Overview
Prepare for annual ISO 27001 surveillance audits by reviewing and updating existing ISMS documents. Unlike the initial certification skills that create documents from scratch, this skill reviews existing artifacts, identifies what changed, and prepares evidence for the audit.
Surveillance audits sample a subset of clauses and Annex A controls each year. By Year 3 (recertification), the full ISMS must have been audited. This skill ensures audit-readiness throughout the 3-year certification cycle.
For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the ISO 27001 ISMS workspace tutorial.
What It Covers
- Document freshness scanning — identifies ISMS documents overdue for review with Green/Amber/Red status based on last-modified dates
- Organizational change assessment — classifies changes (personnel, technology, process, facility, third-party, regulatory) by ISMS impact level and maps to affected documents and controls
- Delta risk re-assessment — updates the risk register for new, changed, and closed risks without re-doing the full assessment
- SoA annual update — reviews control implementation status, evidence references, and inclusion/exclusion justifications
- CAPA reconciliation — cross-references CAPAs from internal audits, surveillance findings, and incident reports; validates closure and effectiveness
- Surveillance audit evidence pack — assembles control-by-control evidence indexed by clause and Annex A reference
- Readiness scoring — evaluates 10 weighted dimensions to produce an overall readiness score (0–100)
- Year-over-year health report — compares ISMS metrics against prior year baseline to demonstrate continual improvement
Output Documents
| Document | Purpose |
|---|---|
| ISMS Health Check Report | Document freshness scan, organizational changes, scope validity |
| Delta Risk Assessment | New/changed/closed risks with updated treatments |
| Risk Treatment Plan Update | Updated treatment decisions per Clause 6.1.3(e) |
| SoA Annual Update | Control status changes, evidence updates, inclusion/exclusion justifications |
| CAPA Reconciliation Report | Closure status, effectiveness validation, NC trend analysis |
| Surveillance Audit Evidence Pack | Evidence index organized by clause and control |
| Surveillance Audit Readiness Checklist | 10-dimension readiness assessment with RAG status |
| ISMS Annual Health Report | Year-over-year metrics, PDCA summary, executive overview |
Example Conversation
You: We need to prepare for our Year 1 surveillance audit. We were certified 11 months ago. Our CISO resigned in January, we migrated to AWS, and we opened a new office in Berlin.
Agent: I’ll help you prepare for the Year 1 surveillance audit. Let me start by scanning your ISMS documents for freshness, then we’ll assess how those organizational changes affect your ISMS.
Running document_freshness_scanner…
ISMS Document Freshness Scan — 18 documents found:
| Document | Category | Status | Days Ago |
|---|---|---|---|
| Organization Profile | Context | RED | 340 |
| ISMS Scope | Context | RED | 335 |
| Risk Assessment / Register | Planning | AMBER | 280 |
| IS Policy / ISMS Manual | Policy | RED | 330 |
| Access Control | Policy | AMBER | 210 |
| Supplier Security | Policy | GREEN | 95 |
| Internal Audit | Check | GREEN | 45 |
| Management Review | Act | GREEN | 60 |
Freshness: 61% within review cycle — 5 GREEN, 4 AMBER, 9 RED
9 documents are overdue for review. Now let me classify your organizational changes…
Running organizational_change_classifier…
Changes classified — 1 High, 2 Medium impact:
| # | Change | Category | Impact | Affected Documents |
|---|---|---|---|---|
| 1 | CISO resigned | Personnel | High | Organization Profile, ISMS Roles, Access Control, Training Records |
| 2 | AWS migration | Technology | Medium | Asset Inventory, Risk Assessment, SoA, Change Management, BCP/DR |
| 3 | Berlin office opened | Facility | Medium | ISMS Scope, Physical Security, Asset Inventory, BCP/DR |
Critical: The CISO resignation is a High-impact change. Controls A.6.1, A.6.2, A.6.5, A.5.2, and A.5.4 need verification. Has a replacement been appointed?
You: Yes, we promoted our Security Manager to CISO in February. We also have 3 open CAPAs from the certification audit and 2 from the last internal audit.
Agent: Good. Let me reconcile all CAPAs across the workspace…
Running capa_reconciliation_engine…
CAPA Reconciliation — 5 CAPAs found across 3 files:
| Status | Count |
|---|---|
| Closed / Completed | 3 |
| Open / In progress | 1 |
| Overdue | 1 |
| Closed without effectiveness review | 1 |
| Closure rate | 60% |
Overdue: CAPA-003 (from certification audit) — “Implement network segmentation” — 47 days past due. This needs escalation — auditors will specifically check closure of prior findings.
Warning: NC-002 was closed but has no effectiveness review. Clause 10.2 requires verifying corrective actions are effective. Schedule an effectiveness review before the audit.
Shall I continue with the delta risk assessment for the AWS migration and Berlin office?
You: Yes, and then score our overall readiness.
Agent: I’ll draft the delta risk assessment, then run the readiness scorer…
Running surveillance_readiness_scorer…
Surveillance Audit Readiness: 62/100 — CONDITIONALLY READY
| Dimension | Score | Status |
|---|---|---|
| Document Currency | 40 | RED |
| Risk Assessment Freshness | 70 | GREEN |
| CAPA Closure Rate | 40 | RED |
| Training Records | 70 | GREEN |
| Control Evidence | 100 | GREEN |
| Management Review | 100 | GREEN |
| Policy Review | 40 | RED |
| Incident Response Testing | 70 | GREEN |
| Supplier Review | 70 | GREEN |
| Measurement Program | 70 | GREEN |
3 dimensions need remediation before the audit:
- Document Currency — 9 documents overdue. Update or endorse each with “reviewed, no changes”
- CAPA Closure Rate — 60% is below acceptable. Close CAPA-003 and schedule NC-002 effectiveness review
- Policy Review — IS Policy hasn’t been reviewed in 11 months. Review and endorse
I’ll generate all output documents now with specific remediation actions for each RED dimension.
Sample Output Excerpt
Below is a representative excerpt from the generated ISMS Annual Health Report showing the year-over-year metrics comparison and PDCA cycle summary.
Year-over-Year Metrics Comparison
| Metric | Prior Year (2024-2025) | Current Year (2025-2026) | Delta | Trend |
|---|---|---|---|---|
| Total risks in register | 28 | 32 | +4 | Improved (better awareness) |
| High/Critical risks | 5 | 3 | -2 | Improved |
| CAPAs raised | 7 | 5 | -2 | Improved |
| CAPAs closed | 5 | 3 | -2 | Stable |
| CAPAs overdue | 2 | 1 | -1 | Improved |
| Security incidents | 4 | 2 | -2 | Improved |
| Training completion % | 85% | 92% | +7% | Improved |
| Policy review completion % | 70% | 88% | +18% | Improved |
| Internal audit findings | 8 | 5 | -3 | Improved |
| Major NCs | 1 | 0 | -1 | Improved |
| Minor NCs | 3 | 2 | -1 | Improved |
| Controls implemented | 78 | 82 | +4 | Improved |
Improvement score: 83% of metrics improved year-over-year
PDCA Cycle Summary
Plan
- Updated risk register with 4 new risks from AWS migration and Berlin office expansion
- Revised ISMS scope to include Berlin location and AWS infrastructure
- Set IS objectives for 2026: zero major incidents, 95% training completion, full CAPA closure
Do
- Completed AWS migration with security controls (A.8.1, A.8.9, A.8.25)
- Deployed MFA for all remote access (A.8.5)
- Implemented physical security controls at Berlin office (A.7.1, A.7.2)
- Appointed new CISO; updated ISMS roles and responsibilities
Check
- Conducted internal audit covering Clauses 4-7 and Annex A.5-A.6 controls
- Completed management review with all Clause 9.3 inputs addressed
- Monitored 12 KPIs — 10 met target, 2 improving but below threshold
- Surveillance readiness score: 62/100 (conditionally ready)
Act
- Closed 3 of 5 CAPAs from prior audits
- Initiated corrective action for training completion gap (automated platform procurement)
- Escalated overdue network segmentation CAPA to CTO
- Identified 3 continual improvement initiatives for next cycle
Surveillance Readiness
| Dimension | Score |
|---|---|
| Overall readiness | 62/100 |
| Document currency | 61% |
| CAPA closure rate | 60% |
| Policy review completion | 88% |
Next audit date: 2026-04-15
Certification body: BSI
Assessment: Conditionally ready — address 3 RED dimensions before audit
Extension Tools
document_freshness_scanner
Scans the workspace for ISMS documents and reports their review freshness using a RAG status based on last-modified dates:
| Status | Criteria (12-month cycle) | Action |
|---|---|---|
| GREEN | Modified <6 months ago | Current — no action needed |
| AMBER | Modified 6–12 months ago | Review recommended — schedule soon |
| RED | Modified >12 months ago or missing | Overdue — update or endorse as current |
Recognizes 25 ISMS document types across Context, Planning, Policy, Check, Act, and Support categories. The review cycle length is configurable (default: 12 months).
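As an added illustration (not the skill's own code), the following Python applies the RAG thresholds above with a configurable cycle length and reports the share of documents still inside the cycle. The document names and dates are constructed, and the cycle length in days is assumed to be `cycle_months * 365 // 12`, so GREEN means younger than half the cycle, AMBER means within the cycle, and RED means past it or missing.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added illustration, not the skill's own code: RAG freshness classification
# of ISMS documents by last-modified date, with a configurable review cycle.
@dataclass
class IsmsDocument:
    name: str
    category: str                  # Context, Planning, Policy, Check, Act, Support
    last_modified: Optional[date]  # None means the document was not found

def rag_status(days_ago: Optional[int], cycle_months: int = 12) -> str:
    """GREEN inside the first half of the cycle, AMBER inside the cycle, RED past it or missing."""
    if days_ago is None:
        return "RED"
    cycle_days = cycle_months * 365 // 12   # assumed month-to-day conversion
    if days_ago < cycle_days // 2:
        return "GREEN"
    return "AMBER" if days_ago <= cycle_days else "RED"

def freshness_scan(docs, today: date, cycle_months: int = 12) -> dict:
    rows, counts = [], {"GREEN": 0, "AMBER": 0, "RED": 0}
    for d in docs:
        days_ago = (today - d.last_modified).days if d.last_modified else None
        status = rag_status(days_ago, cycle_months)
        counts[status] += 1
        rows.append({"document": d.name, "category": d.category,
                     "status": status, "days_ago": days_ago})
    within_cycle = counts["GREEN"] + counts["AMBER"]  # GREEN or AMBER counts as in-cycle
    return {
        "rows": rows,
        "counts": counts,
        "freshness_pct": round(100 * within_cycle / len(rows), 1) if rows else 0.0,
        "overdue": [r["document"] for r in rows if r["status"] == "RED"],
    }

# Constructed sample workspace, scanned as of 2026-03-01
SAMPLE_DOCS = [
    IsmsDocument("ISMS Scope", "Context", date(2024, 12, 15)),
    IsmsDocument("Risk Register", "Planning", date(2025, 6, 1)),
    IsmsDocument("Access Control Policy", "Policy", date(2025, 11, 20)),
    IsmsDocument("Supplier Security Policy", "Policy", None),
    IsmsDocument("Internal Audit Report", "Check", date(2026, 1, 10)),
]

def sample_report(cycle_months: int = 12) -> dict:
    return freshness_scan(SAMPLE_DOCS, date(2026, 3, 1), cycle_months)
```

Shortening the cycle to 6 months moves the 101-day-old Access Control Policy from GREEN to AMBER and the 273-day-old Risk Register to RED, which is the effect of the configurable cycle length.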
organizational_change_classifier
Classifies free-text organizational change descriptions by impact category and ISMS impact level:
| Category | Keywords Detected | Affected Documents | Typical Controls |
|---|---|---|---|
| Personnel | hire, resign, CISO change, team restructure | Org Profile, Access Control, Training | A.6.1, A.6.2, A.6.5, A.6.7 |
| Technology | new system, cloud migration, decommission | Asset Inventory, Risk Assessment, SoA | A.5.9, A.8.1, A.8.8, A.8.9 |
| Process | new process, outsource, automation | ISMS Manual, Policies, Risk Assessment | A.5.1, A.5.37, A.8.32 |
| Facility | office move, new location, closure | ISMS Scope, Physical Security, BCP/DR | A.7.1, A.7.2, A.7.3, A.7.4 |
| Third-Party | new supplier, terminated contract | Supplier Security, Risk Assessment | A.5.19–A.5.23 |
| Regulatory | new regulation, NIS2, DORA, GDPR change | ISMS Scope, IS Policy, SoA | A.5.31–A.5.36 |
Impact levels (High/Medium/Low) are determined by keyword intensity. Each change maps to specific ISMS documents and Annex A controls requiring review.
delta_risk_validator
Validates that delta risk assessment entries contain the fields required for their type:
| Risk Type | Required Fields | Severity if Missing |
|---|---|---|
| New | Threat description | ERROR |
| New | Vulnerability description | ERROR |
| New | Impact assessment | ERROR |
| New | Likelihood rating | ERROR |
| New | Treatment decision | ERROR |
| New | Risk owner (Clause 6.1.2(d)(ii)) | ERROR |
| Changed | Change rationale (what and why) | ERROR |
| Changed | Updated impact or likelihood | WARNING |
| Closed | Closure justification | ERROR |
| All | Annex A control reference | WARNING |
Risks are identified by ID patterns (R-001, RISK-001) and automatically classified as new, changed, or closed based on surrounding context.
capa_reconciliation_engine
Cross-references CAPAs from all audit reports, surveillance findings, and corrective action logs in the workspace:
| Check | Output |
|---|---|
| CAPA status (open/closed/overdue) | Summary counts with closure rate |
| Source tracking | Internal audit, surveillance, incident, CAPA log |
| Overdue detection | Days past target date; escalation list |
| Effectiveness review | Flags closed CAPAs without effectiveness verification |
| Premature effectiveness | Warns if effectiveness review occurred <90 days after implementation |
Produces a reconciliation report with source breakdown, overdue escalation list, and closed-without-effectiveness findings.
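As an added illustration (not the skill's own code), this Python reconciles a constructed set of CAPAs and applies the checks in the table above: status counts and closure rate, overdue detection with days past target, closed CAPAs lacking an effectiveness review, and reviews held less than 90 days after implementation. The CAPA IDs, sources and dates are constructed; the `Capa` record layout is an assumption.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added illustration, not the skill's own code: CAPA reconciliation checks
# (counts, closure rate, overdue, missing and premature effectiveness reviews).
@dataclass
class Capa:                      # assumed record layout for one corrective action
    capa_id: str
    source: str                  # internal audit, surveillance, incident, CAPA log
    status: str                  # "open" or "closed"
    target_date: date
    implemented_on: Optional[date] = None
    effectiveness_reviewed_on: Optional[date] = None

def reconcile(capas, today: date, min_review_gap_days: int = 90) -> dict:
    closed = [c for c in capas if c.status == "closed"]
    open_ = [c for c in capas if c.status == "open"]
    overdue = [(c.capa_id, (today - c.target_date).days)
               for c in open_ if c.target_date < today]
    # Clause 10.2: a closed action still needs its effectiveness verified
    no_effectiveness = [c.capa_id for c in closed if c.effectiveness_reviewed_on is None]
    # A review held too soon after implementation cannot show a sustained effect
    premature = [c.capa_id for c in closed
                 if c.implemented_on and c.effectiveness_reviewed_on
                 and (c.effectiveness_reviewed_on - c.implemented_on).days < min_review_gap_days]
    return {
        "total": len(capas),
        "closed": len(closed),
        "open": len(open_) - len(overdue),      # open and not yet past target
        "overdue": overdue,                      # escalation list with days past due
        "closure_rate_pct": round(100 * len(closed) / len(capas)) if capas else 0,
        "by_source": dict(Counter(c.source for c in capas)),
        "closed_without_effectiveness": no_effectiveness,
        "premature_effectiveness": premature,
    }

# Constructed sample: five CAPAs across three sources, reconciled as of 2026-03-01
SAMPLE_CAPAS = [
    Capa("CAPA-001", "internal audit", "closed", date(2025, 9, 30), date(2025, 9, 15), date(2026, 1, 20)),
    Capa("CAPA-002", "incident", "closed", date(2025, 11, 30), date(2025, 11, 10), date(2025, 12, 5)),
    Capa("CAPA-003", "internal audit", "closed", date(2025, 12, 15), date(2025, 12, 1)),
    Capa("CAPA-004", "CAPA log", "open", date(2026, 1, 13)),
    Capa("CAPA-005", "internal audit", "open", date(2026, 4, 30)),
]

def sample_reconciliation() -> dict:
    return reconcile(SAMPLE_CAPAS, date(2026, 3, 1))
```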
surveillance_readiness_scorer
Evaluates surveillance audit readiness across 10 weighted dimensions:
| Dimension | Weight | Scoring Criteria |
|---|---|---|
| Document Currency | 15% | Policy/procedure files exist, have content, are fresh |
| Risk Assessment Freshness | 12% | Risk register/treatment files exist and are current |
| CAPA Closure Rate | 12% | CAPA/corrective action files show closures |
| Training Records | 8% | Training/awareness documents exist and are current |
| Control Evidence | 12% | SoA/evidence files show implementation status |
| Management Review | 10% | Review minutes exist with decisions and Clause 9.3 content |
| Policy Review | 8% | Policies show review dates and approval |
| Incident Response Testing | 8% | Drill/exercise/tabletop records exist |
| Supplier Review | 7% | Supplier assessment/evaluation records |
| Measurement Program | 8% | Monitoring/KPI/metric files exist |
Each dimension scores 0–100 based on three checks: the file exists (40%), it has relevant content (30%), and it is fresh within 12 months (30%). The overall score is the weighted average of the dimension scores. Dimensions scoring below 70% are flagged with specific remediation actions.
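As an added illustration (not the skill's own code), this Python computes the weighted readiness score from the weights table above using the 40/30/30 split and the 70-point remediation threshold. The evidence snapshot is constructed; representing each dimension's evidence as an (exists, has_content, last_modified) tuple is an assumption, and the example does not derive a READY / CONDITIONALLY READY verdict, whose thresholds the page does not state.

```python
from datetime import date
from typing import Optional

# Added illustration, not the skill's own code: weighted readiness score over the
# ten dimensions (file exists 40 / has content 30 / fresh 30, flag below 70).
WEIGHTS = {  # percent weight per dimension, from the table above
    "Document Currency": 15, "Risk Assessment Freshness": 12, "CAPA Closure Rate": 12,
    "Training Records": 8, "Control Evidence": 12, "Management Review": 10,
    "Policy Review": 8, "Incident Response Testing": 8, "Supplier Review": 7,
    "Measurement Program": 8,
}

def dimension_score(exists: bool, has_content: bool, last_modified: Optional[date],
                    today: date, cycle_days: int = 365) -> int:
    """40 points if the evidence file exists, +30 for relevant content, +30 if fresh."""
    if not exists:
        return 0
    score = 40 + (30 if has_content else 0)
    if last_modified is not None and (today - last_modified).days <= cycle_days:
        score += 30
    return score

def readiness(evidence: dict, today: date, threshold: int = 70) -> dict:
    """evidence maps dimension name -> (exists, has_content, last_modified); assumed layout."""
    scores, statuses = {}, {}
    for dim in WEIGHTS:
        exists, has_content, modified = evidence.get(dim, (False, False, None))
        scores[dim] = dimension_score(exists, has_content, modified, today)
        statuses[dim] = "GREEN" if scores[dim] >= threshold else "RED"
    overall = round(sum(scores[d] * WEIGHTS[d] for d in WEIGHTS) / sum(WEIGHTS.values()))
    return {"overall": overall, "scores": scores, "status": statuses,
            "remediate": [d for d in WEIGHTS if statuses[d] == "RED"]}

# Constructed evidence snapshot as of 2026-03-01
SAMPLE_EVIDENCE = {
    "Document Currency": (True, True, date(2024, 10, 1)),        # content present but stale
    "Risk Assessment Freshness": (True, True, date(2025, 9, 15)),
    "CAPA Closure Rate": (True, False, date(2026, 1, 5)),        # log exists, shows no closures
    "Training Records": (True, True, date(2026, 2, 1)),
    "Control Evidence": (True, True, date(2025, 12, 1)),
    "Management Review": (True, True, date(2025, 11, 10)),
    "Policy Review": (True, False, date(2024, 6, 1)),            # no review dates or approval
    "Incident Response Testing": (False, False, None),           # no drill records at all
    "Supplier Review": (True, True, date(2025, 8, 20)),
    "Measurement Program": (True, True, date(2026, 1, 20)),
}

def sample_readiness() -> dict:
    return readiness(SAMPLE_EVIDENCE, date(2026, 3, 1))
```

Note that a missing file scores 0 rather than losing only the 40 "exists" points, since the content and freshness checks have nothing to evaluate.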
annual_metrics_comparator
Compares 13 ISMS metrics between current and prior year:
| Metric | Direction | Interpretation |
|---|---|---|
| Total risks | Higher is better | More risks = better awareness |
| High/Critical risks | Lower is better | Fewer high risks = improved posture |
| CAPAs raised/closed | Higher is better | More closures = active improvement |
| CAPAs overdue | Lower is better | Fewer overdue = better follow-through |
| Security incidents | Lower is better | Fewer incidents = better controls |
| Training completion % | Higher is better | Better coverage |
| Policy review % | Higher is better | Better governance |
| Audit findings, Major/Minor NCs | Lower is better | Fewer findings = maturing ISMS |
| Controls implemented | Higher is better | Better coverage |
Produces an improvement score (% of metrics that improved) and flags regression areas requiring management attention.
Getting Started
Activate the ISO 27001 ISMS Annual Maintenance & Surveillance Audit Prep skill. This skill is designed for already-certified organizations — it updates existing ISMS documents rather than creating them from scratch. For best results, complete these prerequisite skills during initial certification:
- Organization Profile — provides the organizational context baseline
- Risk Assessment — provides the risk register and treatment plan to update
- Statement of Applicability — provides the control status baseline
- ISMS Internal Audit Report — provides audit findings and CAPAs to reconcile
- Monitoring, Measurement & Evaluation — provides KPI data for year-over-year comparison
- Management Review — provides prior review minutes and action tracker
Have this information ready:
- Your certification cycle position (Year 1 surveillance, Year 2, or recertification)
- Scheduled audit date and certification body name
- Organizational changes since the last audit or review (personnel, technology, process, facility, suppliers, regulatory)
- Prior audit reports with findings and corrective actions
- Previous year’s ISMS metrics (risks, incidents, training rates, audit findings) for comparison
The agent guides you through a 12-step workflow: establish context, scan document freshness, assess organizational changes, check scope validity, perform delta risk assessment, update SoA, review policies, reconcile CAPAs, assemble evidence pack, score readiness, generate health report, and compile management review inputs.