process is verified.
Agree on Rules and Follow-Up Actions for Audit Day
Assign one person to document observations, additional requests, and deadlines in real time. If the auditor raises an issue, agree on an owner and target date the same day, for example starting corrective actions within 5 business days.
Questions to Prepare Answers For in Advance
The auditor usually doesn’t expect perfect answers but consistent evidence that your organization controls its information security. Prepare short, practical answers for the most common questions.
You can even test these internally before the audit:
- How do you identify and assess information security risks?
- When was the risk assessment last updated?
- How do you ensure access rights for departing employees are closed within 24 hours?
- How is staff trained regarding information security, and how do you show this?
- What happens when an information security incident is detected?
- How does management monitor information security objectives and metrics?
- How do you assess critical suppliers?
- When was the last time backups were tested for recovery?
A good answer is often brief and verifiable. For example: “The departing employee’s manager submits a service request, IT closes the accounts the same workday, and the ticket system records the confirmation.” This is much stronger than a general claim that “we have a process.”
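The 24-hour offboarding answer above can be verified against the ticket records before the audit instead of asserted. The following is an added example, not code from the original article: a Python check over constructed offboarding records that flags tickets which breach the 24-hour limit or have no disable confirmation, and limits the sample to the last 3–6 months as the evidence table suggests. The record layout, field names and timestamps are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data): one row per departing
# employee, with the time the manager's service request was raised and
# the time IT confirmed in the ticket that all accounts were disabled.
OFFBOARDING_RECORDS = [
    {"ticket": "SR-1001", "user": "a.user",
     "notified": "2024-03-04T09:15", "disabled": "2024-03-04T11:40"},
    {"ticket": "SR-1002", "user": "b.user",
     "notified": "2024-03-11T16:00", "disabled": "2024-03-13T08:30"},
    {"ticket": "SR-1003", "user": "c.user",
     "notified": "2024-03-20T10:00", "disabled": None},   # never confirmed
    {"ticket": "SR-0900", "user": "d.user",
     "notified": "2023-06-01T09:00", "disabled": "2023-06-05T09:00"},  # old
]

SLA = timedelta(hours=24)          # the policy limit stated in the article
TS_FORMAT = "%Y-%m-%dT%H:%M"       # assumed timestamp format of the export


def _parse(ts):
    return datetime.strptime(ts, TS_FORMAT)


def sample_window(records, as_of, days=183):
    """Keep only requests raised within the last ~6 months before as_of."""
    cutoff = as_of - timedelta(days=days)
    return [r for r in records if _parse(r["notified"]) >= cutoff]


def check_offboarding(records, sla=SLA):
    """Return (ticket, reason) for every record that cannot prove the SLA.

    A record fails if no disable confirmation exists or if the time between
    the request and the confirmation exceeds the SLA.
    """
    findings = []
    limit_h = sla.total_seconds() / 3600
    for r in records:
        if r["disabled"] is None:
            findings.append((r["ticket"], "no disable confirmation recorded"))
            continue
        elapsed = _parse(r["disabled"]) - _parse(r["notified"])
        if elapsed > sla:
            hours = elapsed.total_seconds() / 3600
            findings.append((r["ticket"],
                             f"accounts disabled after {hours:.1f} h "
                             f"(limit {limit_h:.0f} h)"))
    return findings


if __name__ == "__main__":
    recent = sample_window(OFFBOARDING_RECORDS, datetime(2024, 4, 1))
    for ticket, reason in check_offboarding(recent):
        print(f"{ticket}: {reason}")
```

Tickets that pass silently are the evidence to show; each finding is an item to assign an owner and target date before the audit.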
Common Last-Minute Fixes Before the Audit
In the final week, don’t try to rebuild the whole management system. Instead, focus on gaps that most affect the audit’s smoothness and number of findings.
Here is a practical prioritization model:
| Priority | Issue to Fix | Why This? | Target Timeframe |
|---|---|---|---|
| 1 | Open incidents with no owner | Shows lack of control | Assign an owner immediately |
| 2 | Missing management review or internal audit | Core ISO 27001 requirement | Arrange before the audit |
| 3 | Inconsistency between document and practice | Causes additional questions | Update document within 1 week |
| 4 | Missing training evidence | Easy for auditor to check | Gather acknowledgments in 3–5 days |
| 5 | Scattered evidence | Slows audit | Compile folder before the audit |
If you can’t fix everything, be open. Auditors usually value a realistic status and clear improvement plan over rushed superficial fixes.
How Does Tietoturvapankki Make Preparation Easier?
In many SMEs, the biggest challenge is time, not lack of understanding. When documents, tasks, responsibilities, and monitoring are scattered, preparing for a surveillance audit can easily take several workdays. This also increases the risk of missing something important.
Tietoturvapankki is designed specifically for this problem. It combines an application with expert support so that maintaining an ISO 27001 management system isn’t left to scattered Excel sheets or sticky notes. When risks, actions, documents, and audit evidence are managed in one place, preparing for surveillance audits transforms from a project into a routine.
If your organization also applies ISO 9001 quality management, the same mindset supports both systems. Tietoturvapankki is operated by Softapankki Oy and QMClouds Oy, which are also part of the group behind Laatupankki, the group’s quality management brand.
Summary
- ISO 27001 surveillance audits go best when documents, evidence, and responsibilities are ready before audit day.
- Pay special attention to risk management, internal audits, management reviews, access rights, and incident handling in the last 12 months.
- A good goal is to find requested materials within 2–5 minutes and demonstrate how practices work in everyday operations.
- Prepare 2–4 key personnel to answer questions about their processes clearly and with evidence.
- Avoid last-minute superficial fixes; prioritize critical gaps and document corrective actions realistically.