ISO 27001 annual obligations: the complete checklist for surveillance audit readiness

by SecureSlate Team in ISO 27001


ISO/IEC 27001 certification is a milestone—but it is not the finish line. Between surveillance audits, your Information Security Management System (ISMS) must keep running: risks get reassessed, access gets reviewed, leadership signs off, and evidence accumulates across the year.

If you are responsible for ISO 27001 annual obligations, this guide translates certification maintenance into a practical checklist you can schedule, assign, and defend in audit.

This guide covers:

  • The 13 activities auditors commonly expect to see on a rolling 12-month basis
  • Who typically owns each obligation and what evidence to retain
  • A quarterly calendar to spread work (and timestamps) across the year
  • Why a last-minute “audit sprint” is a red flag—and how to avoid it

Key takeaways

  • Certification is maintained through surveillance, not a one-time project. Annual (and sometimes more frequent) external audits check that your ISMS still operates effectively.
  • ISO 27001 annual obligations map to Clauses 4–10 and Annex A controls—internal audit, management review, risk treatment, and continual improvement are not optional “nice to haves.”
  • Timing matters: your internal audit should typically be completed before your external surveillance audit so findings can be closed or tracked with a plan.
  • Management review must involve senior leadership, not only the security team. Minutes, decisions, and resource commitments should be documented and signed off.
  • Auditors look for continuous operation: dated records spread across the year beat a folder of evidence created in the month before surveillance.

Why ISO 27001 annual obligations matter after certification

After your initial certification audit, certification bodies commonly conduct surveillance audits in years one and two of the three-year certificate cycle, then a recertification audit in year three. Surveillance is usually narrower than the original certification audit—but the bar for “operating effectively” does not drop.

ISO 27001 is built on the Plan-Do-Check-Act cycle. Annual obligations are how you check and act:

Theme | ISO 27001 expectation (simplified) | Typical annual activity
Check | Monitor, measure, audit, evaluate | Internal audit, KPI review, vulnerability scans
Act | Correct, improve, update | Corrective actions, risk/SoA updates, management review decisions
Leadership | Accountability and resources | Management review sign-off, policy re-approval
People & access | Competence and least privilege | Training records, access reviews
Third parties & resilience | Extended enterprise risk | Supplier reviews, backup/DR tests

Teams that treat ISO 27001 as “documentation we finished at certification” often discover gaps at surveillance: stale risk registers, policies without current approval dates, or training completions that cannot be tied to individuals.

For a broader view of the certification journey (Stage 1, Stage 2, and maintenance), see preparing for an ISO 27001 audit.


The 13 ISO 27001 annual obligations (checklist)

Use this section as your master checklist. For each item, aim for dated records, a named owner, and approval where the standard expects leadership involvement.

# | Obligation | Typical owner | Must complete before surveillance?
1 | Internal audit | ISMS / internal audit lead | Yes, before the external audit
2 | Management review | Executive sponsor + ISMS owner | Yes, normally after the internal audit
3 | Risk assessment update | Risk owner / Security | Yes, within the past 12 months
4 | SoA review | ISMS owner | Yes, re-approved with a date
5 | Policy reviews | Policy owners + leadership | Yes, all in-scope policies
6 | Security awareness training | HR / Security | Yes, records for all staff
7 | Access reviews | IT / Engineering managers | Yes, documented review
8 | Vulnerability management | Security / Platform | Ongoing, plus an annual summary
9 | Supplier reviews | Procurement / Security | Yes, for critical suppliers
10 | BC/DR testing | IT / Operations | Yes, a test, not just backups
11 | Incident log | Security / IT | Ongoing
12 | Objectives / KPIs | ISMS owner + leadership | Reported at management review
13 | Corrective actions | Control owners | Close or track open items

Below is what “good” typically looks like for each obligation—and what auditors commonly sample.

1. Internal audit

Conduct a full internal audit of your ISMS covering Clauses 4–10 (context, leadership, planning, support, operation, performance evaluation, improvement).

Practical requirements:

  • Cover all applicable Annex A controls over your defined audit cycle (you do not always need every control in one pass, but your program should show complete coverage across the cycle).
  • Produce a written report with findings classified (major/minor/observation—or your defined taxonomy).
  • Track findings through corrective action with owners and due dates.

Critical sequencing: complete the internal audit before your external surveillance audit. External auditors will expect to see internal audit results—and how leadership responded—reflected in management review.

For depth on scope and evidence, see ISO 27001 internal audit requirements.

Evidence to retain: audit plan, audit checklist or program, interview notes, findings report, corrective action log.

2. Management review

Hold a formal management review documented with minutes (not a slide deck alone). Topics auditors commonly expect to see addressed include:

  • Results of the internal audit (and status of prior audit actions)
  • Risk assessment outcomes and changes
  • Security incidents from the past year (including trends)
  • Performance against security objectives / KPIs
  • Changes in internal and external context (new products, regulations, major vendors)
  • Resource needs (budget, headcount, tooling)
  • Continual improvement opportunities

Sign-off: minutes should reflect senior leadership approval, not only the security or IT team. The approver may be the CEO, the COO, the executive the CISO reports to, or a delegated executive with documented authority.

Evidence to retain: agenda, minutes, decisions, action items, attendance/approval record.

3. Risk assessment

Review and update your risk register at least annually (and when significant change occurs).

  • Re-assess existing risks for changes in likelihood and impact
  • Add risks from new systems, threats, or organizational change (M&A, new regions, major vendor swaps)
  • Update the risk treatment plan and link treatments to controls in your SoA where applicable
  • Date the assessment—auditors commonly verify activity within the past 12 months

Evidence to retain: dated risk register, methodology reference, treatment decisions, approval trail.

See also: ISO 27001 risk assessment guide.

4. Statement of Applicability (SoA) review

Your Statement of Applicability is the map between Annex A and your ISMS.

Annually (or when scope changes):

  • Confirm all 93 Annex A controls (ISO 27001:2022) are marked applicable or not applicable with justification
  • Update justifications when your environment changes (e.g., you adopted a new IdP, retired on-prem systems, or added a data processor)
  • Re-approve with signature and date (electronic approval is fine if your governance allows)

Evidence to retain: current SoA version, change log, approver and approval date.

Guide: How to write an ISO 27001 SoA.

5. Policy reviews

Review every in-scope policy annually—even if the content did not change. Policies should be re-dated and re-approved.

Policies auditors frequently sample:

Policy | Why it matters in audit
Information Security Policy | Sets ISMS direction; leadership commitment
Acceptable Use Policy | Workforce conduct and asset use
Access Control Policy | Joiner/mover/leaver and privilege model
Incident Management Policy | Detection, reporting, escalation
Data Classification Policy | Handling rules for sensitive data
Supplier Security Policy | Third-party expectations
Business Continuity / DR Policy | Recovery objectives and roles

Evidence to retain: version history, review date, approver, communication or acknowledgment where required.

6. Security awareness training

  • All staff complete security awareness training on a defined cadence (commonly annual)
  • New joiners complete training during onboarding before full access to sensitive systems
  • Maintain completion records (LMS export, signed attestations, HR integration)
  • Refresh content year over year so training is not a copy-paste of last year’s module

Evidence to retain: training content version, roster, completion timestamps, exceptions and remediation.

7. Access reviews

Review user access rights across critical systems: who has access to what, and whether it is still required.

  • Remove stale accounts, ex-employees, and excessive privileges
  • Apply extra scrutiny to privileged / admin access
  • Document the review: date, systems in scope, reviewer, and approver

Evidence to retain: review ticket or report, before/after snapshots, sign-off, remediation for excessive access.

Related: ISO 27001 access control policy checklist.
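The reconciliation step above (who has access, whether HR still says they should, whether the account is dormant, and which accounts carry admin rights) is the part of an access review that is easiest to automate and easiest to get wrong when done by eye. The following is an added example, not SecureSlate's code or any product feature: it compares a constructed system account export against a constructed HR roster and produces the dated, reviewer-attributed record an auditor samples. Field names, the 90-day dormancy threshold and the sample data are assumptions; substitute your own IdP and HR exports.

```python
"""Access review reconciliation: system account export vs. HR roster.

Added example, not SecureSlate's code. The export/roster field names, the
90-day dormancy threshold and the sample data are assumptions; swap in your
own IdP and HR exports.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

DORMANT_DAYS = 90  # assumption: no login for this long counts as stale

# Constructed HR roster: the authoritative list of who should have access.
HR_ROSTER = {
    "alice": {"status": "active",     "manager": "dana"},
    "bob":   {"status": "terminated", "manager": "dana"},
    "carol": {"status": "active",     "manager": "erin"},
}

# Constructed account export from one in-scope system (e.g. an IdP report).
ACCOUNT_EXPORT = [
    {"user": "alice",      "enabled": True,  "privileged": False, "last_login": "2025-05-20"},
    {"user": "bob",        "enabled": True,  "privileged": True,  "last_login": "2025-03-10"},
    {"user": "carol",      "enabled": True,  "privileged": False, "last_login": "2024-12-15"},
    {"user": "svc-deploy", "enabled": True,  "privileged": True,  "last_login": "2025-05-28"},
    {"user": "frank",      "enabled": False, "privileged": True,  "last_login": "2024-01-05"},
]


@dataclass
class ReviewRecord:
    """The dated artifact an auditor samples: system, date, reviewer, findings."""
    system: str
    review_date: str
    reviewer: str
    approver: str = ""                              # filled in at sign-off
    findings: list = field(default_factory=list)    # (user, code, action)

    def as_text(self) -> str:
        lines = [f"Access review: {self.system} on {self.review_date}",
                 f"Reviewer: {self.reviewer}  Approver: {self.approver or 'PENDING'}"]
        lines += [f"  {u:12} {code:22} {action}" for u, code, action in self.findings]
        return "\n".join(lines)


def review_access(system, accounts, roster, review_date, reviewer,
                  dormant_days=DORMANT_DAYS) -> ReviewRecord:
    """Reconcile enabled accounts against HR and flag what the review must act on."""
    rec = ReviewRecord(system=system, review_date=review_date, reviewer=reviewer)
    cutoff = date.fromisoformat(review_date) - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are already out of the privilege model
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            rec.findings.append((user, "NOT_IN_HR",
                                 "no HR record; assign a named owner or disable"))
        elif person["status"] != "active":
            rec.findings.append((user, "LEAVER_STILL_ENABLED",
                                 f"HR status '{person['status']}'; disable now"))
        if date.fromisoformat(acct["last_login"]) < cutoff:
            rec.findings.append((user, "DORMANT",
                                 f"no login since {acct['last_login']}; confirm need or disable"))
        if acct["privileged"]:
            rec.findings.append((user, "PRIVILEGED",
                                 "admin rights; requires explicit approver sign-off"))
    return rec


def finding_codes(rec: ReviewRecord) -> dict:
    """Map user -> sorted finding codes, handy for raising tickets and for tests."""
    out = {}
    for user, code, _ in rec.findings:
        out.setdefault(user, []).append(code)
    return {u: sorted(c) for u, c in out.items()}


if __name__ == "__main__":
    record = review_access("prod-idp", ACCOUNT_EXPORT, HR_ROSTER, "2025-06-01", "dana")
    record.approver = "erin"   # separate approver: the reviewer should not self-approve
    print(record.as_text())
```

Run it per in-scope system and attach the printed record (or its ticket) as the review artifact; the before/after snapshot the text asks for is the export plus the same export re-run after removals. Keeping the approver separate from the reviewer is deliberate: auditors ask who approved removals of privileged access, and a self-approved review is a weak answer.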

8. Vulnerability management

Vulnerability management runs continuously; at surveillance, auditors sample the year's records to test whether that discipline actually held:

  • Run vulnerability scans on a defined schedule throughout the year
  • Remediate critical findings within your documented SLA
  • Keep records of scans, findings, and remediation (including risk acceptance where applicable)

Penetration testing: ISO 27001 does not mandate an annual penetration test. Annex A control 8.8 (management of technical vulnerabilities) requires you to obtain information about vulnerabilities and act on it, and most organizations meet that with scheduled scanning plus periodic independent testing; auditors commonly expect to see a test for internet-facing services or in mature programs. If you conduct a pen test, ensure findings enter your risk and corrective action process.

Evidence to retain: scan reports, ticketing history, SLA metrics, pen test summary and remediation.

9. Supplier and third-party reviews

For key suppliers (especially those processing or hosting your data):

  • Review security posture annually (questionnaires, SOC reports, certifications, or reassessment)
  • Confirm contracts still include appropriate security clauses and breach notification terms
  • Assess new suppliers before onboarding—not only at renewal

Evidence to retain: vendor inventory tiering, review dates, assessment artifacts, contract excerpts or clause mapping.

10. Business continuity and DR testing

Backups alone are not proof of recoverability.

  • Restore from backup (tested recovery, not just backup job success)
  • Run a DR/BCP exercise (full test or tabletop) with defined scenarios
  • Document results, gaps, and plan updates

Evidence to retain: test plan, results, participants, issues raised, updated BCP/DR documentation.

11. Incident log maintenance

Maintain an incident register throughout the year—including minor events and near-misses.

  • Log detection time, impact, containment, and resolution
  • Ensure root cause and corrective action are documented
  • Review trends at management review (repeat issues are a common auditor focus)

Evidence to retain: incident tickets, post-incident reviews, metrics, linkage to corrective actions.

12. Objectives and performance measurement

Track the security objectives and KPIs defined for your ISMS—for example:

  • Mean time to remediate critical vulnerabilities
  • Training completion rate
  • Percentage of systems covered by access reviews
  • Incident volume or severity trends

Report results at management review and set new or updated objectives for the coming year.

Evidence to retain: KPI definitions, dashboards or reports, management review discussion of performance.
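The two KPIs above that auditors push hardest on, mean time to remediate critical vulnerabilities and remediation within SLA (obligation 8), are easy to report wrongly: a plain average of closed tickets hides open tickets that are already overdue, and a risk-accepted finding is neither a remediation nor a breach. The following is an added example, not SecureSlate's code or any product feature, that computes both figures from a constructed ticket export as of a reporting date. The SLA targets, ticket fields and sample tickets are assumptions.

```python
"""Vulnerability SLA and MTTR reporting from a ticket export.

Added example, not SecureSlate's code. SLA targets, ticket fields and the
sample tickets are assumptions; feed it your scanner/ticketing export.
"""
from collections import defaultdict
from datetime import date, timedelta

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}  # assumed remediation SLAs

# Constructed ticket export. status: remediated | open | risk_accepted
TICKETS = [
    {"id": "V-101", "severity": "critical", "opened": "2025-01-10", "closed": "2025-01-14", "status": "remediated"},
    {"id": "V-102", "severity": "critical", "opened": "2025-02-01", "closed": "2025-02-15", "status": "remediated"},
    {"id": "V-103", "severity": "critical", "opened": "2025-05-20", "closed": None,         "status": "open"},
    {"id": "V-104", "severity": "high",     "opened": "2025-03-01", "closed": "2025-03-20", "status": "remediated"},
    {"id": "V-105", "severity": "high",     "opened": "2025-04-01", "closed": "2025-05-10", "status": "remediated"},
    {"id": "V-106", "severity": "medium",   "opened": "2025-03-03", "closed": "2025-03-10", "status": "risk_accepted"},
]


def sla_report(tickets, as_of, sla_days=SLA_DAYS):
    """Per-severity MTTR and SLA compliance as of a reporting date (ISO string).

    Two things a naive average misses: an *open* ticket already past its due
    date is an SLA breach today, and a risk-accepted finding is neither a
    remediation nor a breach, so it is excluded from both MTTR and compliance.
    """
    as_of_d = date.fromisoformat(as_of)
    buckets = defaultdict(lambda: {"total": 0, "remediated": 0, "open": 0,
                                   "risk_accepted": 0, "breaches": 0, "_days": []})
    for t in tickets:
        b = buckets[t["severity"]]
        opened = date.fromisoformat(t["opened"])
        due = opened + timedelta(days=sla_days[t["severity"]])
        b["total"] += 1
        if t["status"] == "risk_accepted":
            b["risk_accepted"] += 1          # must be traceable to the risk register
            continue
        if t["closed"] is None:
            b["open"] += 1
            if as_of_d > due:
                b["breaches"] += 1           # overdue and still open: a breach today
        else:
            closed = date.fromisoformat(t["closed"])
            b["remediated"] += 1
            b["_days"].append((closed - opened).days)
            if closed > due:
                b["breaches"] += 1           # closed, but late
    report = {}
    for sev, b in buckets.items():
        days = b.pop("_days")
        measured = b["total"] - b["risk_accepted"]
        b["mttr_days"] = round(sum(days) / len(days), 1) if days else None
        b["sla_compliance_pct"] = (round(100 * (measured - b["breaches"]) / measured, 1)
                                   if measured else None)
        report[sev] = b
    return report


if __name__ == "__main__":
    for sev, row in sla_report(TICKETS, "2025-06-01").items():
        print(sev, row)
```

Run it on the same export each month and keep the outputs; a series of dated reports is the "dashboards or reports" evidence, and the risk-accepted count is the cross-check that accepted findings really do appear in the risk register.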

13. Corrective actions

Any nonconformity—from internal audit, external audit, incidents, or reviews—should be formally logged.

  • Perform root cause analysis (proportionate to severity)
  • Implement corrective actions with owners and due dates
  • Close with evidence; avoid a backlog of open items at surveillance

Evidence to retain: corrective action register, RCA notes, closure proof, verification steps.


Who owns what (and what auditors typically ask for)

Clear ownership prevents annual obligations from collapsing onto one overloaded security lead.

Obligation | Common accountable role | Auditors often ask
Internal audit | ISMS manager / internal auditor | Were Clauses 4–10 covered? Were Annex A controls in scope per your cycle?
Management review | Executive sponsor | Did leadership review audit results, risks, and incidents?
Risk / SoA | Risk owner / ISMS owner | Is the risk register dated within 12 months? Does the SoA match reality?
Policies | Policy owners | Are approval dates current for all in-scope policies?
Training | HR + Security | Can you prove 100% workforce completion (with exceptions handled)?
Access reviews | System owners + IT | Who approved removals of privileged access?
Vuln / pen test | Security / Engineering | Show scan cadence and critical remediation within SLA
Vendors | Procurement + Security | How do you tier vendors and review critical ones annually?
BC/DR | IT / Operations | Show a restore test, not only backup logs
Corrective actions | Control owners | Any open major findings without a plan?

Quarterly calendar for ISO 27001 maintenance

Spreading work across quarters helps you demonstrate continuous operation and avoids a single “evidence month” before surveillance.

Quarter | Key activities
Q1 | Access reviews; vulnerability scan cycle; begin policy reviews
Q2 | Supplier reviews; DR/BCP test or tabletop; awareness training cycle
Q3 | Internal audit; risk assessment update
Q4 | Management review; SoA review and re-approval; close open corrective actions; surveillance prep

Adjust dates to your certificate anniversary and your auditor's schedule. The internal audit should land one to two quarters before the surveillance visit, with management review between the two, so findings can be closed or given a documented plan before the external auditor arrives. If surveillance falls early in the year, pull the internal audit and management review forward into the preceding quarters.


The core rule—evidence of continuous operation

Auditors are looking for evidence of continuous operation—not a burst of activity in the weeks before the audit.

Practical signals that your program is healthy:

  • Training completions and access reviews occur on a recurring schedule
  • Vulnerability scans and incident logs show activity throughout the year
  • Risk and SoA versions have incremental updates when change happens—not only an annual rewrite
  • Management review minutes reference real incidents and metrics, not generic boilerplate

Red flag: if all evidence timestamps cluster in the 30 days before surveillance, auditors may question whether controls operated effectively during the rest of the cycle—even if every document is technically present.

Build habits that produce proof as you work: tickets for access reviews, dated exports from your LMS, versioned policies, and a single corrective action register referenced by internal audit and management review.
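The clustering red flag above is something you can measure before the auditor does. The following is an added example, not SecureSlate's code or any product feature: given a constructed inventory of evidence artifacts with their dates, it reports how the dates spread by quarter, the share that falls in the pre-audit window, and which controls have all of their evidence inside that window. The artifact list, the 30-day window and the flagging rules are assumptions; build the list from your GRC tool, ticket system or evidence folder metadata.

```python
"""Evidence-timestamp clustering check for surveillance readiness.

Added example, not SecureSlate's code. The artifact list, the 30-day window
and the flagging rules are assumptions; build the list from your GRC tool,
ticketing system or evidence folder metadata.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed evidence inventory: (control, artifact, ISO date).
EVIDENCE = [
    ("access_review", "Q1 review ticket",   "2025-01-20"),
    ("access_review", "Q2 review ticket",   "2025-04-18"),
    ("access_review", "Q3 review ticket",   "2025-07-21"),
    ("access_review", "Q4 review ticket",   "2025-10-20"),
    ("vuln_scan",     "Feb scan report",    "2025-02-05"),
    ("vuln_scan",     "May scan report",    "2025-05-06"),
    ("vuln_scan",     "Aug scan report",    "2025-08-04"),
    ("vuln_scan",     "Nov scan report",    "2025-11-03"),
    ("policy_review", "InfoSec policy v3",  "2025-10-28"),
    ("policy_review", "AUP v3",             "2025-10-29"),
    ("policy_review", "Access policy v3",   "2025-11-02"),
    ("policy_review", "Incident policy v3", "2025-11-04"),
    ("training",      "LMS export",         "2025-06-10"),
]


def _quarter(d: date) -> str:
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def clustering_check(evidence, audit_date, window_days=30, max_window_share=50.0):
    """Summarise how evidence dates spread over the year before `audit_date`.

    Flags a control when every artifact for it falls inside the pre-audit
    window (the classic "audit sprint"), and the programme as a whole when
    more than `max_window_share` percent of all artifacts do.
    """
    audit = date.fromisoformat(audit_date)
    window_start = audit - timedelta(days=window_days)
    by_quarter = Counter()
    per_control = {}
    in_window_total = 0
    for control, _artifact, iso in evidence:
        d = date.fromisoformat(iso)
        if d > audit:
            continue  # ignore anything dated after the audit (clock or data error)
        by_quarter[_quarter(d)] += 1
        c = per_control.setdefault(control, {"total": 0, "in_window": 0, "first": d, "last": d})
        c["total"] += 1
        c["first"], c["last"] = min(c["first"], d), max(c["last"], d)
        if d >= window_start:
            c["in_window"] += 1
            in_window_total += 1
    total = sum(by_quarter.values())
    flagged = sorted(k for k, c in per_control.items() if c["in_window"] == c["total"])
    for c in per_control.values():
        c["span_days"] = (c["last"] - c["first"]).days   # how long the control has been "alive"
        c["first"], c["last"] = c["first"].isoformat(), c["last"].isoformat()
    share = round(100 * in_window_total / total, 1) if total else 0.0
    return {
        "window_share_pct": share,
        "programme_flag": share > max_window_share,
        "flagged_controls": flagged,
        "by_quarter": dict(sorted(by_quarter.items())),
        "by_control": per_control,
    }


if __name__ == "__main__":
    result = clustering_check(EVIDENCE, "2025-11-15")
    print(f"{result['window_share_pct']}% of evidence is dated in the last 30 days")
    print("controls with all evidence inside the window:", result["flagged_controls"])
    print("by quarter:", result["by_quarter"])
```

In the constructed data the access reviews and scans are spread across the year while every policy approval is dated in the two weeks before the audit, which is exactly the pattern the text warns about: the policies exist, but the record suggests they were re-approved in a sprint rather than reviewed on schedule. The `span_days` figure per control is the quickest way to show an auditor that a control has been operating since the last visit rather than since last month.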


Keep ISO 27001 obligations on track with SecureSlate

SecureSlate helps teams run ISO 27001 as an operating program—not an annual scramble.

Teams typically use SecureSlate to:

  • Map controls → owners → evidence so surveillance sampling is fast

  • Track policies, risks, vendors, and corrective actions in one place

  • Schedule recurring reviews (access, suppliers, training) with reminders and audit trails

  • Stay ready for surveillance audits with evidence freshness and clear ownership

  • Request a demo: Talk to SecureSlate

  • Get started for free: Create your SecureSlate account


FAQ

What are ISO 27001 annual obligations?

They are the recurring activities required to maintain an effective ISMS between certification audits—commonly including internal audit, management review, risk assessment updates, SoA and policy reviews, training, access reviews, vendor oversight, and corrective action management. Surveillance audits verify these activities produced dated evidence over the certification cycle.

How often are ISO 27001 surveillance audits?

Certificates are typically valid for three years, with surveillance audits commonly scheduled in years one and two, and recertification in year three. Your certification body’s schedule may vary; confirm dates at engagement.

Must the internal audit happen before the surveillance audit?

The standard does not fix the order, but in practice yes: auditors expect the internal audit results, the management review that considered them, and the resulting corrective actions to exist before they assess the same period.

Do policies need to change every year?

Not necessarily—but they should be reviewed, re-dated, and re-approved annually even if content is unchanged. Stale approval dates are a frequent surveillance finding.

Is an annual penetration test required for ISO 27001?

ISO 27001 does not mandate penetration testing. Annex A control 8.8 requires that technical vulnerabilities be identified and addressed, and how you do that is a risk-based decision; many auditors nonetheless expect periodic independent testing for internet-facing systems when your risk assessment or SoA treats testing as a control. Document the decision in your risk treatment plan and SoA.

What happens if we miss an annual obligation?

You may receive a nonconformity or observation at surveillance, depending on severity and whether the gap affects control effectiveness. Document remediation in your corrective action process and demonstrate catch-up with dated evidence—not only a plan to fix it later.


Disclaimer (legal note)

SecureSlate is not a law firm, and this article is for informational purposes only. It does not constitute legal, audit, or certification advice. Requirements may vary by certification body, scope, and applicable regulations. For guidance specific to your organization, consult qualified legal and compliance professionals and your chosen certification body.


Filed under: ISO 27001

Author: SecureSlate Team
