Certification day feels like the end of the journey. The Stage 2 audit is done. The certificate is issued. The news goes on the website, the LinkedIn announcement gets forty-seven likes, and the security team allows itself a moment of quiet satisfaction.

Then six months pass, and nobody has updated the risk register. The management review that was supposed to happen in Q4 got pushed to Q1 and then quietly forgotten. Two new systems have been deployed that are not in scope. The information security policy references the old standard. And the surveillance audit is seven weeks away.

This is the most common story in enterprise information security, and it plays out across organisations of every size. Certification is treated as the objective. Maintenance is treated as an afterthought.

This post is a direct account of what ISMS maintenance actually requires — and why the organisations that take it seriously end up with something far more valuable than a certificate.

Why ISMS Programmes Lose Momentum After Certification

The certification journey has a natural urgency. There is a deadline, a defined output, and external accountability — the certification body’s audit. That combination drives activity. People attend meetings, documents get written, evidence gets collected, because there is a clear and visible consequence for not doing those things.

After certification, that external pressure is replaced by a self-managed cycle. The organisation is expected to run the ISMS continuously, update it as circumstances change, audit it internally on a planned schedule, and present evidence of ongoing operation at surveillance audits. There is no countdown timer. There is no external project manager. And in many organisations, there is no dedicated resource to keep the momentum going.

The result is predictable. The ISMS becomes a documentation library. Controls that were operating during the certification push quietly stop being maintained. Evidence stops being collected. The surveillance audit catches up with the gap, and the organisation faces findings that could have been prevented with consistent maintenance.

What ISO 27001 Actually Requires After Certification

The standard’s requirements do not pause after you receive your certificate. The following are ongoing obligations, not one-time activities:

Risk assessment reviews. Your risk register must be reviewed at planned intervals and whenever significant changes occur — new systems, new services, changes in the threat landscape, changes in the regulatory environment. “Significant change” is broader than most organisations treat it. A new cloud platform, a new supplier with access to your data, a new product line, a merger or acquisition — all of these should trigger a risk assessment review.

Internal audits. Conducted at planned intervals, covering the full scope of the ISMS. Not the same audit every year with the same findings. A programme that revisits areas of weakness, tracks corrective action closure, and adjusts its focus based on what the previous year’s evidence showed.

Management reviews. ISO 27001 Clause 9.3 specifies the inputs to a management review — including the status of previous actions, changes in internal and external issues, information security performance data, and continual improvement opportunities. These reviews must be documented, the decisions recorded, and the outputs tracked. A management review that produces a one-page set of minutes with no actions is technically compliant but practically useless.

Corrective actions. Every non-conformity — whether identified through internal audit, surveillance audit, incident review, or management review — must be addressed through a documented corrective action process. Root cause analysis, action planning, implementation, and verification of effectiveness. The corrective action register should be a living document, not a historical archive.

Policy and documentation reviews. Your information security policy, procedures, and the Statement of Applicability should be reviewed at least annually, and updated whenever the control environment, risk profile, or standard requirements change. Policies that reference the old standard, describe systems that no longer exist, or name individuals who have left the organisation are a surveillance audit finding waiting to happen.

The Surveillance Audit: What Auditors Look For

Annual surveillance audits are not shorter versions of the initial certification audit. They are specifically designed to test whether the ISMS has been operating continuously since the previous audit. Auditors will examine:

An organisation that maintained its ISMS consistently will pass a surveillance audit with minimal stress. An organisation that did not will find that a year’s worth of gaps is difficult to explain in a one-day audit.

The Recertification Cycle

ISO 27001 certificates are valid for three years, with annual surveillance audits. At the end of the three-year cycle, a full recertification audit is required. For organisations with a well-maintained ISMS, recertification is a formality. For organisations whose ISMS has drifted, it is a stressful and expensive catch-up exercise.

The organisations that find recertification easiest are the ones that treated the three years between certification events as a continuous programme, not as a quiet period punctuated by audit sprints.

What Good ISMS Maintenance Looks Like in Practice

Effective ISMS maintenance does not require a large team or a dedicated compliance function. It requires a structured calendar of activities, clear ownership, and a commitment to keeping the system honest — updating it when things change, rather than retrofitting changes to match the documentation.

For most small to medium-sized organisations, the practical choices are: build the internal capability to maintain it properly, or engage an external partner who manages the maintenance programme on their behalf. The second option is increasingly common among organisations whose primary business is not security — it keeps the ISMS current without adding permanent headcount, and it brings in expertise that most organisations cannot justify employing full-time.

Bitsecura’s ISMS Maintenance service is built for organisations that want their ISO 27001 certification to mean something year-round — not just at audit time. We manage your annual audit cycle, keep your documentation current, and make sure your surveillance audit is never a surprise. Certified once, maintained continuously.

If you are approaching your first surveillance audit — or if your ISMS has drifted and you want to understand how significant the gap is — talk to us here. No strings, no pitch. Just an honest conversation.


Bitsecura provides ISO 27001 implementation, internal audit, and ISMS maintenance services. Learn more about our ISO 27001 services.