Maintaining ISO 27001 Compliance: Year-Over-Year Guide
Getting ISO 27001 certified is just the beginning. Maintaining certification requires ongoing effort, but with the right approach, it becomes part of your normal operations. This guide covers how to sustain your ISMS effectively.
Key Takeaways
| Point | Summary |
|---|---|
| 3-year cycle | Year 1: Certification → Years 2-3: Surveillance audits → Year 4: Recertification |
| Surveillance audits | Partial scope (50-70% of initial), less intensive than certification |
| Ongoing activities | Daily monitoring, weekly reviews, quarterly access reviews, annual risk assessment |
| Required annually | Internal audit + management review (before surveillance audit) |
| Common challenges | Compliance fatigue, documentation drift, scope creep, organizational changes |
Quick Answer: ISO 27001 has a 3-year certification cycle with surveillance audits in Years 2-3. Maintain your ISMS through daily monitoring, quarterly reviews, and annual internal audits. Recertification in Year 4 is a full audit.
The ISO 27001 Certification Cycle
3-Year Certification Cycle
ISO 27001 Certification Lifecycle:
Year 1: Initial Certification:
- Implementation
- Stage 1 audit
- Stage 2 audit
- Certificate issued ✓
Year 2: First Surveillance:
- Ongoing ISMS operation
- Internal audit
- Management review
- Surveillance audit ✓
Year 3: Second Surveillance:
- Ongoing ISMS operation
- Internal audit
- Management review
- Surveillance audit ✓
- Prepare for recertification
Year 4: Recertification:
- Comprehensive audit
- New 3-year certificate ✓
- Cycle repeats
Surveillance vs. Recertification
| Audit Type | Timing | Scope | Duration |
|---|---|---|---|
| Surveillance | Years 1-2 after certification | Partial (sample) | 50-70% of initial |
| Recertification | Year 3 after certification | Full ISMS | Similar to initial |
Ongoing ISMS Activities
Daily Activities
| Activity | Owner | Details |
|---|---|---|
| Monitor security events | Security/IT | Review alerts and logs |
| Process access requests | IT | Follow access procedures |
| Handle incidents | Security/IT | Respond per incident process |
Weekly Activities
| Activity | Owner | Details |
|---|---|---|
| Review security metrics | ISMS Manager | Dashboard check |
| Address open items | Various | Corrective actions, risks |
| Vulnerability review | Security | Scan results, remediation |
Monthly Activities
| Activity | Owner | Details |
|---|---|---|
| Evidence review | ISMS Manager | Check evidence freshness |
| Control spot-checks | Various | Verify controls operating |
| Risk register review | Risk owners | Update status |
| Metrics reporting | ISMS Manager | Compile monthly report |
Quarterly Activities
| Activity | Owner | Details |
|---|---|---|
| Access reviews | IT/Managers | Review and certify access |
| Risk assessment update | ISMS Manager | Refresh risk register |
| Policy review | ISMS Manager | Check for needed updates |
| Training status | HR | Completion tracking |
Annual Activities
| Activity | Owner | Details |
|---|---|---|
| Full policy review | ISMS Manager | Review and update all policies |
| Comprehensive risk assessment | ISMS Manager | Full risk refresh |
| Internal audit | Auditor | Complete ISMS audit |
| Management review | Leadership | Formal ISMS review |
| Penetration test | Security | Annual security assessment |
| Surveillance audit | Certification body | External verification |
Quarterly Maintenance Calendar
Q1: Post-Audit Review
If audit was in Q4:
- Address any audit findings
- Document lessons learned
- Update processes based on feedback
- Plan improvements for the year
Standard Q1 tasks:
- Q4 access review (for previous quarter)
- Review security objectives for year
- Plan internal audit schedule
- Budget review for security
Q2: Operations Focus
Security operations:
- Q1 access review
- Vulnerability management review
- Incident response drill/tabletop
- Training completion check
Documentation:
- Mid-year policy spot check
- Update procedures for any changes
- Review SoA accuracy
Q3: Pre-Audit Preparation
If audit is in Q4:
- Internal audit
- Address internal audit findings
- Prepare management review
- Evidence collection review
Standard Q3 tasks:
- Q2 access review
- Penetration test (if annual)
- Business continuity test
- Vendor review update
Q4: Audit and Renewal
Surveillance/recertification audit:
- Final evidence preparation
- Host the external audit
- Address any findings
- Receive continued certification
Year-end activities:
- Q3 access review
- Complete policy reviews
- Finalize annual training
- Plan for next year
Managing Common Challenges
Challenge 1: Compliance Fatigue
Symptoms:
- Controls start slipping
- Documentation becomes outdated
- People lose focus on ISMS
Solutions:
| Approach | Action |
|---|---|
| Automate | Use tools for evidence collection |
| Integrate | Build ISMS into daily workflows |
| Celebrate | Recognize compliance achievements |
| Simplify | Remove unnecessary complexity |
Challenge 2: Organizational Changes
Triggers:
- New employees joining
- Employees leaving
- Role changes
- Organizational restructuring
Response:
| Change | ISMS Action |
|---|---|
| New hire | Onboarding training, access provisioning |
| Departure | Access removal, knowledge transfer |
| Role change | Access review, responsibility update |
| Restructure | ISMS scope review, ownership updates |
Challenge 3: System Changes
Triggers:
- New applications deployed
- Infrastructure changes
- Cloud migrations
- Acquisitions
Response:
| Change | ISMS Action |
|---|---|
| New system | Risk assessment, control implementation |
| Major change | Change management, SoA update |
| Migration | Security review, documentation update |
| Acquisition | Scope review, integration planning |
Challenge 4: Control Drift
Symptoms:
- Controls operating differently than documented
- Evidence doesn't match policy
- Audit findings increase
Solutions:
| Approach | Action |
|---|---|
| Monitor | Regular control testing |
| Alert | Automated compliance checks |
| Review | Periodic self-assessments |
| Correct | Address drift immediately |
Challenge 5: Documentation Staleness
Symptoms:
- Policies don't reflect current practices
- Procedures are outdated
- SoA is inaccurate
Solutions:
| Approach | Action |
|---|---|
| Schedule | Regular review calendar |
| Trigger | Update on process changes |
| Automate | Version control and reminders |
| Assign | Clear document ownership |
Surveillance Audit Preparation
What Auditors Check
| Focus Area | Auditor Interest |
|---|---|
| Previous findings | Were they addressed? |
| Changes | What's changed since last audit? |
| Effectiveness | Is ISMS working? |
| Sample controls | Do they operate as described? |
| Evidence | Is it current and complete? |
3-Month Preparation Timeline
3 Months Before:
- Review previous audit findings
- Verify corrective action completion
- Schedule internal audit
- Identify any scope changes
2 Months Before:
- Complete internal audit
- Address internal audit findings
- Hold management review
- Update documentation
1 Month Before:
- Final evidence review
- Complete any outstanding training
- Brief team on audit process
- Confirm audit logistics
1 Week Before:
- Final evidence check
- Prepare audit workspace
- Confirm auditor arrangements
- Brief key personnel
Evidence Preparation
| Evidence Type | Freshness Required |
|---|---|
| Access reviews | Current quarter |
| Training records | Within 12 months |
| Risk assessment | Within 12 months |
| Policy reviews | Within 12 months |
| Vulnerability scans | Current month |
| Incident records | Period since last audit |
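The freshness rules in the table above can be applied mechanically to an evidence register so stale or missing evidence shows up before the auditor asks for it. The following checker is an added example, not code from the original guide or from Bastion; the evidence type names, the register layout and the sample dates are assumptions constructed for the illustration.

```python
import calendar
from datetime import date

# Freshness rules transcribed from the Evidence Preparation table: "quarter"/"month" = dated
# in the current calendar quarter/month, 12 = within the last 12 months, "since_audit" = on/after it.
FRESHNESS_RULES = {"access_review": "quarter", "training_record": 12, "risk_assessment": 12,
                   "policy_review": 12, "vulnerability_scan": "month", "incident_record": "since_audit"}

def months_ago(today: date, n: int) -> date:
    """Same calendar day n months earlier, clamped to that month's last day."""
    year, month0 = divmod(today.year * 12 + today.month - 1 - n, 12)
    day = min(today.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)

def is_fresh(kind: str, dated: date, today: date, last_audit: date) -> bool:
    rule = FRESHNESS_RULES[kind]
    if dated > today:
        return False  # future-dated evidence is a data-entry error; never count it as fresh
    if rule == "quarter":
        return dated.year == today.year and (dated.month - 1) // 3 == (today.month - 1) // 3
    if rule == "month":
        return (dated.year, dated.month) == (today.year, today.month)
    if rule == "since_audit":
        return dated >= last_audit  # older incidents belong to an already-audited period
    return dated >= months_ago(today, rule)

def freshness_report(register, today: date, last_audit: date) -> dict:
    """Per evidence type: 'fresh' if some item meets its rule, 'stale' if none do, 'missing' if absent."""
    report = {kind: "missing" for kind in FRESHNESS_RULES}
    for item_id, kind, dated in register:
        if kind not in FRESHNESS_RULES:
            raise ValueError(f"{item_id}: unknown evidence type {kind!r}")
        if is_fresh(kind, dated, today, last_audit):
            report[kind] = "fresh"
        elif report[kind] == "missing":
            report[kind] = "stale"
    return report

# Constructed sample register (item id, type, date): reviewed on 2024-06-10,
# previous surveillance audit dated 2023-11-20. No policy_review item on purpose.
SAMPLE_REGISTER = [
    ("EV-1", "access_review", date(2024, 4, 2)),        # current quarter (Q2)
    ("EV-2", "access_review", date(2024, 3, 28)),       # previous quarter
    ("EV-3", "training_record", date(2023, 6, 15)),     # just inside 12 months
    ("EV-4", "risk_assessment", date(2023, 5, 30)),     # older than 12 months
    ("EV-5", "vulnerability_scan", date(2024, 5, 29)),  # last month, not current
    ("EV-6", "vulnerability_scan", date(2024, 6, 3)),   # current month
    ("EV-7", "incident_record", date(2023, 10, 1)),     # predates the last audit
]
```

Running `freshness_report(SAMPLE_REGISTER, date(2024, 6, 10), date(2023, 11, 20))` flags the risk assessment and the incident records as stale and the policy review as missing, which is the list to chase in the "1 Month Before" step.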
Continuous Improvement
Required by ISO 27001
Clause 10.2 requires continual improvement:
"The organization shall continually improve the suitability, adequacy and effectiveness of the ISMS."
Sources of Improvement
| Source | Examples |
|---|---|
| Audit findings | Internal and external |
| Incident analysis | Lessons learned |
| Risk changes | New or changed risks |
| Performance data | Metrics and trends |
| Best practices | Industry developments |
| Feedback | From stakeholders |
Improvement Tracking
| Improvement ID | Source | Description | Status | Owner |
|---|---|---|---|---|
| IMP-2024-001 | Audit | Automate access reviews | In Progress | IT |
| IMP-2024-002 | Incident | Improve detection capability | Complete | Security |
| IMP-2024-003 | Metrics | Reduce vulnerability backlog | In Progress | DevOps |
Key Metrics to Monitor
Operational Metrics
| Metric | Target | Frequency |
|---|---|---|
| Access review completion | 100% | Quarterly |
| Training completion | 100% | Monthly |
| Vulnerability remediation SLA | >90% | Weekly |
| Incident response time | <4 hours | Per incident |
| Patching compliance | >95% | Monthly |
ISMS Health Metrics
| Metric | Target | Frequency |
|---|---|---|
| Open audit findings | 0 major | Monthly |
| Control effectiveness | >95% | Quarterly |
| Risk register currency | <30 days | Monthly |
| Policy review status | On schedule | Monthly |
| Evidence freshness | Current | Monthly |
Dashboard Example
ISMS Health Dashboard:
Overall Status: ✓ Healthy
| Metric | Status |
|---|---|
| Access Reviews | ✓ 100% |
| Training | ✓ 98% |
| Vulnerabilities | ✓ 94% SLA |
| Open Findings | ✓ 0 major |
| Risk Register | ✓ Current |
| Days to Audit | 45 |
| Evidence Status | ✓ Current |
| Policy Status | ✓ Current |
| Incidents (month to date) | 2 |
Recent Activity:
- Q2 access review completed (June 15)
- Security awareness training deployed (June 10)
- Risk register quarterly review (June 5)
Management Review
When to Conduct
- At least annually (more frequent reviews are recommended)
- After significant changes
- After major incidents
- Before certification audits
Required Inputs
| Input | Source |
|---|---|
| Previous review actions | Last management review |
| Internal/external issue changes | Context monitoring |
| ISMS performance feedback | Metrics, audits, incidents |
| Stakeholder feedback | Customers, regulators |
| Risk assessment results | Risk register |
| Improvement opportunities | Various sources |
Required Outputs
| Output | Action |
|---|---|
| Improvement decisions | What to improve |
| ISMS changes | What to modify |
| Resource needs | What's required |
Meeting Agenda Template
Management Review Meeting:
1. Review of Actions from Previous Meeting (10 min):
- Status of each action item
2. Changes Affecting ISMS (15 min):
- External changes (regulatory, threats)
- Internal changes (org, systems)
3. ISMS Performance Review (20 min):
- Metrics overview
- Audit results
- Incident summary
- Nonconformity status
4. Risk Assessment Status (15 min):
- Risk register updates
- New/changed risks
- Treatment effectiveness
5. Improvement Opportunities (15 min):
- Proposed improvements
- Resource requirements
6. Decisions and Actions (15 min):
- Approve improvements
- Allocate resources
- Assign action items
The Bastion Advantage for Maintenance
Continuous Compliance
Bastion makes maintenance effortless:
| Challenge | Bastion Solution |
|---|---|
| Evidence freshness | Automated continuous collection |
| Control monitoring | Real-time effectiveness tracking |
| Audit preparation | Always audit-ready |
| Documentation | Automatic version control |
| Reminders | Scheduled task notifications |
Ongoing Support
Your vCISO helps with:
- Quarterly ISMS reviews
- Audit preparation
- Incident guidance
- Continuous improvement
- Management review support
Cost of Maintenance
| Maintenance Aspect | Without Bastion | With Bastion |
|---|---|---|
| Annual effort | 300-500 hours | 100-200 hours |
| Surveillance prep | 40-80 hours | 10-20 hours |
| Evidence management | Manual | Automated |
| Expert support | Extra cost | Included |
Need help maintaining your ISO 27001 certification? Talk to our team →
