Surveillance Audits and Recertification

Surveillance audits and recertification are the mechanisms by which accredited certification bodies verify that a certified organization continues to meet the requirements of a standard after the initial certificate is issued. Without these ongoing verification activities, a certificate issued at one point in time would carry no assurance beyond that moment. This page covers the definitions, operational mechanics, common use scenarios, and decision logic that govern surveillance and recertification cycles under frameworks such as ISO/IEC 17021-1 and related US-accredited certification programs.


Definition and scope

A surveillance audit is a periodic on-site or remote assessment conducted between the initial certification and the full recertification audit. Its purpose is to confirm that the certified management system remains implemented, effective, and compliant with the applicable standard's requirements. A recertification audit (also called a renewal audit) is a comprehensive reassessment conducted at the end of a certification cycle — typically a three-year cycle under ISO/IEC 17021-1 — and determines whether certification should be extended for another cycle.

Both activities are governed by ISO/IEC 17021-1:2015, published by the International Organization for Standardization (ISO), which sets competence and consistency requirements for bodies providing audit and certification of management systems. In the United States, accreditation bodies such as ANAB (ANSI National Accreditation Board) and A2LA (American Association for Laboratory Accreditation) evaluate certification bodies against ISO/IEC 17021-1 to confirm they are operating these cycles correctly — see ANAB and A2LA Accreditation Bodies for background on how accreditation oversight works.

The scope of surveillance covers the entire certified scope of the management system. Partial surveillance — reviewing only selected processes — is permitted under ISO/IEC 17021-1 §9.4 on a rotating basis, provided that the full scope is covered over the certification cycle and not just at recertification.


How it works

The structure of a typical three-year certification cycle under ISO/IEC 17021-1 follows this sequence:

  1. Initial certification audit (Stage 1 + Stage 2): The organization achieves certification after successfully completing both a document review stage and a full on-site assessment.
  2. First surveillance audit: Conducted no later than 12 months after the certification decision date (ISO/IEC 17021-1 §9.4.1). This audit focuses on key processes, internal audit results, corrective actions from prior findings, and management review outputs.
  3. Second surveillance audit: Conducted no later than 24 months after the certification decision date. Coverage should complement the first surveillance to ensure the full scope is addressed across the cycle.
  4. Recertification audit: Initiated before the three-year certificate expiry date — typically with enough lead time to resolve any nonconformities before expiry. The recertification audit reviews the entire management system, not just selected elements, and culminates in a new certification decision.
  5. Certificate renewal or withdrawal: Based on the recertification audit outcome, the certification body either issues a new three-year certificate or initiates suspension or withdrawal proceedings per its defined nonconformity handling procedures.

Remote audits, conducted via documented electronic means, became formally recognized in ISO/IEC 17021-1 under Annex A guidance and were further addressed by ISO/IEC 27006:2015 for information security management systems. Remote surveillance is accepted by accreditation bodies subject to documented justification and risk assessment.


Common scenarios

ISO 9001 Quality Management Systems: The most widely certified standard globally, with the ISO Survey 2022 reporting over 1.08 million certificates in force. Surveillance audits for ISO 9001 commonly focus on customer feedback data, corrective action effectiveness, and process performance metrics.

ISO 14001 Environmental Management Systems: Surveillance audits here typically examine legal compliance register updates, environmental objectives progress, and any significant operational changes that could alter environmental aspects and impacts.

ISO 45001 Occupational Health and Safety: The Occupational Safety and Health Administration (OSHA) does not mandate ISO 45001 certification, but organizations in high-hazard industries often pursue it voluntarily. Surveillance audits focus on incident investigation records, hazard identification processes, and competency evidence for safety-critical roles.

ISO/IEC 27001 Information Security Management Systems: The certification body uses surveillance audits to verify that the Statement of Applicability remains current, that risk treatment plans are being executed, and that internal audits are being conducted at planned intervals — all requirements under ISO/IEC 27001:2022 §9.2.

Multi-site organizations: Surveillance sampling plans for multi-site certificates follow the formulas specified in IAF MD 1:2018 (International Accreditation Forum Mandatory Document), which sets minimum site-sample sizes based on the total number of sites in scope. This creates a distinct audit planning requirement compared to single-site certificates — see Multisite Certification for the sampling methodology.


Decision boundaries

The distinction between surveillance and recertification is not merely procedural — it has direct consequences for certificate validity.

Criterion                Surveillance Audit                                    Recertification Audit
-----------------------  ----------------------------------------------------  --------------------------------------------
Timing                   ≤12 months and ≤24 months post-certification          Before three-year certificate expiry
Scope coverage           Partial (rotating), per audit plan                    Full management system scope
Output                   Continued certification (or nonconformity action)     New three-year certificate issued
Nonconformity deadline   Defined corrective action timeline                    Must be closed before new certificate issued
Failure consequence      Suspension if unresolved (see Certification           Expiry without renewal
                         Suspension and Withdrawal)

A major nonconformity raised during a surveillance audit triggers a defined corrective action response period — typically 90 days under most certification body procedures, consistent with ISO/IEC 17021-1 §9.4.3. If the organization fails to close the nonconformity within the specified timeframe, the certification body must suspend the certificate. Suspension that remains unresolved beyond the body's documented maximum suspension period — commonly 6 months — must result in withdrawal.

Recertification audits that identify a major nonconformity before the certificate expiry date present a timing-critical decision boundary. The certificate cannot be renewed until the nonconformity is closed and verified. If the certificate expires before closure is achieved, the organization must reapply as if for initial certification, repeating Stage 1 and Stage 2 audits.
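The cycle timing in "How it works" and the nonconformity decision boundaries above can be expressed as a small lifecycle model. The following is an added example written for this page, not code from the page, from ISO, or from any accreditation or certification body. It uses only the intervals the text states (12- and 24-month surveillance deadlines, a three-year certificate, a 90-day corrective action period, a 6-month maximum suspension); the 90-day and 6-month figures are described as typical, so a real certification body's procedure may differ, and every function and field name is this example's own.

```python
"""Lifecycle model for one ISO/IEC 17021-1 three-year certification cycle.

Added example, not code from the page or from ISO/ANAB/A2LA. Intervals are
the ones the page gives; the 90-day corrective action period and 6-month
maximum suspension are "typical" figures and should be set per the
certification body's documented procedure. All names are this example's own.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MONTHS_FIRST_SURVEILLANCE = 12    # no later than 12 months after decision date
MONTHS_SECOND_SURVEILLANCE = 24   # no later than 24 months after decision date
CYCLE_YEARS = 3                   # certificate validity
CORRECTIVE_ACTION_DAYS = 90       # typical; assumption, set per CB procedure
MAX_SUSPENSION_MONTHS = 6         # typical; assumption, set per CB procedure


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    first_of_next = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass(frozen=True)
class CycleSchedule:
    certification_decision: date
    first_surveillance_due: date     # latest permitted date
    second_surveillance_due: date    # latest permitted date
    certificate_expiry: date


def plan_cycle(certification_decision: date) -> CycleSchedule:
    """Latest permitted date for each activity in the cycle."""
    return CycleSchedule(
        certification_decision,
        add_months(certification_decision, MONTHS_FIRST_SURVEILLANCE),
        add_months(certification_decision, MONTHS_SECOND_SURVEILLANCE),
        add_months(certification_decision, 12 * CYCLE_YEARS),
    )


def surveillance_on_time(schedule: CycleSchedule, which: int, audit_date: date) -> bool:
    """True if the first (1) or second (2) surveillance audit meets its deadline."""
    due = schedule.first_surveillance_due if which == 1 else schedule.second_surveillance_due
    return audit_date <= due


def status_after_major_nc(raised_on: date, closed_on: Optional[date], as_of: date) -> str:
    """Certificate status on `as_of` after a major NC raised at a surveillance audit.

    Sequence from the text: corrective action period, then suspension if the NC
    is not closed in time, then withdrawal if the suspension remains unresolved
    past the maximum suspension period. Assumption made here: closure during
    suspension lifts it, since withdrawal applies only to a suspension that
    *remains unresolved*.
    """
    corrective_deadline = raised_on + timedelta(days=CORRECTIVE_ACTION_DAYS)
    withdrawal_date = add_months(corrective_deadline, MAX_SUSPENSION_MONTHS)
    closed = closed_on is not None and closed_on <= as_of
    if closed and closed_on <= corrective_deadline:
        return "certified"
    if as_of <= corrective_deadline:
        return "certified (corrective action open)"
    if closed and closed_on <= withdrawal_date:
        return "certified (suspension lifted)"
    if as_of <= withdrawal_date:
        return "suspended"
    return "withdrawn"


def recertification_decision(schedule: CycleSchedule, decision_on: date,
                             open_major_nc: bool) -> str:
    """Renewal boundary: no new certificate while a major NC is open; after
    expiry the organization must reapply as for initial certification."""
    if decision_on > schedule.certificate_expiry:
        return "expired: reapply for initial certification (Stage 1 + Stage 2)"
    if open_major_nc:
        return "renewal withheld: major nonconformity must be closed and verified"
    return "renewed: new three-year certificate"


if __name__ == "__main__":
    # Constructed sample dates for illustration only.
    sched = plan_cycle(date(2023, 3, 15))
    print(sched)
    print(surveillance_on_time(sched, 1, date(2024, 3, 1)))
    print(status_after_major_nc(date(2024, 3, 1), None, date(2024, 7, 1)))
    print(recertification_decision(sched, date(2026, 2, 1), open_major_nc=False))
```

The model deliberately tracks latest-permitted dates rather than planned dates: a certification body that schedules surveillance earlier is still compliant, while a date past `first_surveillance_due` or `second_surveillance_due` is what an accreditation body would flag.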

The compliance certification lifecycle provides the broader framework within which surveillance and recertification sit, including pre-certification readiness, initial audit sequencing, and certificate management obligations.
