May 2026. Certified ISO 27001 organisations face an annual surveillance audit. In 2026, auditors less and less often accept “we have a policy” on its own; they sample whether the policy is actually executed.
Recurring themes
- Statement of Applicability: every excluded or modified control needs a current risk rationale and a named owner.
- Management review: evidence of decisions taken, not minutes alone; KPIs reviewed and open actions tracked to closure.
- Suppliers: documented reviews of high-risk suppliers, not just completed questionnaire templates.
- Logging and monitoring: who handles alerts, and what is the response time?
- Corrective actions: are internal audit findings actually closed, with evidence?
Prepare without panic
Start 8 to 10 weeks before the surveillance audit: revisit the previous audit's findings, refresh the SoA, and bundle evidence per control set. See audit preparation and evidence.
