Year 2, year 3 and recertification: the maintenance side of ISO 27001 cost

ISO 27001 certification is not a one-off event. The audit cycle is three years, with surveillance audits at months 12 and 24, and a full recertification audit at month 36 (or month 48 in the subsequent cycle). Surveillance audits are shorter than Stage 2 and test that the ISMS continues to operate as designed; recertification tests effectiveness across the full cycle.

Year-2 surveillance fees typically run at 30 to 40 percent of the initial Stage 2 fee. The day rate is usually locked in for the three-year cycle, but day count is set at audit time. Surveillance tests a sample of controls (typically 30 to 50 percent of Annex A in any given year) plus all mandatory clauses (4 to 10 of ISO 27001:2022).

What the auditor checks: management review evidence, internal audit programme outputs, risk treatment progress, control effectiveness for the sampled set, change management and corrective actions from year 1. Surveillance is materially less prescriptive than Stage 2 but failures still result in non-conformities that require closure before the next surveillance.

What the internal team must prepare: management review pack (mandatory annual), internal audit programme report, risk treatment status, evidence pack for sampled controls. Total internal effort typically runs 60 to 100 hours for a 50 to 250 FTE organisation.

Year-3 surveillance is structurally similar to year-2, with a different sample of controls. Cost shape is roughly identical unless ISMS scope has changed. The single most-common cost surprise in year 3 is scope expansion: a subsidiary acquired since certification, a new product line in scope, or a regulatory change requiring control additions.

Recertification is a Stage 2-equivalent audit, often without a separate Stage 1. Day count is typically 70 to 90 percent of the original Stage 2; the saving on Stage 1 is offset by the broader control sample. The audit additionally reviews effectiveness of the ISMS across the full three-year cycle, not just the past 12 months.

Internal preparation for recertification is materially heavier than surveillance: typically 100 to 180 hours for a 50 to 250 FTE organisation, covering refreshed risk assessment, documented effectiveness review, three-year management review composite, and full internal audit programme report.

The continuing internal cost of operating an ISO 27001 ISMS is the line that most cost-of-ownership analyses miss. ISMS lead time, internal audit programme staffing and tooling subscription persist across the cycle.

Three scenarios pulled across pillars to give a clean three-year view. Each is consistent with the company-size sanity checks on the small business and enterprise pages.

The most-recent material change to ISO 27001 was the 2022 revision, with a transition window that closed October 2025. Organisations certified to ISO 27001:2013 were required to transition by then; the transition itself typically added a 10 to 25 percent uplift to a surveillance audit if performed alongside one. No further revision has been announced at time of writing (April 2026), but a revision is on the horizon and worth tracking. We will update this page when a material revision is published, not for cosmetic date bumps.

For the underlying audit-fee day rates that drive surveillance cost, see the audit fees page. For the GRC platform that persists across the cycle, see the tooling page. To plug your specific company size into a three-year TCO, use the calculator.