<!-- Source: screenata.com -->
<!-- Content type: Compliance evidence automation -->
<!-- Frameworks: SOC 2, ISO 27001, HIPAA, CMMC -->

---
title: "How to Automate ISO 27001 Surveillance Audit Evidence: Complete Checklist"
summary: "ISO 27001 surveillance audits require evidence that your ISMS and Annex A controls operated continuously over the past year. This checklist explains exactly what documentation auditors expect and how to automate ISO 27001 evidence collection to avoid the pre-audit scramble."
publishedAt: "2026-04-24"
author: "Screenata Team"
image: "/static/how-to-automate-iso-27001-surveillance-audit-evidence-complete-checklist.jpg"
tags: ["ISO 27001", "Surveillance Audit", "Compliance Automation", "ISMS", "Annex A Controls"]
category: "Compliance"
featured: false
structuredData:
  "@context": "https://schema.org"
  "@type": "FAQPage"
  mainEntity:
    - "@type": "Question"
      name: "What does an ISO 27001 surveillance audit check?"
      acceptedAnswer:
        "@type": "Answer"
        text: "An ISO 27001 surveillance audit checks that your Information Security Management System (ISMS) is still operating effectively after your initial certification. Auditors review mandatory management clauses (like internal audits and management reviews) and a sample of your Annex A controls."
    - "@type": "Question"
      name: "What evidence is required for an ISO 27001 surveillance audit?"
      acceptedAnswer:
        "@type": "Answer"
        text: "Auditors require evidence of continuous operation, including management review minutes, internal audit reports, corrective action logs, risk assessment updates, and implementation evidence (like screenshots and system logs) for sampled Annex A controls."
---

# How to Automate ISO 27001 Surveillance Audit Evidence: Complete Checklist

Maintaining an ISO 27001 certification requires passing annual surveillance audits. These checkups demand concrete evidence that your ISMS is operating correctly and that your Annex A controls remain effective. The problem is that most teams stop collecting screenshots and documentation the day they get their initial certification. When the surveillance audit arrives a year later, they face a massive manual scramble to prove they followed their own policies. 

Automating ISO 27001 evidence collection solves this. By continuously capturing control data throughout the year, automation ensures your documentation is always audit-ready. This guide covers exactly what auditors look for during a surveillance audit and how to automate the collection process.

## What Does an ISO 27001 Surveillance Audit Actually Check?

A surveillance audit is not a full re-certification. It is a sampling exercise designed to confirm that your Information Security Management System (ISMS) is actively maintained and improving. 

Auditors focus on two main areas during a surveillance audit. First, they review the mandatory ISMS management clauses to ensure the governance structure is functioning. Second, they select a subset of the Annex A controls from your Statement of Applicability (SoA) to verify technical and operational compliance. 

If you passed your initial Stage 2 audit, the auditor already agreed that your ISMS design is acceptable. The surveillance audit is purely about proving continuous operation.

### Year 1 vs. Year 2 Surveillance Audits

Your certification cycle lasts three years. After the initial certification audit, you will undergo two surveillance audits before a full recertification in Year 3.

| Audit Type | Focus Area | Evidence Expectation |
| :--- | :--- | :--- |
| **Year 1 Surveillance** | Core ISMS clauses + roughly 30-40% of Annex A controls. | Proof that the ISMS did not stagnate after the initial certification push. Heavy focus on corrective actions from the Stage 2 audit. |
| **Year 2 Surveillance** | Core ISMS clauses + a different 30-40% of Annex A controls. | Proof of continual improvement. Focus shifts to controls not tested in Year 1, plus any areas where the business has significantly changed. |

## The ISO 27001 Surveillance Audit Evidence Checklist

To pass a surveillance audit, you need to provide documentation covering the mandatory management clauses and the specific Annex A controls the auditor selects for testing.

### 1. Mandatory ISMS Evidence (Required Every Year)

Auditors will check these items every single time they visit. If you are missing these, you will likely receive a major nonconformity.

*   **Internal Audit Report (Clause 9.2):** Evidence that you conducted an internal audit of your ISMS prior to the surveillance audit. This must include the audit schedule, the findings, and the final report.
*   **Management Review Minutes (Clause 9.3):** Documentation proving that executive leadership reviewed the ISMS. The minutes must explicitly cover the required inputs and outputs listed in the ISO 27001 standard, such as feedback from interested parties and changes in external issues.
*   **Nonconformity and Corrective Action Logs (Clause 10.1):** A tracker showing how you handled security incidents, audit findings, and policy breaches over the past year. Auditors want to see that you identified root causes and implemented fixes.
*   **Risk Assessment Updates (Clause 8.2):** Evidence that you reviewed and updated your risk register. If your company launched a new product or changed cloud providers, those risks need to be documented here.
*   **Information Security Objectives (Clause 6.2):** Data showing your progress toward the security goals you set for the year.

### 2. Annex A Control Evidence (Sampled)

The auditor will select a sample of controls from your SoA to test. While the exact selection varies, certain high-risk controls are almost always reviewed.

*   **Access Control (A.5.15):** Auditors expect screenshots of periodic user access reviews. They will pick a sample of recent new hires and terminations to verify that access was granted and revoked according to policy.
*   **Configuration Management (A.8.9):** Documentation showing how you manage and track changes to your IT infrastructure and applications.
*   **Change Management (A.8.32):** Evidence correlating code deployments to approved tickets. You need to show that changes were tested and authorized before hitting production.
*   **Supplier Relationships (A.5.22):** Vendor security reviews for any new critical suppliers onboarded since the last audit.
*   **Information Security Incident Management (A.5.24):** If you had a security incident, you need the post-mortem report. If you did not have an incident, you need evidence that you tested your incident response plan.
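As an added example that is not code from the original page or from Screenata, the script below shows how the A.5.15 joiner/leaver check described above can run continuously rather than as a pre-audit exercise: it reconciles an HR hire/termination feed against a directory export, applies a revocation SLA, and wraps the outcome in a timestamped, hashed record that can be filed as evidence. The employee names, dates, the `iam-team` reviewer label and the one-day SLA are all constructed assumptions.

```python
"""Joiner/leaver access review reconciliation for ISO 27001 A.5.15 evidence.

Added example; not code from the original page or from Screenata.
All names, dates and the SLA value below are constructed for illustration.
"""
from datetime import date, datetime, timezone
import hashlib
import json

# Constructed HR feed: who joined and who left, with effective dates.
HR_EVENTS = [
    {"employee": "alice", "event": "hire", "date": "2026-01-12"},
    {"employee": "bob", "event": "termination", "date": "2026-02-03"},
    {"employee": "carol", "event": "termination", "date": "2026-02-20"},
    {"employee": "dave", "event": "hire", "date": "2026-03-02"},
]

# Constructed directory export (e.g. from an internal admin panel): when each
# account was created and, if applicable, when it was disabled.
DIRECTORY = {
    "alice": {"created": "2026-01-12", "disabled": None},
    "bob": {"created": "2024-06-01", "disabled": "2026-02-04"},   # revoked next day
    "carol": {"created": "2023-09-15", "disabled": None},          # still active after leaving
    "dave": {"created": "2026-02-25", "disabled": None},           # created before start date
}

# Assumed policy: leavers disabled within 1 day; joiners not provisioned before start date.
REVOCATION_SLA_DAYS = 1


def _parse(d):
    return date.fromisoformat(d)


def review_access(hr_events, directory, sla_days=REVOCATION_SLA_DAYS):
    """Check every HR event against the directory and return one result per event."""
    results = []
    for ev in hr_events:
        acct = directory.get(ev["employee"])
        when = _parse(ev["date"])
        if acct is None:
            results.append({**ev, "status": "FAIL", "reason": "no directory account found"})
            continue
        if ev["event"] == "termination":
            if acct["disabled"] is None:
                results.append({**ev, "status": "FAIL", "reason": "account still enabled"})
            elif (_parse(acct["disabled"]) - when).days > sla_days:
                results.append({**ev, "status": "FAIL", "reason": "revoked after SLA"})
            else:
                results.append({**ev, "status": "PASS", "reason": "revoked within SLA"})
        elif ev["event"] == "hire":
            if _parse(acct["created"]) < when:
                results.append({**ev, "status": "FAIL", "reason": "provisioned before start date"})
            else:
                results.append({**ev, "status": "PASS", "reason": "provisioned on/after start date"})
        else:
            results.append({**ev, "status": "FAIL", "reason": f"unknown event {ev['event']}"})
    return results


def build_evidence_record(results, control="A.5.15", reviewer="iam-team", now=None):
    """Wrap the results in a timestamped record with a content hash (tamper evidence)."""
    now = now or datetime.now(timezone.utc)
    record = {
        "control": control,
        "reviewed_at": now.isoformat(),
        "reviewer": reviewer,
        "sample_size": len(results),
        "failures": sum(1 for r in results if r["status"] == "FAIL"),
        "results": results,
    }
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    record["sha256"] = hashlib.sha256(canonical).hexdigest()
    return record


if __name__ == "__main__":
    # Run the quarterly (or scheduled) review and emit the evidence record as JSON.
    rec = build_evidence_record(review_access(HR_EVENTS, DIRECTORY))
    print(json.dumps(rec, indent=2))
```

Scheduling this against live exports turns the review into a recurring control output: each run yields a record whose failures (here `carol`, still enabled after leaving, and `dave`, provisioned before his start date) become corrective-action items, and the hash lets an auditor confirm the filed record was not altered after the fact.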

## What ISO 27001 Evidence Cannot Be Automated with GRC Tools

Many teams purchase a GRC platform expecting it to handle the entire surveillance audit. They quickly discover a gap between what the tool monitors and what the auditor requests.

GRC tools are built on API integrations. They are highly effective at checking cloud infrastructure configurations. They can verify that your AWS S3 buckets are encrypted, that your endpoints have an MDM agent installed, and that your GitHub repositories require pull request reviews.

But ISO 27001 is a process-heavy standard. APIs cannot capture application-level UI visibility or manual process documentation. 

When the auditor asks for proof that you conducted a quarterly access review for your proprietary internal admin panel, a GRC tool cannot help you. When the auditor wants to see the specific error message a user gets when they fail MFA on a legacy system, an API check is useless. GRC platforms track the status of your policies, but they leave the manual evidence collection for application-level controls entirely up to you.

This is why teams using traditional compliance software still spend weeks taking screenshots before a surveillance audit.

## Automating Continuous Evidence Collection

The most effective way to prepare for a surveillance audit is to eliminate the concept of "audit prep" entirely. Instead of treating evidence collection as an annual project, you can automate it to run continuously.

Screenata approaches this by acting as an automated compliance practitioner. Instead of just pinging APIs, it captures the actual visual evidence auditors expect. During normal operations, it records workflows, captures screenshots of access panels, and formats the data into PDF evidence packs mapped directly to your ISO 27001 Annex A controls.

If your policy requires a quarterly access review, the system automatically captures the state of your user directories and formats the review documentation. When the surveillance audit arrives, you don't have to spend a week hunting down logs from ten months ago. The evidence was collected, timestamped, and filed at the exact moment the control operated.

Surveillance audits exist to prove that your security practices are a permanent part of your operations. Automating the evidence collection process proves exactly that, turning a stressful annual scramble into a routine data export.

## Learn More About ISO 27001 Certification Evidence Automation

For a complete look at moving from manual screenshots to continuous compliance, see our guide on [how to automate ISO 27001 evidence collection](/resources/blog/how-to-automate-iso-27001-evidence-collection-in-2026), including how to map Annex A controls to automated workflows.

For more on this topic, see [How to Automate ISO 27001 A.5 Organizational Controls Evidence with Screenshots](/resources/blog/how-to-automate-iso-27001-a5-organizational-controls-evidence-with-screenshots).

For more on this topic, see [How to Automate ISO 27001 Annex A.8 Evidence Collection with Screenshots](/resources/blog/how-to-automate-iso-27001-annex-a8-evidence-collection-with-screenshots).