Ongoing Costs
# ISO 27001 Surveillance Audit Costs: What to Budget for Years 2 and 3
Certification is not a one-time cost. Annual surveillance audits are mandatory to maintain your certificate. Budget $2,000 - $40,000 per year depending on company size, plus ongoing internal ISMS maintenance.
## What Is a Surveillance Audit?
A surveillance audit is a shorter, focused audit conducted annually to verify that your ISMS continues to operate effectively after initial certification. It is not a full re-audit. Instead, the auditor samples a subset of controls and focuses on changes since the last audit.
Surveillance audits are typically 30-40% of the initial certification audit in duration and cost. They cover approximately 30-50% of your Annex A controls each year, with the selection based on risk, previous findings, and organisational changes.
Over the two surveillance audits (Year 2 and Year 3), the auditor aims to cover all Annex A controls at least once. This ensures complete coverage across the 3-year cycle without repeating the full certification audit annually.
## Surveillance Audit Cost by Company Size

Annual surveillance cost. Budget this for both Year 2 and Year 3 of the certification cycle.
| Company Size | Auditor Days | Annual Cost |
|---|---|---|
| Micro (1-10) | 1 | $2,000 - $4,000 |
| Small (11-50) | 1 - 1.5 | $3,000 - $6,000 |
| Medium (51-250) | 1.5 - 3 | $6,000 - $15,000 |
| Large (251-1,000) | 3 - 5 | $10,000 - $25,000 |
| Enterprise (1,000+) | 4 - 8 | $15,000 - $40,000 |
## What Surveillance Auditors Check

- **Changes to the organisation.** New offices, restructuring, M&A activity, new products, changes to scope, leadership changes. The auditor assesses whether these affect the ISMS.
- **Previous nonconformity closure.** Verification that corrective actions from the last audit have been implemented and are effective. Evidence must be documented and available.
- **Internal audit evidence.** Records of internal audits conducted since the last external audit. Coverage, findings, and corrective actions are reviewed.
- **Management review records.** Minutes from management reviews covering ISMS performance, incident trends, resource adequacy, and improvement decisions.
- **Incident log.** Record of security incidents since the last audit, including how they were detected, responded to and documented, and what was learned.
- **Continual improvement evidence.** Evidence that the ISMS is improving: policy updates, additional training, new controls, process refinements, risk register updates.
## The 3-Year Certificate Cycle

- **Year 1: Certification Audit.** Stage 1 + Stage 2. Full ISMS assessment. Certificate issued. Largest cost year.
- **Year 2: Surveillance Audit 1.** Subset of controls sampled. Changes reviewed. Previous findings verified. 30-40% of Year 1 cost.
- **Year 3: Surveillance Audit 2.** Remaining controls sampled. Preparation for recertification begins. Similar cost to Year 2.

After Year 3, a recertification audit renews the certificate for another 3-year cycle.
## How to Reduce Surveillance Audit Cost

- **Continuous evidence collection.** Maintain evidence year-round rather than scrambling before the audit. GRC platforms automate this. The less time the auditor spends requesting and waiting for evidence, the fewer days the audit takes.
- **Request the remote audit option.** Remote surveillance audits are 15-25% cheaper. Most certification bodies (CBs) allow fully remote surveillance if the initial audit included on-site elements.
- **Negotiate multi-year pricing.** Lock in 3-year pricing at contract signing. Many CBs offer a 10-15% discount on surveillance when bundled with the initial certification.
- **Keep records tidy.** Organised evidence reduces audit time. A well-structured GRC platform or shared drive means the auditor can self-serve rather than waiting for you to find documents.
- **Proactive change management.** Document all ISMS-relevant changes as they happen. If the auditor discovers undocumented changes, it triggers deeper investigation and additional audit time.
## Consequences of Failing a Surveillance Audit

- **Minor nonconformity.** 30-90 day corrective action window. Submit evidence; no re-audit. Most common outcome for surveillance findings.
- **Major nonconformity.** Certificate suspension possible. Corrective action plus partial re-audit required. Additional fees of $2,000-$8,000.
- **Certificate withdrawal.** Rare but possible if major nonconformities (NCs) are not resolved within the suspension period. Full recertification required from scratch.
## Frequently Asked Questions

**How often are ISO 27001 surveillance audits?**

Surveillance audits are conducted annually, typically at approximately 12-month intervals from the initial certification date. Most certification bodies schedule them 10-12 months apart. Two surveillance audits are required during the 3-year certificate cycle (Year 2 and Year 3), after which a full recertification audit is needed.

**Can you skip a surveillance audit?**

No. Skipping a surveillance audit will result in certificate suspension within 3-6 months. If the surveillance audit is not completed within the suspension period, the certificate is withdrawn entirely and you would need to undergo the full certification process again. There is no grace period once the audit window passes.

**What happens if your ISO 27001 certificate is suspended?**

Certificate suspension means you cannot claim ISO 27001 certification. The CB updates public registers to show 'suspended' status. You typically have 6 months to resolve the issue (complete the overdue audit, close major nonconformities). If not resolved within the suspension period, the certificate is withdrawn and you must restart certification from scratch.