Year 4 and Beyond
ISO 27001 Recertification Audit: Costs, Timeline, and What Changes in Year 4
ISO 27001 certificates are valid for 3 years. Recertification is a full-scope re-audit that costs 60-80% of the original certification. Start planning 6-9 months before your certificate expires.
What Is Recertification?
Recertification is a full-scope re-audit of your ISMS conducted at the end of the 3-year certificate cycle. Unlike surveillance audits (which sample a subset of controls each year), recertification covers every clause of ISO 27001 (clauses 4-10) and every control marked applicable in your Statement of Applicability, and the auditor reviews ISMS performance over the whole cycle, including the previous surveillance reports.
The good news: recertification is typically shorter and cheaper than initial certification. The auditor already has context from surveillance audits, your team has audit experience, and there is no separate Stage 1 required unless significant changes have occurred.
A successful recertification results in a new 3-year certificate, restarting the surveillance cycle.
Recertification vs Initial Certification Cost
Recertification audit fees only (excludes preparation). Compare with initial certification to see the typical savings.
| Company Size | Initial Cert | Recertification | % of Initial |
|---|---|---|---|
| Micro (1-10) | $7,000 - $14,000 | $5,000 - $10,000 | 60-75% |
| Small (11-50) | $11,500 - $25,000 | $8,000 - $18,000 | 65-75% |
| Medium (51-250) | $18,000 - $43,000 | $12,000 - $32,000 | 65-80% |
| Large (251-1,000) | $29,500 - $64,500 | $22,000 - $50,000 | 70-80% |
| Enterprise (1,000+) | $44,000 - $87,000 | $32,000 - $65,000 | 70-80% |
When to Start Planning
Begin recertification planning 6-9 months before your certificate expiry date. This timeline accounts for CB scheduling (popular auditors book 6-12 weeks out), internal preparation, and any scope changes that need to be addressed.
A common mistake is treating recertification as a formality. While it is shorter than initial certification, organisations that do not prepare adequately face the same nonconformity risks. Internal audit and management review must be current, all surveillance findings must be closed, and any ISMS changes must be documented.
- 6-9 months before expiry: start planning
- 3-4 months before expiry: book the auditor
- 4-6 weeks before the audit: final preparation
What Triggers a Full Re-Audit at Recertification
If any of these apply, the recertification may require a Stage 1 component, increasing cost and duration to near-initial levels.
- Major changes to ISMS scope (new business units, products, or services added)
- Significant organisational restructuring (mergers, acquisitions, or demergers)
- New physical locations added since the last certification
- Transition to a new version of the standard (e.g. ISO 27001:2013 to 2022)
- Major nonconformities raised during surveillance audits
- New legal or regulatory requirements affecting information security
Switching Certification Body at Recertification
Recertification is the natural time to switch CBs if you want better pricing, different auditor expertise, or improved service. For accredited CBs the transfer is governed by IAF MD 2; the process is commonly called a "transfer audit" and works as follows:
- Request quotes from new CBs, specifying this is a transfer/recertification
- New CB reviews your existing certificate, surveillance reports, and any open nonconformities
- Transfer audit is conducted (scope similar to recertification, possibly with Stage 1 elements)
- If successful, new CB issues a fresh 3-year certificate
Transfer audit costs are typically comparable to standard recertification fees. The main additional cost is time: allow 2-4 extra weeks for the new CB to review your history. Two caveats: the transfer must be started while your current certificate is still valid and accredited (a suspended certificate cannot be transferred), and any open major nonconformity from the outgoing CB must be closed before the new CB will accept you.
Frequently Asked Questions
Is recertification easier than initial certification?
Generally yes. The auditor has context from previous surveillance audits, your team is experienced with the audit process, and the ISMS should be mature and well-documented. Recertification typically takes 60-80% of the time and cost of initial certification. However, if significant changes have occurred, it can approach the full initial audit scope.
Can you switch certification body at recertification?
Yes, and recertification is the most common time to switch. The new CB conducts a transfer audit that combines elements of recertification with their own assessment of your ISMS. The process typically adds 2-4 weeks compared to recertifying with your existing CB. Transfer audit costs are comparable to standard recertification fees.
What happens if your ISO 27001 certificate expires?
If the recertification audit is not completed before the certificate expiry date, the certificate lapses and you can no longer claim to be certified, which matters for customer contracts and questionnaires that require a valid certificate. ISO/IEC 17021-1 does give the CB a limited window: certification can be restored within 6 months of expiry if the outstanding recertification activities are completed, with the new expiry date still based on the original cycle. After that window at least a full Stage 2 audit is required, and in practice most CBs treat it as a new initial certification (Stage 1 + Stage 2), which is significantly more expensive than recertification. Start planning 6-9 months before expiry.