Planting the flag

Download as pdf: Surveillance cycle, recertification, PDCA, 19pp

ISO 27001 flag

You have reached the summit. The climb was long, demanding, and required careful preparation: risk assessments, control selection, documentation, internal audits, and external verification. Planting your flag is both a symbol of achievement and a checkpoint for ongoing vigilance.

The flag represents that your ISMS is operational, certified, and aligned with your organisation’s objectives. But reaching the summit is not the end of the journey. It is the beginning of a new phase where maintaining your position requires constant attention and adaptation.

The certificate as proof

The flag itself is your ISO 27001 certificate, tangible evidence that your ISMS works and meets international standards.

What the certificate represents

Official recognition: An accredited certification body has independently verified that your ISMS meets all ISO 27001:2022 requirements. This is not self-assessment. It is third-party validation.

Proof of process: Your policies, procedures, risk assessments, and controls are documented, implemented, and functioning effectively. You can demonstrate this with evidence.

Operational readiness: Your staff understands their roles, knows where to find procedures, and can respond appropriately to security incidents and risks.

Commitment to improvement: You’ve established processes for monitoring, measuring, and continuously improving your information security posture.

Risk management maturity: You’ve identified your information security risks, assessed them systematically, and implemented appropriate treatments aligned with business objectives.

Think of this as the summit photo: it’s evidence that you followed the correct route, carried the right equipment, and reached the top safely. More importantly, it proves you can stay there.

What the certificate means for your organisation

Business value:

  • Competitive advantage: Demonstrates security commitment to customers, partners, and regulators

  • Market access: Many contracts require ISO 27001 certification as a prerequisite

  • Insurance benefits: May reduce cyber insurance premiums or improve coverage terms

  • Due diligence: Simplifies security questionnaires and vendor assessments

  • Regulatory alignment: Supports compliance with GDPR, NIS2, and sector-specific regulations

Operational value:

  • Structured approach: Systematic risk management rather than reactive firefighting

  • Clear accountability: Defined roles and responsibilities for information security

  • Improved resilience: Better prepared for incidents and faster recovery

  • Cultural shift: Security awareness embedded across the organisation

  • Evidence base: Documentation supporting decisions and demonstrating due care

Strategic value:

  • Trust building: External validation of security practices

  • Brand protection: Reduced risk of reputation-damaging breaches

  • Investment justification: Clearer business case for security spending

  • Continuous improvement: Framework for ongoing security enhancement

Example: Certificate in action

The certification body confirms that:

  • Mobile device management is implemented with 100% device enrolment and encryption

  • Backups are tested quarterly with documented restoration procedures and success records

  • Access controls include MFA for remote access, quarterly access reviews completed on schedule

  • Risk assessments are current (last updated 15 September 2025) and cover all systems in scope

  • Internal audits conducted in Q1, Q2, Q3, and Q4 2025 with findings tracked to closure

  • Management reviews held quarterly with documented decisions and resource allocation

  • Security awareness training delivered with 98% completion rate

  • Incident response tested through tabletop exercise (28 October 2025)

Your team is trained, procedures are followed, and evidence exists to prove it all.

Maintaining camp: The surveillance cycle

The mountain doesn’t wait. Storms (emerging threats) will come, equipment degrades (controls lose effectiveness), personnel change (creating knowledge gaps), and processes may drift (documented and actual practice diverge).

The certificate is valid for three years, but you’ll face annual surveillance audits to verify continued conformance. Maintaining certification requires ongoing effort. This is where many organisations struggle.

What surveillance audits involve

Annual verification: The certification body returns at approximately 12 and 24 months after initial certification to verify:

  • ISMS continues operating effectively

  • Previous audit findings are resolved

  • Controls remain effective

  • You’re still meeting ISO 27001 requirements

  • Continuous improvement is happening

  • Documentation stays current

Rotating focus: Each surveillance audit typically samples different ISMS areas, ensuring full coverage over the 3-year cycle. Year 1 might focus on access controls and incident management; Year 2 on supplier security and business continuity.

Duration: Typically 1-2 days (shorter than Stage 2) but still rigorous. Auditors expect to see evidence of ongoing operation, not just maintained documentation.

Cost: €1,500-€5,000 per surveillance audit, depending on organisation size and complexity.

Key activities for maintaining certification

1. Monitor controls continuously

Preventive controls: Ensure they stop incidents before they happen

  • Firewalls and network segmentation remain properly configured (quarterly reviews)

  • Encryption implementations stay current (algorithm deprecation tracking)

  • Access restrictions enforced (MFA working, password policies active)

  • Patching schedules maintained (critical patches within 30 days, regular patches within 90 days)

  • Physical security measures operating (badge access working, visitor logs complete)

  • Security awareness training delivered on schedule (annual minimum, quarterly preferred)

Detective controls: Ensure they identify when preventive controls fail

  • Log monitoring active and reviewed (daily for critical systems, weekly for others)

  • Intrusion detection/prevention systems functioning (alerts investigated within SLA)

  • Vulnerability scanning regular (monthly minimum for internet-facing systems)

  • Access review processes followed (quarterly minimum, evidence documented)

  • Incident reporting mechanisms working (staff know how to report, incidents logged)

  • Audit trails complete and protected (logs retained per policy, integrity verified)

Corrective controls: Ensure problems are fixed effectively

  • Incident response procedures tested (annual minimum, tabletop or simulation)

  • Backup restoration verified (quarterly minimum with documented evidence)

  • Patch deployment successful (monitoring shows patches applied)

  • Business continuity plans tested (annual minimum with lessons learned documented)

  • Corrective actions from audits completed (tracked to closure with evidence)

  • Disaster recovery procedures exercised (annual minimum, recovery time tested)

Monitoring metrics: Track meaningful indicators

  • Security incidents by type, severity, and response time

  • Vulnerability remediation time by criticality

  • Training completion rates and assessment scores

  • Access review completion within deadlines

  • Backup success rates and restoration test results

  • Patch compliance percentages

  • Policy exception requests and approvals

  • Control effectiveness measures
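Two of the indicators above, patch compliance percentages and remediation time by criticality, only become audit evidence once they are measured against a stated target. The Python script below is an added example, not code from the original page or from any tool it mentions: it evaluates a constructed patch inventory (placeholder hosts and advisory ids, labelled as such in the code) against the targets stated in the checklist, critical patches within 30 days and regular patches within 90, and reports per-severity compliance, mean time to apply, and every breach with the number of days past SLA. An open item still inside its window counts as compliant so far; an item applied late stays recorded as a breach, which is what a surveillance auditor will expect to see tracked to closure.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# SLA targets from the maintenance checklist above: critical patches within
# 30 days of release, regular patches within 90 days.
PATCH_SLA_DAYS = {"critical": 30, "regular": 90}


@dataclass
class PatchRecord:
    host: str
    patch_id: str            # vendor advisory or ticket reference
    severity: str            # "critical" or "regular"
    released: date           # date the fix became available
    applied: Optional[date]  # None while the patch is still outstanding


# Constructed sample inventory: hosts and advisory ids are placeholders,
# not real systems or real advisories.
AS_OF = date(2025, 11, 15)
SAMPLE_RECORDS = [
    PatchRecord("web-01", "ADV-0001", "critical", date(2025, 10, 1), date(2025, 10, 10)),
    PatchRecord("web-02", "ADV-0001", "critical", date(2025, 10, 1), None),
    PatchRecord("db-01", "ADV-0002", "regular", date(2025, 7, 1), date(2025, 9, 15)),
    PatchRecord("db-01", "ADV-0003", "regular", date(2025, 6, 1), date(2025, 10, 1)),
    PatchRecord("app-01", "ADV-0004", "critical", date(2025, 11, 1), None),
]


def days_open(rec: PatchRecord, as_of: date) -> int:
    """Days from release to application, or to the reporting date if still open."""
    return ((rec.applied or as_of) - rec.released).days


def patch_compliance(records, as_of):
    """Summarise SLA compliance per severity and list every breach.

    A record is compliant if it was applied within its SLA window, or is still
    open but the window has not yet elapsed. Returns (summary, breaches):
    summary maps severity -> {total, compliant, percent, mean_days_applied},
    breaches is a list of (host, patch_id, severity, days_overdue) tuples.
    """
    summary = {sev: {"total": 0, "compliant": 0, "applied_days": []}
               for sev in PATCH_SLA_DAYS}
    breaches = []
    for rec in records:
        if rec.severity not in PATCH_SLA_DAYS:
            raise ValueError(f"unknown severity {rec.severity!r} on {rec.host}")
        sla = PATCH_SLA_DAYS[rec.severity]
        elapsed = days_open(rec, as_of)
        bucket = summary[rec.severity]
        bucket["total"] += 1
        if elapsed <= sla:
            bucket["compliant"] += 1
        else:
            # Late whether applied late or still open past the window.
            breaches.append((rec.host, rec.patch_id, rec.severity, elapsed - sla))
        if rec.applied is not None:
            bucket["applied_days"].append(elapsed)
    for bucket in summary.values():
        applied = bucket.pop("applied_days")
        total = bucket["total"]
        bucket["percent"] = round(100.0 * bucket["compliant"] / total, 1) if total else 0.0
        bucket["mean_days_applied"] = round(sum(applied) / len(applied), 1) if applied else None
    return summary, breaches


def run_report():
    """Evaluate the constructed sample inventory as of the constructed reporting date."""
    return patch_compliance(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    summary, breaches = run_report()
    for sev, s in summary.items():
        print(f"{sev:>8}: {s['compliant']}/{s['total']} within SLA ({s['percent']}%), "
              f"mean time to apply: {s['mean_days_applied']} days")
    for host, pid, sev, overdue in breaches:
        print(f"BREACH {host} {pid} ({sev}) {overdue} days past SLA")
```

Run against the real inventory on a fixed schedule (monthly matches the vulnerability scanning cadence in the checklist) and retain each report with its reporting date; the dated series of compliance percentages is exactly the trend an auditor asks for, and the breach list is the input to the corrective action register.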

2. Conduct regular internal audits

Frequency: At minimum, audit the entire ISMS annually. Better practice: quarterly audits covering different areas.

Scope planning: Ensure full ISMS coverage over time while focusing on:

  • High-risk areas (increased frequency)

  • Areas with previous findings (verify corrective actions)

  • New or changed processes (early verification)

  • Areas not audited recently (rotation)

Audit programme maintenance:

  • Update audit schedule annually

  • Train internal auditors or refresh external auditor knowledge

  • Rotate auditors to get fresh perspectives

  • Document audit results thoroughly

  • Track findings to closure

  • Report to management regularly

Compare documented vs actual practice:

  • Do staff follow procedures as written?

  • Are procedures realistic and current?

  • Has process drift occurred? (Common after staff changes)

  • Are new risks being addressed?

  • Is evidence being created and retained?

3. Document improvements and lessons learned

Incident learning: Every security incident or near-miss is an opportunity

  • What happened and why?

  • Which controls failed or were missing?

  • What would prevent recurrence?

  • Feed learnings into risk assessment

  • Update procedures or add controls

  • Share lessons across organisation (anonymised if needed)

Corrective action tracking:

  • Maintain register of all actions from audits, incidents, and reviews

  • Assign clear ownership and deadlines

  • Monitor progress and chase overdue actions

  • Verify effectiveness after implementation

  • Document completion evidence

  • Report status to management reviews

Statement of Applicability maintenance:

  • Review at least annually or after significant changes

  • Add controls for new risks

  • Update implementation status as controls mature

  • Revise justifications if context changes

  • Remove obsolete controls with rationale

  • Keep evidence references current

Risk register updates:

  • Reassess risks annually minimum

  • Trigger reassessment after major changes (new systems, incidents, business changes, regulatory updates)

  • Track risk trends over time (are risks increasing or decreasing?)

  • Adjust treatments as risk profiles change

  • Document risk acceptance decisions

  • Report material changes to management

4. Maintain training and awareness

New employee onboarding:

  • Security awareness training within first week

  • Role-specific training within first month

  • ISMS introduction covering policies and procedures

  • Clear explanation of security responsibilities

  • Acceptable use policies acknowledged

  • Contact points for questions or incidents

Existing staff refresher training:

  • Annual security awareness minimum (quarterly better)

  • Policy updates communicated immediately

  • Emerging threat briefings (phishing campaigns, new malware)

  • Incident lessons shared organisation-wide

  • Role-specific updates as procedures change

  • Simulated exercises (phishing tests, incident scenarios)

Training effectiveness measurement:

  • Completion rates tracked (target: >95%)

  • Assessment scores recorded (identify knowledge gaps)

  • Phishing simulation results (track improvement over time)

  • Incident response exercise performance

  • Feedback surveys (is training relevant and useful?)

  • Observable behaviour changes (fewer incidents, better reporting)

Preventing complacency:

  • Vary training delivery methods (e-learning, workshops, briefings)

  • Use real examples relevant to organisation

  • Make training engaging, not just compliance checkbox

  • Recognise good security behaviours

  • Share success stories

  • Create security champions network

Example: Maintaining certification through change

Scenario: Eighteen months after certification, the organisation adopts a new cloud-based CRM system.

Maintaining camp activities:

Month 1: Plan

  • Risk assessment updated for cloud CRM (RA-2026-05)

  • New risks identified: data residency, third-party access, API security

  • Risk treatment plan developed with controls mapped to SoA

  • Cloud provider security assessment conducted

  • Data classification reviewed (customer data = High sensitivity)

Month 2: Do

  • MFA implemented for CRM access (A.9.4)

  • Encryption at rest and in transit configured (A.10.1)

  • Access controls configured following least privilege (A.9.2)

  • Logging integrated with SIEM (A.12.4)

  • Backup procedures established and documented (A.12.3)

  • Contractual security requirements agreed with cloud provider (A.15)

Month 3: Check

  • Internal audit conducted covering CRM security controls

  • Backup restoration test successful

  • User access review completed (all access appropriate)

  • Log monitoring confirmed working

  • Staff training completion verified (92% complete)

Month 4: Act

  • Audit finding: 8% staff not yet trained (minor nonconformity)

  • Corrective action: Remaining training scheduled and completed

  • Process improvement: Automated training assignment for new systems

  • Management review: CRM security status reported, additional monitoring budget approved

Surveillance audit (Month 6):

  • Auditor reviews CRM security as part of new systems sampling

  • Finds complete risk assessment, implemented controls, training evidence

  • Notes positive: proactive approach to new technology adoption

  • No findings related to CRM

  • Certificate maintained

This demonstrates the PDCA cycle in action during organisational change.

Planning the next expedition: Recertification

ISO 27001 certificates are valid for three years. At the end of this period, a recertification audit is required. This is similar to your initial Stage 2 audit: a full review of the entire ISMS.

Understanding recertification

What it involves: Comprehensive review similar to initial Stage 2 certification audit

  • Full ISMS assessment (not sampling like surveillance audits)

  • All Annex A controls in scope reviewed

  • Management system effectiveness evaluated

  • Three years of operation examined

  • Evidence of continuous improvement required

  • Typically 2-5 days depending on organisation size

When it happens: Approximately 36 months after initial certification or previous recertification

Why it’s needed: Verifies that over the 3-year cycle:

  • ISMS remained effective continuously

  • You maintained conformance throughout

  • Continuous improvement occurred (not just maintained status quo)

  • Organisation evolved appropriately with changing risks

  • Surveillance findings were addressed effectively

Cost: Similar to initial Stage 2 audit (€3,000-€10,000 typically)

Preparing for recertification

Start planning 6-12 months before recertification is due. This is not a scramble to fix everything. It is about demonstrating three years of good practice.

Review lessons learned from initial certification and surveillance audits:

  • What findings occurred repeatedly?

  • Which areas always audit smoothly?

  • What has improved over three years?

  • What challenges remain unresolved?

  • What would you do differently if starting fresh?

Assess three-year trends:

  • Is the ISMS more mature than three years ago? (It should be)

  • Have incident numbers and severity decreased? (Security improving?)

  • Are internal audit findings trending down? (Processes stabilising?)

  • Is training effectiveness improving? (Better awareness?)

  • Are corrective actions completed faster? (More responsive?)

Conduct comprehensive ISMS review:

  • Reassess all risks: Has the threat landscape changed? New technologies? Business changes?

  • Review all controls: Still appropriate? New gaps? Better alternatives available?

  • Update all policies and procedures: Reflect current practice? Still relevant?

  • Verify all evidence is current: Nothing older than 12 months for recurring activities

  • Check Statement of Applicability: All 93 controls addressed? Justifications still valid?

Adjust for business evolution:

  • Scope changes: New locations? New services? New partnerships?

  • Technology changes: Cloud adoption? New systems? Retired legacy systems?

  • Regulatory changes: GDPR updates? NIS2? Industry-specific regulations?

  • Organisational changes: Mergers? Restructuring? New business lines?

Consider expanding ambitions:

  • Broader scope: Include additional business units or processes

  • Additional certifications: ISO 27017 (cloud), ISO 27018 (privacy), ISO 27701 (PIMS)

  • Integration: Combine with ISO 9001 (quality) or ISO 14001 (environmental)

  • Maturity improvement: Move from reactive to proactive to adaptive security posture

Example: Three-year evolution

Year 1 (newly certified):

  • ISMS operating, processes followed, some rough edges

  • Internal audits finding minor issues regularly

  • Training completion 87%

  • Incident response tested once

  • Focus: Maintaining certification, learning the system

Year 2 (maturing):

  • Processes smoother, staff confident in procedures

  • Internal audit findings decreasing

  • Training completion 95%

  • Incident response tested quarterly, performance improving

  • Focus: Optimising processes, addressing recurring issues

Year 3 (preparing for recertification):

  • ISMS integrated into business operations

  • Internal audits mostly finding observations, few nonconformities

  • Training completion 98%, phishing click rate down from 15% to 3%

  • Incident response confident and fast

  • New cloud services added to scope with proper controls

  • Risk assessment methodology improved based on experience

  • Focus: Demonstrating improvement, expanding ambitions

Recertification audit:

  • Auditor sees clear three-year improvement trend

  • Evidence of continuous improvement throughout cycle

  • ISMS adapted to business changes appropriately

  • Strong security culture evident

  • Certificate renewed for another three years

  • Organisation confident and capable

The PDCA embodiment

The flag stage represents the complete Plan-Do-Check-Act cycle in continuous operation:

Plan: Strategic direction

Annual activities:

  • Review and update information security objectives

  • Assess changing business context and interested parties

  • Update risk assessment for new threats and vulnerabilities

  • Plan control improvements and enhancements

  • Budget for security investments

  • Set targets for coming year

Triggered activities:

  • Risk reassessment after significant changes

  • Control selection for new risks

  • Procedure development for new processes

  • Training programme updates

Do: Implementation and operation

Ongoing activities:

  • Implement and operate security controls

  • Deliver security awareness training

  • Process daily operations following procedures

  • Respond to and resolve security incidents

  • Manage suppliers and third parties

  • Maintain systems and infrastructure

Project activities:

  • Implement new controls or technologies

  • Roll out updated procedures

  • Conduct improvement initiatives

  • Address corrective actions from audits

Check: Monitoring and evaluation

Continuous monitoring:

  • Security event logs reviewed

  • Control effectiveness measured

  • Performance indicators tracked

  • Compliance monitored

Periodic assessment:

  • Internal audits (quarterly recommended)

  • Management reviews (quarterly minimum)

  • Surveillance audits (annual, conducted by certification body)

  • Process effectiveness reviews

Reactive assessment:

  • Incident investigations

  • Near-miss analysis

  • Finding verification after corrective actions

Act: Improvement and adaptation

Addressing nonconformities:

  • Corrections (fix the immediate problem)

  • Corrective actions (address root cause)

  • Verification (ensure solution worked)

Continuous improvement:

  • Process optimisation

  • Control enhancement

  • Technology upgrades

  • Procedure simplification

  • Automation opportunities

Adaptation:

  • Responding to changing business needs

  • Addressing emerging threats

  • Adopting new technologies

  • Expanding scope

  • Maturing capabilities

The PDCA cycle never stops. Each iteration builds on previous learning, creating an upward spiral of improvement rather than static maintenance.

Staying on the summit: Key success factors

Maintaining ISO 27001 certification long-term requires more than meeting requirements. It requires embedding security into organisational culture.

What successful organisations do differently

Leadership commitment remains visible:

  • Management reviews are meaningful, not box-ticking

  • Security investments approved when justified

  • Leadership discusses security regularly

  • Tone from the top reinforces importance

  • Security integrated into strategy discussions

Security becomes “how we work”:

  • Staff see security as enabler, not barrier

  • Procedures followed because they make sense, not just because they’re required

  • Security champions emerge naturally across departments

  • People proactively identify and report risks

  • Security thinking integrated into decision-making

Documentation stays relevant:

  • Policies updated when practices change

  • Procedures reflect reality

  • No “shelf-ware” (documents no one uses)

  • Easy to find and understand

  • Version control maintained

Learning culture established:

  • Incidents analysed without blame

  • Near-misses reported and learned from

  • Audit findings welcomed as improvement opportunities

  • Failures discussed openly

  • Success celebrated and shared

Continuous improvement embedded:

  • Regular small improvements rather than occasional big changes

  • Innovation encouraged within security framework

  • Feedback mechanisms working

  • Metrics driving decisions

  • Proactive rather than reactive

Resource allocation appropriate:

  • Security staffing matches organisation size and complexity

  • Budget sufficient for tools and training

  • Time allocated for security activities

  • Competing priorities balanced sensibly

Common pitfalls to avoid

Certification complacency: Treating certificate as finish line rather than checkpoint. Result: Surveillance audit findings increase, controls degrade, certificate at risk.

Audit-driven only: Only acting when audit is approaching. Result: Reactive rather than proactive, missed opportunities, expensive last-minute fixes.

Documentation drift: Procedures become outdated, inconsistent with practice. Result: Audit findings, staff confusion, ineffective controls.

Turnover impacts: Key people leave, knowledge walks out the door. Result: Processes break down, institutional knowledge lost, capability gaps.

Resource starvation: Security budget cut, staff reassigned. Result: Controls fail, incidents increase, certification difficult to maintain.

Stagnation: No improvement over years, minimal engagement. Result: ISMS becomes irrelevant, fails to address emerging threats, eventual non-conformance.

Compliance theatre: Following processes mechanically without understanding or caring why. Result: Brittle system that fails under real pressure despite looking good on paper.

Outcome: Vigilance and readiness

Planting the flag is a significant achievement worthy of celebration. ISO 27001 certification demonstrates to your organisation, customers, partners, and regulators that you take information security seriously and manage it systematically.

But the flag is not permanent. It requires constant attention. The summit proves you could climb the mountain. Staying there proves you can maintain altitude in changing conditions.

What vigilance looks like in practice

Daily: Controls operating, logs reviewed, incidents handled, staff following procedures

Weekly: Metrics reviewed, emerging issues identified, quick wins implemented

Monthly: Control effectiveness assessed, trend analysis conducted, minor improvements made

Quarterly: Internal audits conducted, management reviews held, objectives reviewed, training delivered

Annually: Risk assessment updated, policies reviewed, surveillance audit passed, achievements celebrated

Three-yearly: Recertification successful, scope expanded, maturity improved, next cycle planned

The mountain awaits

The information security landscape never stops changing:

  • New threats emerge constantly (ransomware variants, supply chain attacks, AI-enabled threats)

  • Technology evolves rapidly (cloud, AI/ML, IoT, quantum computing)

  • Regulations tighten (GDPR enforcement, NIS2, sector-specific requirements)

  • Business needs shift (digital transformation, remote work, new markets)

  • Expectations increase (customers, partners, insurers demanding more)

Your ISMS must evolve with these changes. The certification provides the framework and discipline to adapt systematically rather than reactively.

The summit is proof of past achievement. Staying there requires future commitment.

Your organisation has demonstrated the capability to climb the mountain. Now demonstrate the maturity to remain at the peak through ongoing vigilance, continuous improvement, and readiness for whatever challenges emerge.

The flag flies proudly. Keep it flying through dedication, attention, and the systematic approach that got you here in the first place.

Let’s meet at the flag to analyse outcomes and plan the next leg of your information security journey.