By the time the second surveillance audit (SA2) lands on the calendar, the original certification team has usually moved on, the ISMS has accumulated drift, and the recertification audit is close enough to feel real. SA2 is where certification bodies start asking harder questions — not because the auditor has become hostile, but because the rotation now covers the parts of the ISMS the first surveillance left alone, and because thirteen months of operational reality have either reinforced the system or quietly hollowed it out.
This playbook is for the security or GRC lead running their first SA2, or running a second-cycle SA2 for an organization that scraped through the first one. It covers what auditors actually sample at SA2, the failure patterns that recur across certification bodies, and the operational cadence that turns a surveillance audit from an annual fire drill into a status check.
What SA2 Actually Tests
ISO/IEC 27001 certificates are valid for three years, with mandatory annual surveillance audits between the initial certification and recertification. The cycle is structured so the certification body — accredited by bodies like UKAS or ANAB — can maintain confidence that your ISMS continues to operate, without re-running the full Stage 2.
The mechanical scope is narrower than initial certification. Surveillance audits are shorter in duration and sample-based: auditors test a sampled set of controls rather than every control in the ISMS, with the time calculated from a UKAS or IAF formula based on headcount, scope, and risk. But the framing matters more than the duration.
At SA1, auditors are checking whether the ISMS that just got certified is still operating. At SA2, they’re checking something subtler: whether the ISMS has kept up with the business. Two specific things change. First, the auditor will deliberately rotate to processes, departments, and sites not covered at the first surveillance, so that full ISMS coverage is achieved across the three-year period. Second, the auditor knows recertification is one year out, and any pattern of drift visible at SA2 will be cited at recertification with interest.
Mandatory areas reviewed at every surveillance audit include: the status of nonconformities from the previous audit, the internal audit programme, the management review, the risk assessment, the information security objectives, and a sample of Annex A controls — rotated between SA1 and SA2 to cover different areas. Skip any one of these in your prep and you will produce a finding.
The Findings That Recur
Most SA2 findings are not exotic. They cluster in a small number of categories that practitioners and certification bodies report consistently. Knowing the list before the auditor arrives is half the preparation.
Internal audit programme not completed. This is the most frequent finding. Many organizations conduct one internal audit in preparation for initial certification and then let the audit programme lapse, so by SA1 a full 12-month period has elapsed and no internal audit has taken place. By SA2, the gap has often widened. ISO 27001 Clause 9.2 requires a planned internal audit programme, not a single annual event, and the auditor will ask to see the schedule, the audit reports, and evidence that findings flowed into corrective action.
Management review skipped or thin. Clause 9.3 specifies the inputs that must be addressed, including changes in external and internal issues, feedback on information security performance, the status of nonconformities, and risk assessment results. Findings here are common where minutes capture attendance but not substance — meetings happened, but the required inputs are missing from the record.
Risk assessment unchanged since implementation. If the business has shifted — new products, new SaaS, new suppliers, M&A activity, a cloud migration — and the risk register still reflects the world at Stage 2, the ISMS is no longer reflecting reality. Risk assessment not updated following changes is consistently one of the most common findings at surveillance.
Statement of Applicability drift. The SoA must align with the risk register. Reusing an SoA from a previous certification cycle without revisiting risks is one of the fastest ways to create inconsistency and nonconformities, and excluding controls with “not applicable to our business” rather than a real risk-based justification cascades into multiple findings across Clause 6 and Annex A.
Unclosed findings from SA1. A previously closed minor that wasn’t actually fixed at root cause is worse than a fresh finding. Recurring findings are viewed more seriously by auditors than first-time findings, as they indicate that corrective action was not effective. The SA2 auditor will pull the SA1 report and verify closure.
Policy hygiene. Unsigned or undated policies, version mismatches between the document register and the files actually in circulation, and policies that still reference deprecated tools or organizational structures. These are easy to fix, surprisingly common, and demoralizing to take as findings.
The Quarterly Cadence That Prevents the Scramble
The organizations that find SA2 routine are the ones that stopped treating compliance as an audit-driven activity. The ones that struggle treat it as exactly that. A defensible approach is to lock four predictable touchpoints into the calendar and run them whether anyone is asking or not.
A workable structure: Q1 for the annual management review and strategic planning, Q2 for the mid-year risk assessment review and policy updates, Q3 for the internal audit programme execution and finding resolution, Q4 for year-end performance assessment and surveillance audit preparation. Specific dates matter less than the discipline of producing the same artifacts on the same schedule every year.
The internal audit programme is worth explicit attention. A single internal audit in Q3 covering everything is allowed, but it produces a thin report and tends to repeat from year to year. Splitting the programme — Annex A controls in one quarter, clauses 4–10 in another, scope rotation matching the certification body’s rotation — produces deeper findings and gives the SA2 auditor a programme that visibly works.
SA2 Prep: Working Backward Six to Eight Weeks
Once the audit date is on the calendar, the work is largely ordering and evidencing what already exists. If it doesn’t already exist, you have a different problem.
The single most leveraged hour of prep is a walkthrough of the SA1 report against current state. Open every finding — including observations and OFIs. For each, identify the documented closure, then verify the underlying behavior is still happening twelve months later. If an auditor logs an OFI, it’s probably best to address it before the next review — sometimes auditors dress up an NC as an OFI. Treating OFIs as low-priority is a common mistake.
The 2022 Transition Wrinkle
If your organization transitioned from ISO 27001:2013 to ISO 27001:2022 inside this certification cycle, SA2 is where the transition gets stress-tested. The 2022 standard contains 93 controls organized into four themes — organizational, people, physical, and technological — replacing the 114 controls across 14 domains in the 2013 version, with eleven new controls including A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, A.5.30 ICT readiness for business continuity, and A.8.9 Configuration management.
The transition deadline of 31 October 2025 has now passed, so any organization still certified holds a 2022 certificate. The audit-floor question at SA2 is not “did you map your old controls” but “is the SoA living, and does the risk register actually drive control selection.” Mapped-but-not-thought-through SoAs are visible to experienced auditors within the first hour.
The new controls also have predictable failure modes. A.5.7 Threat intelligence invites a finding when the organization claims to consume threat intel but cannot show how it feeds into risk decisions or detection engineering. A.5.30 ICT readiness for business continuity wants tested ICT continuity, not a BCP document. A.8.9 Configuration management wants baselines and drift detection, not a hardening guide that nobody operates against.
Responding to Findings Without Making Them Worse
Findings at SA2 are not failure. A small number of minor nonconformities will not generally prevent maintaining a certificate, while a single major nonconformity will prevent certificate maintenance until corrected. The mechanism that matters is corrective action under Clause 10.2.
The structured response is: correction (the immediate fix), root cause analysis, corrective action (the systemic fix), verification of effectiveness, and a documented update to the ISMS. Auditors often issue minor nonconformities on the corrective action itself because organizations stop their analysis at “human error” — a 5 Whys exercise that stops at the first answer has not reached a root cause.
Submission timelines are typically 30 to 90 days for a corrective action plan and evidence, set by the certification body. The certificate remains valid during this window provided you respond in good faith. The trap is closing a finding cosmetically — updating a policy, ticking the box — without addressing the underlying process. That finding will recur at recertification, and recurring findings carry weight.
Frequently Asked Questions
How long does an SA2 actually take? Duration is calculated from the IAF/UKAS formula based on headcount, scope, and risk — not a fixed number of days. A small SaaS company with a tight scope may see one to two days on-site or remote. A multi-site organization with a complex scope may see four or more. The certification body issues an audit plan in advance.
Can SA2 be conducted remotely? Yes, in most cases, though certification bodies generally prefer at least some on-site time across the cycle. Multi-site scopes typically require a head office visit at every audit, with rotated sampling of other sites.
What happens if we miss an internal audit? It’s a finding, almost certainly minor unless the programme has lapsed entirely or repeats SA1’s finding. The corrective action needs to address why the programme stopped, not just “we did one now.” Auditors look for systemic causes — under-resourcing, ownership ambiguity, calendar drift.
Should we run a mock audit before SA2? Useful if SA1 produced multiple findings, if the ISMS has gone through significant change (M&A, scope expansion, new product lines), or if the team that ran initial certification is no longer in place. Otherwise the internal audit programme should be doing this work continuously.
What SA2 Is Really For
The certification body sees SA2 as a checkpoint, not a gate. It’s the last opportunity to surface drift before recertification, where the audit fully re-tests the ISMS and findings carry into the next cycle.
If you’re walking into SA2 with a current risk register, an SoA that maps to it, internal audits running on a real programme, management reviews that document the right inputs, and SA1 findings genuinely closed at root cause, the audit is a status check. If any one of those is missing, the audit becomes a discovery exercise, and SA2 will tell you what recertification will look like in twelve months. Either way, the audit is useful — but only one of those outcomes is comfortable.