Surveillance audits
1. Does the external auditor have to do complete surveillance for all controls in the SOA the same as the first year of certification?
2. How long does it take to complete the surveillance audit with regard to the initial certification audit duration?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1. Does the external auditor have to do complete surveillance for all controls in the SOA the same as the first year of certification?
Only during certification audits, all controls in the SoA must be audited. During each surveillance audit, the auditor can cover only part of the controls, provided that all controls are audited during the certification cycle (e.g., if you have 3 surveillance audits between certification audits, all controls must be audited at least once in these three audits).
This article will provide you further explanation about surveillance audits:
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
2. How long does it take to complete the surveillance audit with regard to the initial certification audit duration?
The total days to complete a surveillance audit will depend on the defined ISMS scope (e.g., number of locations, number of employees, etc.), so without detailed information, we cannot provide a precise answer for your case.
As a general example, we can say that if the certification audit took 5 days to be performed, the surveillance audits will take between 2 to 3 days.
Comment as guest or Sign in
Dec 17, 2019