# ISO 27001 ISMS Annual Maintenance & Surveillance Audit Prep

> Prepare for annual ISO 27001 surveillance audits by reviewing and updating existing ISMS documents. Scans documents for freshness, assesses organizational changes, performs delta risk re-assessment, updates SoA, reconciles CAPAs from prior audits, assembles surveillance audit evidence pack, scores audit readiness across 10 dimensions, and produces a year-over-year ISMS health report. Designed for certified organizations maintaining their ISMS between recertification cycles.



Tags: ISO 27001, ISMS, Annual Review, Surveillance Audit, Maintenance, PDCA, GRC, Compliance


## Example Prompts

- Prepare for our ISO 27001 Year 1 surveillance audit
- Scan our ISMS documents for annual review freshness
- Reconcile open CAPAs from our last internal audit and surveillance findings
- Score our surveillance audit readiness
- Generate an annual ISMS health report with year-over-year metrics
- Update our risk assessment and SoA for organizational changes this year

URL: https://rakenne.app/skills/iso27001-annual-maintenance/index.md

Try this skill: https://rakenne.app/a/?skill=iso27001-annual-maintenance



## Overview

Prepare for annual ISO 27001 surveillance audits by reviewing and updating existing ISMS documents. Unlike the initial certification skills that create documents from scratch, this skill reviews existing artifacts, identifies what changed, and prepares evidence for the audit.

Surveillance audits sample a subset of clauses and Annex A controls each year. By Year 3 (recertification), the full ISMS must have been audited. This skill ensures audit-readiness throughout the 3-year certification cycle.

For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the [**ISO 27001 ISMS workspace tutorial**](/learn/tutorials/iso27001-isms-workspace-guide/).

### What It Covers

- **Document freshness scanning** — identifies ISMS documents overdue for review with Green/Amber/Red status based on last-modified dates
- **Organizational change assessment** — classifies changes (personnel, technology, process, facility, third-party, regulatory) by ISMS impact level and maps to affected documents and controls
- **Delta risk re-assessment** — updates the risk register for new, changed, and closed risks without re-doing the full assessment
- **SoA annual update** — reviews control implementation status, evidence references, and inclusion/exclusion justifications
- **CAPA reconciliation** — cross-references CAPAs from internal audits, surveillance findings, and incident reports; validates closure and effectiveness
- **Surveillance audit evidence pack** — assembles control-by-control evidence indexed by clause and Annex A reference
- **Readiness scoring** — evaluates 10 weighted dimensions to produce an overall readiness score (0–100)
- **Year-over-year health report** — compares ISMS metrics against prior year baseline to demonstrate continual improvement

### Output Documents

| Document | Purpose |
|----------|---------|
| ISMS Health Check Report | Document freshness scan, organizational changes, scope validity |
| Delta Risk Assessment | New/changed/closed risks with updated treatments |
| Risk Treatment Plan Update | Updated treatment decisions per Clause 6.1.3(e) |
| SoA Annual Update | Control status changes, evidence updates, inclusion/exclusion justifications |
| CAPA Reconciliation Report | Closure status, effectiveness validation, NC trend analysis |
| Surveillance Audit Evidence Pack | Evidence index organized by clause and control |
| Surveillance Audit Readiness Checklist | 10-dimension readiness assessment with RAG status |
| ISMS Annual Health Report | Year-over-year metrics, PDCA summary, executive overview |

## Example Conversation

> **You:** We need to prepare for our Year 1 surveillance audit. We were certified 11 months ago. Our CISO resigned in January, we migrated to AWS, and we opened a new office in Berlin.
>
> **Agent:** I'll help you prepare for the Year 1 surveillance audit. Let me start by scanning your ISMS documents for freshness, then we'll assess how those organizational changes affect your ISMS.
>
> Running `document_freshness_scanner`...
>
> **ISMS Document Freshness Scan — 18 documents found:**
>
> | Document | Category | Status | Days Ago |
> |----------|----------|--------|----------|
> | Organization Profile | Context | RED | 340 |
> | ISMS Scope | Context | RED | 335 |
> | Risk Assessment / Register | Planning | AMBER | 280 |
> | IS Policy / ISMS Manual | Policy | RED | 330 |
> | Access Control | Policy | AMBER | 210 |
> | Supplier Security | Policy | GREEN | 95 |
> | Internal Audit | Check | GREEN | 45 |
> | Management Review | Act | GREEN | 60 |
>
> **Freshness: 61% within review cycle** — 5 GREEN, 4 AMBER, 9 RED
>
> 9 documents are overdue for review. Now let me classify your organizational changes...
>
> Running `organizational_change_classifier`...
>
> **Changes classified — 1 High, 2 Medium impact:**
>
> | # | Change | Category | Impact | Affected Documents |
> |---|--------|----------|--------|-------------------|
> | 1 | CISO resigned | Personnel | High | Organization Profile, ISMS Roles, Access Control, Training Records |
> | 2 | AWS migration | Technology | Medium | Asset Inventory, Risk Assessment, SoA, Change Management, BCP/DR |
> | 3 | Berlin office opened | Facility | Medium | ISMS Scope, Physical Security, Asset Inventory, BCP/DR |
>
> **Critical**: The CISO resignation is a High-impact change. Controls A.6.1, A.6.2, A.6.5, A.5.2, and A.5.4 need verification. Has a replacement been appointed?
>
> **You:** Yes, we promoted our Security Manager to CISO in February. We also have 3 open CAPAs from the certification audit and 2 from the last internal audit.
>
> **Agent:** Good. Let me reconcile all CAPAs across the workspace...
>
> Running `capa_reconciliation_engine`...
>
> **CAPA Reconciliation — 5 CAPAs found across 3 files:**
>
> | Status | Count |
> |--------|-------|
> | Closed / Completed | 3 |
> | Open / In progress | 1 |
> | **Overdue** | **1** |
> | Closed without effectiveness review | 1 |
> | **Closure rate** | **60%** |
>
> **Overdue**: CAPA-003 (from certification audit) — "Implement network segmentation" — 47 days past due. This needs escalation — auditors will specifically check closure of prior findings.
>
> **Warning**: NC-002 was closed but has no effectiveness review. Clause 10.2 requires verifying corrective actions are effective. Schedule an effectiveness review before the audit.
>
> Shall I continue with the delta risk assessment for the AWS migration and Berlin office?
>
> **You:** Yes, and then score our overall readiness.
>
> **Agent:** I'll draft the delta risk assessment, then run the readiness scorer...
>
> Running `surveillance_readiness_scorer`...
>
> **Surveillance Audit Readiness: 62/100 — CONDITIONALLY READY**
>
> | Dimension | Score | Status |
> |-----------|-------|--------|
> | Document Currency | 40 | RED |
> | Risk Assessment Freshness | 70 | GREEN |
> | CAPA Closure Rate | 40 | RED |
> | Training Records | 70 | GREEN |
> | Control Evidence | 100 | GREEN |
> | Management Review | 100 | GREEN |
> | Policy Review | 40 | RED |
> | Incident Response Testing | 70 | GREEN |
> | Supplier Review | 70 | GREEN |
> | Measurement Program | 70 | GREEN |
>
> **3 dimensions need remediation before the audit:**
> 1. **Document Currency** — 9 documents overdue. Update or endorse each with "reviewed, no changes"
> 2. **CAPA Closure Rate** — 60% is below acceptable. Close CAPA-003 and schedule NC-002 effectiveness review
> 3. **Policy Review** — IS Policy hasn't been reviewed in 11 months. Review and endorse
>
> I'll generate all output documents now with specific remediation actions for each RED dimension.

## Sample Output Excerpt

Below is a representative excerpt from the generated ISMS Annual Health Report showing the year-over-year metrics comparison and PDCA cycle summary.

---

### Year-over-Year Metrics Comparison

| Metric | Prior Year (2024-2025) | Current Year (2025-2026) | Delta | Trend |
|--------|----------------------|------------------------|-------|-------|
| Total risks in register | 28 | 32 | +4 | Improved (better awareness) |
| High/Critical risks | 5 | 3 | -2 | Improved |
| CAPAs raised | 7 | 5 | -2 | Improved |
| CAPAs closed | 5 | 3 | -2 | Stable |
| CAPAs overdue | 2 | 1 | -1 | Improved |
| Security incidents | 4 | 2 | -2 | Improved |
| Training completion % | 85% | 92% | +7% | Improved |
| Policy review completion % | 70% | 88% | +18% | Improved |
| Internal audit findings | 8 | 5 | -3 | Improved |
| Major NCs | 1 | 0 | -1 | Improved |
| Minor NCs | 3 | 2 | -1 | Improved |
| Controls implemented | 78 | 82 | +4 | Improved |

**Improvement score**: 83% of metrics improved year-over-year

### PDCA Cycle Summary

#### Plan
- Updated risk register with 4 new risks from AWS migration and Berlin office expansion
- Revised ISMS scope to include Berlin location and AWS infrastructure
- Set IS objectives for 2026: zero major incidents, 95% training completion, full CAPA closure

#### Do
- Completed AWS migration with security controls (A.8.1, A.8.9, A.8.25)
- Deployed MFA for all remote access (A.8.5)
- Implemented physical security controls at Berlin office (A.7.1, A.7.2)
- Appointed new CISO; updated ISMS roles and responsibilities

#### Check
- Conducted internal audit covering Clauses 4-7 and Annex A.5-A.6 controls
- Completed management review with all Clause 9.3 inputs addressed
- Monitored 12 KPIs — 10 met target, 2 improving but below threshold
- Surveillance readiness score: 62/100 (conditionally ready)

#### Act
- Closed 3 of 5 CAPAs from prior audits
- Initiated corrective action for training completion gap (automated platform procurement)
- Escalated overdue network segmentation CAPA to CTO
- Identified 3 continual improvement initiatives for next cycle

### Surveillance Readiness

| Dimension | Score |
|-----------|-------|
| Overall readiness | 62/100 |
| Document currency | 61% |
| CAPA closure rate | 60% |
| Policy review completion | 88% |

- **Next audit date**: 2026-04-15
- **Certification body**: BSI
- **Assessment**: Conditionally ready — address 3 RED dimensions before audit


## Extension Tools

### `document_freshness_scanner`

Scans the workspace for ISMS documents and reports their review freshness using a RAG status based on last-modified dates:

| Status | Criteria (12-month cycle) | Action |
|--------|--------------------------|--------|
| GREEN | Modified <6 months ago | Current — no action needed |
| AMBER | Modified 6–12 months ago | Review recommended — schedule soon |
| RED | Modified >12 months ago or missing | Overdue — update or endorse as current |

Recognizes 25 ISMS document types across Context, Planning, Policy, Check, Act, and Support categories. The review cycle length is configurable (default: 12 months).

### `organizational_change_classifier`

Classifies free-text organizational change descriptions by impact category and ISMS impact level:

| Category | Keywords Detected | Affected Documents | Typical Controls |
|----------|------------------|-------------------|-----------------|
| Personnel | hire, resign, CISO change, team restructure | Org Profile, Access Control, Training | A.6.1, A.6.2, A.6.5, A.6.7 |
| Technology | new system, cloud migration, decommission | Asset Inventory, Risk Assessment, SoA | A.5.9, A.8.1, A.8.8, A.8.9 |
| Process | new process, outsource, automation | ISMS Manual, Policies, Risk Assessment | A.5.1, A.5.37, A.8.32 |
| Facility | office move, new location, closure | ISMS Scope, Physical Security, BCP/DR | A.7.1, A.7.2, A.7.3, A.7.4 |
| Third-Party | new supplier, terminated contract | Supplier Security, Risk Assessment | A.5.19–A.5.23 |
| Regulatory | new regulation, NIS2, DORA, GDPR change | ISMS Scope, IS Policy, SoA | A.5.31–A.5.36 |

Impact levels (High/Medium/Low) are determined by keyword intensity. Each change maps to specific ISMS documents and Annex A controls requiring review.

### `delta_risk_validator`

Validates that each delta risk assessment entry carries the fields required for its type (new, changed, or closed):

| Risk Type | Required Fields | Severity if Missing |
|-----------|----------------|:-------------------:|
| **New** | Threat description | ERROR |
| **New** | Vulnerability description | ERROR |
| **New** | Impact assessment | ERROR |
| **New** | Likelihood rating | ERROR |
| **New** | Treatment decision | ERROR |
| **New** | Risk owner (Clause 6.1.2(d)(ii)) | ERROR |
| **Changed** | Change rationale (what and why) | ERROR |
| **Changed** | Updated impact or likelihood | WARNING |
| **Closed** | Closure justification | ERROR |
| **All** | Annex A control reference | WARNING |

Risks are identified by ID patterns (R-001, RISK-001) and automatically classified as new, changed, or closed based on surrounding context.

### `capa_reconciliation_engine`

Cross-references CAPAs from all audit reports, surveillance findings, and corrective action logs in the workspace:

| Check | Output |
|-------|--------|
| CAPA status (open/closed/overdue) | Summary counts with closure rate |
| Source tracking | Internal audit, surveillance, incident, CAPA log |
| Overdue detection | Days past target date; escalation list |
| Effectiveness review | Flags closed CAPAs without effectiveness verification |
| Premature effectiveness | Warns if effectiveness review occurred <90 days after implementation |

Produces a reconciliation report with source breakdown, overdue escalation list, and closed-without-effectiveness findings.
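An added example, not the skill's own code, of the reconciliation checks listed above: status counts and closure rate, overdue days for escalation, closed CAPAs with no effectiveness review, and reviews held sooner than 90 days after implementation. The record layout, the `TODAY` date and the five CAPA records are constructed assumptions.

```python
from datetime import date

TODAY = date(2026, 3, 1)  # constructed reconciliation date

# Constructed CAPA records as the engine would collect them from audit reports
# and the CAPA log; None means the date was never recorded.
CAPAS = [
    {"id": "CAPA-001", "source": "certification audit", "status": "closed",
     "target": date(2025, 9, 30), "implemented": date(2025, 9, 1),
     "effectiveness_review": date(2026, 1, 10)},
    {"id": "CAPA-002", "source": "certification audit", "status": "closed",
     "target": date(2025, 11, 30), "implemented": date(2025, 11, 12),
     "effectiveness_review": None},                      # closed, never verified
    {"id": "CAPA-003", "source": "certification audit", "status": "open",
     "target": date(2026, 1, 13), "implemented": None,
     "effectiveness_review": None},                      # past its target date
    {"id": "IA-001", "source": "internal audit", "status": "closed",
     "target": date(2025, 12, 31), "implemented": date(2025, 12, 15),
     "effectiveness_review": date(2026, 1, 20)},         # reviewed after 36 days
    {"id": "IA-002", "source": "internal audit", "status": "open",
     "target": date(2026, 4, 30), "implemented": None,
     "effectiveness_review": None},
]

def reconcile(capas, today, min_review_gap_days=90):
    """Status counts, closure rate, overdue escalation list (longest overdue
    first), closed CAPAs lacking an effectiveness review, and reviews held
    sooner than min_review_gap_days after implementation."""
    counts = {"closed": 0, "open": 0, "overdue": 0}
    sources, overdue, unverified, premature = {}, [], [], []
    for c in capas:
        sources[c["source"]] = sources.get(c["source"], 0) + 1
        if c["status"] == "closed":
            counts["closed"] += 1
            review, done = c["effectiveness_review"], c["implemented"]
            if review is None:
                unverified.append(c["id"])
            elif done is not None and (review - done).days < min_review_gap_days:
                premature.append(c["id"])
        elif c["target"] is not None and today > c["target"]:
            counts["overdue"] += 1
            overdue.append((c["id"], (today - c["target"]).days))
        else:
            counts["open"] += 1
    overdue.sort(key=lambda item: item[1], reverse=True)
    rate = round(100 * counts["closed"] / len(capas)) if capas else 0
    return {"counts": counts, "closure_rate": rate, "sources": sources,
            "overdue": overdue, "closed_without_effectiveness": unverified,
            "premature_effectiveness": premature}
```

`reconcile(CAPAS, TODAY)` reports a 60% closure rate, CAPA-003 at 47 days overdue, CAPA-002 closed without verification and IA-001 reviewed too early.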

### `surveillance_readiness_scorer`

Evaluates surveillance audit readiness across 10 weighted dimensions:

| Dimension | Weight | Scoring Criteria |
|-----------|--------|-----------------|
| Document Currency | 15% | Policy/procedure files exist, have content, are fresh |
| Risk Assessment Freshness | 12% | Risk register/treatment files exist and are current |
| CAPA Closure Rate | 12% | CAPA/corrective action files show closures |
| Training Records | 8% | Training/awareness documents exist and are current |
| Control Evidence | 12% | SoA/evidence files show implementation status |
| Management Review | 10% | Review minutes exist with decisions and Clause 9.3 content |
| Policy Review | 8% | Policies show review dates and approval |
| Incident Response Testing | 8% | Drill/exercise/tabletop records exist |
| Supplier Review | 7% | Supplier assessment/evaluation records |
| Measurement Program | 8% | Monitoring/KPI/metric files exist |

Each dimension scores 0–100 based on three checks: the file exists (40%), it has relevant content (30%), and it is fresh within 12 months (30%). The overall score is the weighted average of the dimension scores. Dimensions below 70% are flagged with specific remediation actions.
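An added example, not the skill's own code, that implements the `document_freshness_scanner` RAG rule and the readiness formula above together, since the freshness check is one of the three scoring components. The 30.44-day mean month, the `TODAY` date and the per-dimension workspace states are constructed assumptions; the weights are the ones in the table.

```python
from datetime import date

def freshness_status(last_modified, today, cycle_months=12):
    """RAG status for one document: GREEN under half a cycle, AMBER up to a
    full cycle, RED beyond the cycle or when no last-modified date exists."""
    if last_modified is None:
        return "RED"
    months_ago = (today - last_modified).days / 30.44  # mean month length
    if months_ago < cycle_months / 2:
        return "GREEN"
    return "AMBER" if months_ago <= cycle_months else "RED"

# Dimension weights as listed in the readiness scorer table (they sum to 100).
WEIGHTS = {
    "Document Currency": 15, "Risk Assessment Freshness": 12,
    "CAPA Closure Rate": 12, "Training Records": 8, "Control Evidence": 12,
    "Management Review": 10, "Policy Review": 8,
    "Incident Response Testing": 8, "Supplier Review": 7,
    "Measurement Program": 8,
}

def dimension_score(exists, has_content, last_modified, today):
    """0-100: file exists (40) + relevant content (30) + fresh within 12 months (30).
    A missing file cannot earn the content or freshness points."""
    if not exists:
        return 0
    score = 40 + (30 if has_content else 0)
    if freshness_status(last_modified, today, cycle_months=12) != "RED":
        score += 30
    return score

def readiness(evidence, today, threshold=70):
    """Weighted overall score, per-dimension scores and the dimensions
    falling below the remediation threshold."""
    scores = {d: dimension_score(*evidence[d], today) for d in WEIGHTS}
    overall = sum(scores[d] * w for d, w in WEIGHTS.items()) / sum(WEIGHTS.values())
    flagged = [d for d, s in scores.items() if s < threshold]
    return round(overall, 1), scores, flagged

# Constructed workspace state: (file exists, has relevant content, last modified).
TODAY = date(2026, 3, 1)
SAMPLE = {
    "Document Currency": (True, True, date(2024, 12, 10)),   # stale policies
    "Risk Assessment Freshness": (True, True, date(2025, 6, 1)),
    "CAPA Closure Rate": (True, False, date(2026, 1, 15)),    # log exists, no closures
    "Training Records": (True, True, date(2025, 11, 3)),
    "Control Evidence": (True, True, date(2025, 10, 1)),
    "Management Review": (True, True, date(2026, 1, 20)),
    "Policy Review": (True, True, date(2025, 2, 14)),         # just over 12 months
    "Incident Response Testing": (False, False, None),        # no drill records
    "Supplier Review": (True, True, date(2025, 12, 1)),
    "Measurement Program": (True, True, date(2025, 8, 5)),
}
```

`readiness(SAMPLE, TODAY)` yields 81.5 overall and flags only Incident Response Testing; the two stale documents score 70, which is at the threshold rather than below it.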

### `annual_metrics_comparator`

Compares 13 ISMS metrics between current and prior year:

| Metric | Direction | Interpretation |
|--------|-----------|---------------|
| Total risks | Higher is better | More risks = better awareness |
| High/Critical risks | Lower is better | Fewer high risks = improved posture |
| CAPAs raised/closed | Higher is better | More closures = active improvement |
| CAPAs overdue | Lower is better | Fewer overdue = better follow-through |
| Security incidents | Lower is better | Fewer incidents = better controls |
| Training completion % | Higher is better | Better coverage |
| Policy review % | Higher is better | Better governance |
| Audit findings, Major/Minor NCs | Lower is better | Fewer findings = maturing ISMS |
| Controls implemented | Higher is better | Better coverage |

Produces an improvement score (% of metrics that improved) and flags regression areas requiring management attention.

## Getting Started

Activate the *ISO 27001 ISMS Annual Maintenance & Surveillance Audit Prep* skill. This skill is designed for **already-certified organizations** — it updates existing ISMS documents rather than creating them from scratch. For best results, complete these prerequisite skills during initial certification:

1. **Organization Profile** — provides the organizational context baseline
2. **Risk Assessment** — provides the risk register and treatment plan to update
3. **Statement of Applicability** — provides the control status baseline
4. **ISMS Internal Audit Report** — provides audit findings and CAPAs to reconcile
5. **Monitoring, Measurement & Evaluation** — provides KPI data for year-over-year comparison
6. **Management Review** — provides prior review minutes and action tracker

Have this information ready:

- Your certification cycle position (Year 1 surveillance, Year 2, or recertification)
- Scheduled audit date and certification body name
- Organizational changes since the last audit or review (personnel, technology, process, facility, suppliers, regulatory)
- Prior audit reports with findings and corrective actions
- Previous year's ISMS metrics (risks, incidents, training rates, audit findings) for comparison

The agent guides you through a 12-step workflow: establish context, scan document freshness, assess organizational changes, check scope validity, perform delta risk assessment, update SoA, review policies, reconcile CAPAs, assemble evidence pack, score readiness, generate health report, and compile management review inputs.



---

Back to [Skill Library](https://rakenne.app/skills/index.md)
