How is ISO 27001 maintained and renewed (recertification)?

ISO 27001 certification is not a one-time achievement. A certificate is valid for three years, but it remains valid only if the organization keeps its Information Security Management System (ISMS) operating effectively and passes scheduled audits throughout that cycle. Maintenance and renewal happen on a fixed three-year rhythm.

The three-year certification cycle

| Stage | When | What happens |
| --- | --- | --- |
| Initial certification | Year 0 | Stage 1 (documentation readiness review) and Stage 2 (implementation audit) lead to the certificate being issued. |
| 1st surveillance audit | ~12 months after certification | The certification body verifies the ISMS is still operating, reviews changes, and checks corrective actions. Scope is narrower than a full audit. |
| 2nd surveillance audit | ~24 months after certification | A second annual check confirming continued conformity and improvement. |
| Recertification audit | Before the 3-year expiry | A full reassessment of the entire ISMS, comparable in depth to the original Stage 2, that renews the certificate for another three years. |

Ongoing maintenance activities (continuous, not just at audit time)

To stay certified between audits, an organization must demonstrate that the ISMS lives in day-to-day operations. Core recurring activities include:

  • Internal audits, at least annually, covering the full ISMS over the cycle.
  • Management reviews, where leadership formally reviews ISMS performance, objectives, and resources.
  • Risk assessment and treatment, where risks are reassessed when assets, threats, or the business change. The Statement of Applicability (SoA) is kept current.
  • Continual improvement, where nonconformities are logged, corrective actions tracked to closure, and lessons fed back in.
  • Monitoring and measurement, where controls (e.g., access reviews, incident handling, security awareness training) are evidenced on an ongoing basis.
  • Documentation upkeep, so policies, records, and evidence stay version-controlled and audit-ready.

Note on the current standard: the active version is ISO/IEC 27001:2022. Organizations certified under the older 2013 version were required to transition by 31 October 2025, so new and renewing certifications now follow the 2022 control set (93 Annex A controls).

How Kertos supports maintenance and recertification

Kertos treats compliance as a continuous outcome rather than a one-off project, which maps directly to the ISO 27001 maintenance cycle. Kertos combines an agentic compliance platform (KAIA) with accredited in-house experts who work alongside your team:

  • Always-audit-ready evidence: the platform continuously collects and maps control evidence, so surveillance and recertification audits don't trigger a last-minute scramble.
  • Automated risk and SoA management: risk assessments, treatment plans, and the Statement of Applicability stay live and updated as your environment changes.
  • Scheduled internal audits and management reviews: Kertos structures and tracks the recurring tasks the standard requires, with reminders and ownership built in.
  • Expert-led audit support: Kertos experts (including external CISO mandates) prepare you for surveillance and recertification audits and sit alongside you through them.

This model reflects Kertos's track record: a 100% audit pass rate, roughly 80% less manual compliance effort, and customers like AskUI reaching ISO 27001 certification in 2.5 months, then staying certified through the maintenance cycle without rebuilding their evidence base each year.
