May 2026. ISO 27001 certified organisations face annual surveillance. In 2026 auditors less often accept policy without sampling of operation. Certification bodies look at SoA, management review, vendors, logging and corrective actions.
Themes that return more often
- Statement of Applicability: exclusions with current risk rationale and owner.
- Management review: decisions, KPIs and open actions — not minutes alone.
- Vendors: reviews on high-risk vendors, not contract templates only.
- Logging & monitoring: who handles alerts, what is response time?
- Corrective actions: do internal findings actually close?
Preparation without panic
Start 8–10 weeks before surveillance: revisit prior findings, refresh SoA, bundle evidence per control set. See audit preparation and evidence. Smooth surveillance usually means ownership was visible all year.
Sampling tips
- Bundle evidence per Annex A cluster in one folder or tool.
- Let line managers explain their controls — not only the CISO.
- Show change and patch tickets alongside policy for technical controls.
2026 surveillance emphasises chain and cloud: auditors ask how SaaS vendors sit in the SoA and whether access reviews really happen. Prepare samples on IdP roles, privileged accounts and log retention — with dates in the sample period.
Management review must show visible decisions on open risks, investment and accepted exceptions. Without a governance trail, a technically strong organisation can still get a major on governance.
Revisit prior surveillance and internal audit findings. Show CAPs closed or residual risk explicitly accepted. That separates repeating non-conformities from a moderate audit.
Ownership visible all year
Surveillance audits rarely fail on one missing document; more often on inconsistency between policy and samples. Let control owners maintain evidence all year — not cram two weeks before the auditor arrives.
Internal audit and prior surveillance findings are your checklist: show CAPs closed or residual risk explicitly accepted in management review. Repeating minors on the same theme escalate faster to major.
Prepare line managers to explain their controls briefly. An auditor who only speaks to the CISO misses signals about real execution in teams.
Keep a calendar with evidence deadlines tied to your audit cycle. Quarterly vendor, access and logging reviews fit naturally there.
Plan a dry run four weeks before surveillance: same samples the auditor will likely take. Internal audit can facilitate. Findings there are cheaper than at the certification body.
Preparation four weeks before surveillance
Plan a dry run with the same samples the auditor will likely take: three changes, two offboardings, one restore, logging from one week. Internal audit or the CISO can facilitate — findings there are cheaper than at the certification body.
Check that management review minutes, internal audit reports and CAP status are current. Surveillance in 2026 focuses on operation: can you show evidence that controls actually ran in the sample period?
State scope changes since the last audit explicitly in the opening meeting. Surprises about new SaaS or sites cause findings more often than technical gaps.
Next steps in your ISMS
Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.
Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.
Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.
What to do this week
Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.
Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.
Evidence and governance
Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.
