
How Often Do You Need ISO Audits (and What Do They Actually Involve Year to Year)?

  • Apr 29

“We’ve got ISO certification… how often do we actually get audited now?”


It’s a question many businesses ask once they’ve achieved certification. The focus tends to be on getting through the initial audit, but what happens afterwards is just as important - and often less clearly understood.


There’s sometimes an assumption that once you’re certified, audits become less frequent or less detailed.


In reality, certification is an ongoing cycle.


Understanding how that cycle works helps you plan properly, avoid surprises, and keep your system running smoothly.


The short answer about ISO audits

ISO certification typically follows a three-year cycle:


  • Year 1 – Certification audit (Stage 1 + Stage 2)

  • Year 2 – Surveillance audit

  • Year 3 – Surveillance audit

  • End of Year 3 – Recertification audit


Then the cycle starts again.


So while the initial audit is the most intensive, you will still be audited every year.


What changes after certification?

After your initial certification, audits don’t stop - they just change in focus.


The emphasis shifts from:

“Do you have a system in place?”

to:

“Are you maintaining and using it properly?”


This is where many companies get caught out.


The expectation is that your system continues to operate consistently, not just at the point of certification.


What happens at surveillance audits

Surveillance audits usually take place once per year.


They are typically shorter than the initial certification audit, but they are still structured and detailed.


The auditor will often focus on specific areas of your system, rather than reviewing everything at once.


This might include:


  • key processes and controls

  • recent changes in the business

  • internal audits and management reviews

  • nonconformities and corrective actions

  • performance monitoring and objectives


Over the three-year cycle, all parts of your system will be covered.


What happens at recertification

At the end of the three-year cycle, a recertification audit takes place.


This is more comprehensive than a surveillance audit and is closer in scope to your original Stage 2 audit.


The aim is to confirm that your system:


  • is still effective

  • reflects your current operations

  • continues to meet the standard


If successful, your certification is renewed for another three-year cycle.


The common misunderstanding

One of the biggest misconceptions is that surveillance audits are “lighter” or less important.


While they may be shorter, they still assess whether your system is active and being maintained.


Common issues we see include:


  • systems not being updated as the business changes

  • internal audits not being carried out regularly

  • management reviews being overlooked

  • documentation drifting away from actual practice


These problems often build up gradually and only become visible at audit time.


The biggest mistake: switching off after certification

A pattern we see regularly is businesses putting a lot of effort into achieving certification, then reducing focus afterwards.


The system becomes something that is only revisited just before the next audit.


This often leads to:


  • rushed updates

  • gaps in records

  • unnecessary stress during audits


ISO works best when it is part of normal operations, not something that is “turned on” once a year.


How to make audits straightforward

The easiest way to manage ongoing audits is to keep the system active throughout the year.


In practical terms, that means:


  • carrying out internal audits at planned intervals

  • holding meaningful management reviews

  • keeping records up to date

  • making changes to the system as the business evolves


When this happens, surveillance audits tend to feel routine rather than disruptive.


Not sure what your audit cycle should look like?

Every organisation is slightly different, depending on size, complexity and the standards involved.


If you’re unsure how your audit cycle works - or whether your system is being maintained properly - it’s worth getting a clearer view.


You can use our free ISO readiness check to understand:


  • what your audit cycle should involve

  • where gaps typically appear

  • what you should focus on next



Final thought

ISO certification isn’t a one-off event.


It’s an ongoing cycle designed to make sure your system continues to work as your business grows and changes.


The more your system is embedded into day-to-day operations, the easier each audit becomes - and the more value you get from being certified.

 
 
 
