ISO/IEC 27001: Planning a Clean Recertification

Your three-year ISO/IEC 27001 certification cycle is closing, and recertification looms. The good news: if you have genuinely operated your information security management system (ISMS) rather than performing it once for the certificate, recertification is a confirmation exercise rather than a scramble. The bad news: most organisations treat the ISMS as dormant between surveillance visits, and the gap shows.

What auditors actually check

An auditor is testing whether your ISMS is alive — operated, monitored, and improved — not just whether documents exist. The artefacts they reliably open are:

• The Statement of Applicability, cross-checked against your actual controls. Auditors look hard at any Annex A control marked as excluded and the justification for it.
• Risk assessment and treatment records, with evidence they have been reviewed recently rather than copied forward unchanged.
• Internal audit results and management reviews — proof the organisation inspects itself and that leadership engages.
• Corrective actions from prior findings, with evidence they were actually closed.
• Records of the controls working — access reviews, incident logs, training completion, supplier assessments.

Where organisations lose time

The pattern is predictable. The ISMS goes quiet after certification, then activity spikes in the weeks before the audit. Risk assessments are dusted off and back-dated in spirit. Internal audits that should have run throughout the year are crammed in. The management review is held the week before the auditor arrives. Auditors recognise this rhythm immediately — a flurry of recent dates against a year of silence is itself a finding.

A clean recertification is decided in the eleven months between audits, not the one month before. The documents are easy; the evidence of continuous operation is what you cannot fabricate at the last minute.

How to plan it properly

Treat the cycle as continuous. Schedule internal audits across the year, not in a single block. Hold management reviews on a regular cadence with real attendance and recorded decisions. Keep the risk register a living document tied to actual changes in the business. Close corrective actions promptly and keep the evidence.

If you are already behind, be honest with yourself about scope. It is better to present a smaller, genuinely operated ISMS than a broad one with thin evidence. Prioritise the artefacts above, focus your remaining time on demonstrating that controls actually run, and resist the urge to generate paperwork that an experienced auditor will read straight through. The certificate follows a working system — not the other way around.