⏱︎ January 26th, 2026 | Fred Stewart
Click here to view all articles
You’re certified… what now? Well, the work doesn’t end there.
The moment the champagne is finished, your “Management System” officially shifts from a project to a lifestyle. Maintaining certification is about proving that your processes aren’t just written on paper but are alive and kicking in your daily operations.
The ISO Certification Cycle
ISO certificates need to be maintained, otherwise they won’t last. They (usually) operate on a three-year rolling cycle managed by your Certification Body. Each year, an audit occurs to monitor your adherence to the applicable ISO standard(s):
Year 1: Surveillance Audit 1. Typically, 12 months after your initial certification.
Year 2: Surveillance Audit 2. Another “check-up” to ensure everything is running properly.
Year 3: Recertification Audit. A full-system review to issue a brand-new 3-year certificate.
What’s the Difference Between Surveillance and Recertification?
A Surveillance Audit as a bit like a health check. The auditor won’t look at every single clause of the standard. Instead, they focus on core areas like management reviews, internal audits, and how you’ve handled any non-conformities from the previous year. It’s shorter and designed to ensure the system hasn’t been totally abandoned.
A Recertification Audit is much more rigorous, being almost as intensive as your original Stage 2 audit. During the recert, the auditor will look at the entire scope of your management system to verify that it is still effective and has improved over the last three years, and they will drill into not only your system documents (e.g., policy, objectives, context log) but your day-to-day, nitty-gritty operational records and other supporting, or ‘retained,’ documents.
While the processes post-certification are largely the same, certain areas of your focus change depending on which standard you hold.
For ISO 9001, for example, the auditor will look for evidence that you are actually using Customer Feedback to drive change. If you have 100% positive feedback but no process improvements, they might suspect you aren’t digging deep enough.
For ISO 14001, a post-certification focus for 14001 is your Aspects and Impacts Register. If you’ve introduced a new machine, a new chemical, or even a new waste stream, the auditor will expect to see that your register has been updated to reflect these changes. This is something we discussed recently in a separate article, where organizational growth can increase your environmental impact, posing the risk that the organization ‘sleepwalks’ into environmental nonconformance (e.g., going above the discharge threshold outlined by a permit).
And for ISO 45001, worker participation is key. A common nonconformity after 45001 certification is a drop in Consultation and Participation. Auditors will interview non-managerial staff during surveillance visits. They want to hear from the people on the shop floor or in the field, asking: “Were you involved in the latest risk assessment?” or “How do you report a near-miss?”
How to be Audit-Ready
It’s common that we see clients attempting to get their ISO management system compliant within the final month – or sometimes the final week – before an external audit. Don’t wait for Audit Week. Instead, keep things maintained bit-by-bit. It may help to spread your internal audits across the year. If you leave the management of your ISO compliance to the last week before the external auditor arrives, it will show… and you’ll have a whopping headache.
Also, don’t feel you need to cover up nonconformities picked up throughout the year. Auditors actually like seeing that you’ve found and fixed your own mistakes. It proves the system works.
Watch the 2026 Revisions: Both ISO 9001 and ISO 14001 are currently undergoing revisions (expected in late 2025/2026). Keep an eye on “Climate Action” amendments, which are now being integrated into all management system standards.
You’ve done the hard work getting yourself certified. Make it count by keeping yourself maintained.
We have helped organizations of all types, sizes and ambitions with ISO compliance – we can help you, too. Click the button below for an instant quotation. Alternatively, you can get in touch with us by using our contact form.