ISO 27001 · Guide
How Long Does ISO 27001 Certification Last?
An accredited ISO 27001 certificate is valid for three years from issue — provided you pass a surveillance audit in each of the first two years and complete a recertification audit before the expiry date. This guide walks the full cycle: what each audit checks, what ends a certificate early, and the timing traps that catch teams out.
Who issues what matters: certificates come from accredited certification bodies. Consultancies like Tranquility Cybersecurity prepare and coordinate the work — but the certificate, and the three-year clock, always belong to the CB.
Plain-English guide · Accredited-cycle rules · Last reviewed July 2026
An ISO 27001 certificate is valid for three years — but only if you keep earning it. Certification bodies run surveillance audits in years one and two, and a full recertification audit before the three-year mark. Miss or fail those, and the certificate can be suspended or withdrawn early. The three-year term is not a commercial choice by individual certification bodies: it is the standard cycle under the accreditation rules (ISO/IEC 17021-1) that govern how accredited CBs operate, which is why the pattern looks the same whichever accredited body issues your certificate. What varies is execution — when the audits land, how the sampling is planned, and how firmly deadlines are enforced. If you are still working toward the initial Stage 1 and Stage 2 audits, this page shows what the commitment looks like after the certificate arrives — because certification is less a finish line than a subscription your ISMS renews by staying in operation.
The Cycle
Three Years, Step by Step
Every accredited certificate follows the same anatomy. The dates shift with your audit calendar, but the sequence does not:
- Initial certification — a Stage 1 audit (documentation and readiness) followed by a Stage 2 audit (implementation and effectiveness). Pass both and the certification body issues a certificate with a three-year term.
- First surveillance audit — around the twelve-month mark. A lighter-touch visit confirming the ISMS is still operating, with a sample of clauses and controls plus a set of mandatory checks.
- Second surveillance audit — around the twenty-four-month mark. Same format, usually a different sample, so that most of the system gets touched at least once across the cycle.
- Recertification audit — in year three, scheduled so that the audit and the closure of any findings complete before the expiry date printed on the certificate.
- New certificate, new cycle — a successful recertification resets the three-year clock, and the pattern of two surveillance audits plus a recertification repeats for as long as you stay certified.
Worked example: a certificate issued on 15 March 2026 typically expires 14 March 2029. The first surveillance audit lands around March 2027, the second around March 2028, and the recertification audit should be booked for late 2028 — early enough that the audit, any corrective actions, and the certification decision all land before the March 2029 expiry. Surveillance audits are anchored to the certification date, so a delayed first audit does not push the expiry date back; it just compresses everything that follows.
One timing rule is worth knowing by name: under the accreditation requirements, the first surveillance audit must take place within twelve months of the certification decision — it is not a courtesy visit the certification body can wave through or postpone indefinitely. That is also why the certificate is issued by a decision, not by the audit itself: the auditor recommends, a separate reviewer inside the certification body decides, and the same decision step applies again at each recertification.
Audit Depth
What Surveillance Checks — and Recertification Re-Examines
A surveillance audit is deliberately not a repeat of Stage 2. The auditor works from a sampling plan — a rotating selection of clauses and Annex A controls chosen so that, across the two surveillance visits, most of the system gets examined at least once. A few items, however, are checked every single time: the internal audit programme, management review, how nonconformities and corrective actions have been handled, changes to the ISMS and its scope, progress against objectives, and your use of the certification mark and claims about certified status. Complaints from customers about the certified system are also fair game at every visit.
Recertification, by contrast, is a fuller re-examination. The auditor reviews the whole management system against every clause of the standard, looks at performance and effectiveness across the entire three-year cycle — incident trends, internal audit results, whether objectives were met — and re-confirms that the certified scope still matches what the organization actually does. In depth it sits close to the original Stage 2, though a separate Stage 1 is normally unnecessary unless the system or its scope has changed significantly.
The practical implication: the organizations that sail through surveillance are the ones that actually run the ISMS between visits — internal audits on schedule, management reviews held and minuted, risk assessments updated when the business changes, corrective actions closed rather than parked. Surveillance verifies operation over time. Paperwork created the week before the auditor arrives reads exactly like what it is.
Early Endings
How a Certificate Can End Before Year Three
The expiry date is a ceiling, not a guarantee. Certification bodies can — and do — suspend or withdraw certificates mid-cycle. The usual triggers:
- Unresolved major nonconformities — a major finding raised at surveillance or recertification that is not corrected within the deadline the certification body sets.
- Refusing or repeatedly deferring surveillance audits — no surveillance, no certificate. Accreditation rules do not let a certification body keep a certificate alive without conducting the audits behind it.
- Misusing the certification mark — claiming certification for services, locations, or products outside the certified scope, or using the mark and certificate in misleading ways, and not correcting it when challenged.
- Major scope failures — the certified system stops operating in practice: key processes dismantled, the ISMS abandoned, or the organization no longer able to demonstrate the scope it certified.
Suspension is a formal state, not a warning letter: while suspended, the certification is temporarily invalid and you cannot present yourself as certified. The certification body sets a deadline to resolve the underlying issue. Fix it in time — usually evidenced through a follow-up or special audit — and the certificate is reinstated for the remainder of its cycle. Miss the deadline and the certificate is withdrawn, at which point there is no reinstatement path: the route back is a fresh initial certification, Stage 1 and Stage 2 included.
There is also a middle path: scope reduction. If one part of the certified scope persistently fails the requirements — a product line, a location, a service — the certification body can carve that part out of the certificate rather than suspend the whole thing. The certificate survives, but narrower. For anyone relying on the certificate, this is precisely why the scope statement deserves a careful read: a certificate can be entirely valid and still no longer cover the thing you buy.
Timing
The Traps: Expiry, Lapses & Transfers
The most expensive misunderstanding in the whole cycle: recertification must complete before the expiry date — audit conducted, any major findings closed, certification decision made — not merely begin. Audit calendars fill up, findings take time to remediate, and decisions pass through a review step inside the certification body. Start the recertification process three to six months before expiry and none of this is drama; start it in the final weeks and you are gambling the certificate on scheduling luck.
If the certificate does expire, there is no grace period in which it quietly keeps working. An expired certificate is simply not valid: continuity is broken, the “certified since” date that reassures customers resets, and the way back is a new initial certification — Stage 1 and Stage 2 again, with the lead times that implies, and a gap in coverage that due-diligence questionnaires will notice.
One thing that does not break the cycle: changing certification bodies. Accredited transfer rules let a new accredited CB take over a valid certificate mid-cycle after a transfer review — confirming the certificate is genuine, in force, and free of unresolved major nonconformities. The new body honours the existing cycle and expiry dates, so switching does not restart the clock. It is not, however, an escape hatch: a suspended certificate, or one weighed down by open majors, is generally not transferable until the problems are resolved.
Standard Versions
When the Standard Itself Changes
A certificate is issued against a specific edition of the standard, and when a new edition is published, a coordinated transition window applies across accredited certification bodies. The recent example: certificates against ISO/IEC 27001:2013 had to migrate to the 2022 edition by 31 October 2025. That deadline has passed — every valid accredited certificate today is against ISO/IEC 27001:2022, and a certificate still citing 2013 has lapsed no matter what its printed expiry date says.
In practice, transitions are folded into the cycle rather than bolted on: most organizations migrate at a scheduled surveillance or recertification audit inside the window, with the auditor adding time to verify the new and changed requirements. The lesson for the next edition is the same as for this one — transition early in the window, when auditor capacity is plentiful, rather than in the final months when everyone else is booking the same audits.
Buyer’s Angle
How to Read a Certificate Before You Rely on It
Certificates arrive attached to RFP responses and vendor questionnaires, and most reviewers glance at the logo and move on. Five checks take two minutes and catch nearly everything:
- Issue and expiry dates — is today inside the three-year window? A certificate close to expiry is a fair prompt to ask where the recertification audit stands.
- The scope statement — does it actually cover the services, locations, and systems you are buying? Narrow scopes are the most common surprise hiding on an otherwise valid certificate.
- The accreditation mark — an accredited certificate carries the accreditation body’s mark alongside the certification body’s own. Unaccredited certificates exist, and they carry far less weight.
- The certification body’s register — most certification bodies publish an online directory of the certificates they have issued. Verify the status is current — not suspended or withdrawn — rather than trusting the PDF.
- The standard edition — a valid certificate today reads ISO/IEC 27001:2022. A certificate still citing the 2013 edition has lapsed regardless of the expiry date printed on it.
The same checklist, read from the other side, is a maintenance plan. Tranquility Cybersecurity has delivered 500+ audits preparing organizations for exactly these checkpoints — building the ISMS, running the readiness work, and coordinating surveillance and recertification with accredited certification bodies. The certificate itself always comes from the CB; keeping it valid for the full three years, cycle after cycle, is the part you can engineer. If you are earlier in the journey, start with who needs ISO 27001 and the certification guide.
Certificate Validity — Common Questions
How long certificates last, what surveillance involves, and what breaks the three-year cycle.
How long is an ISO 27001 certificate valid?
Three years from the date of issue, conditional on maintaining certification through the cycle: a surveillance audit around year one, another around year two, and a recertification audit completed before the expiry date. The three-year cycle is set by the accreditation rules (ISO/IEC 17021-1) that govern accredited certification bodies, so it is the same whichever accredited CB issues the certificate.
What happens in surveillance audits?
A lighter-touch audit, typically annual, that confirms the ISMS is still operating. The auditor samples a rotating selection of clauses and Annex A controls, and always checks a mandatory core: the internal audit programme, management review, handling of nonconformities and corrective actions, changes to the system and scope, and your use of the certification mark. It is shorter than the original Stage 2 but can still raise findings.
What if we fail a surveillance audit?
Findings are graded. Minor nonconformities need a corrective-action plan, verified at the next audit. Major nonconformities come with a deadline from the certification body — correct them in time (usually evidenced through follow-up review or a special audit) and the certificate continues. Left unresolved, a major leads to suspension, and continued failure to resolve it leads to withdrawal of the certificate.
Can a certificate expire early?
Yes. A certification body can suspend a certificate for unresolved major nonconformities, refusal or repeated deferral of surveillance audits, misuse of the certification mark, or a certified system that has effectively stopped operating. Suspension comes with a deadline: fix the issue and the certificate is reinstated; miss it and the certificate is withdrawn before its printed expiry date.
What does recertification involve?
A fuller re-examination near the end of the cycle: the whole management system against every clause of the standard, effectiveness over the full three years (audit results, incidents, objectives), and confirmation that the certified scope still matches reality. It must complete — findings closed, decision made — before the expiry date, and a successful recertification issues a new certificate for a new three-year cycle. Plan for it to start three to six months before expiry.
Can we switch certification bodies mid-cycle?
Yes. Accredited transfer rules allow a new accredited certification body to take over a valid certificate after a transfer review — checking the certificate is genuine, in force, and free of unresolved major nonconformities. The new body honours the existing cycle and expiry dates, so the three-year clock does not restart. Suspended certificates or those with open majors generally cannot transfer until the issues are resolved.
Related reading: the ISO 27001 hub, the step-by-step certification guide, who needs ISO 27001, the ISO 27001:2022 requirements, and what an ISMS is. More terms — including Surveillance Audit — in the compliance glossary.