
How to Successfully Maintain your ISO Certification

Good news! You’ve achieved certification to an ISO standard, whether it’s for quality, information security, environmental management or perhaps another standard. It’s taken a while and it’s been hard work, but now it’s all over. Or is it?

After the initial excitement has faded, chances are you’ll be surprised at how quickly the first surveillance audit comes around. Will it be a case of having to create lots of missing information in a panic the day before, or will it be a shrug of the shoulders and a cool “let them come”? The choice is yours.

Here we take a look at five main principles of maintaining your ISO management system so that you remain audit-ready at all times.


Principle 1 – Streamline

If you’ve just achieved certification, chances are that your ISO management system is relatively new. As such, it’s likely to be a little rough around the edges, partly because of the need to put so many processes, procedures, reviews etc. in place in a short space of time, and partly because ISO management systems are new to you and your understanding of how they work is still developing.

Because of this, there is probably scope for streamlining your management system, including doing the following:

  • Making processes and procedures more efficient; removing unneeded steps and stopping collecting information that’s not used or isn’t helpful.
  • Merging documentation together, to create a more focused set that is appropriate to the various audiences involved.
  • Reviewing your objectives and monitoring activities – does each metric carry its weight in terms of helping the management system achieve its goal? Could a smaller set of metrics do the job just as well but take less time to collect?
  • Going through your risk assessment to pull out those risks that are duplicates, or are so unlikely as to not deserve your attention.
  • Pushing some tasks that are still being done by a central ISO management system function out into the business where they belong; for example, are you still delivering awareness training, and could it not be done by HR with the appropriate coaching?

Principle 2 – Automate

Once you’ve removed those parts of your management system that aren’t needed, it’s time to look at how you can automate as many of the remaining aspects of it as possible. There are lots of tools available today that can perform tasks that were previously manual (for example sending emails), and in so doing improve not only the timeliness but also the accuracy of them. Look at each of your processes and procedures and ask yourself whether they can be fully or partially automated, perhaps using systems and cloud tools that you already use for other things. For example, can your document management review process be entered into a system that tracks versions and flags when a document is scheduled for review?

It’s not just systems that can be used to automate aspects of your management system; some could be candidates for outsourcing where you pay a third party for a service that saves you time and adds more knowledge to your management system. This could be relevant to keeping up to date with legal changes or keeping on top of your internal audits.

Principle 3 – Schedule

For those aspects that you can’t streamline or automate, the next option is to schedule them so that they don’t get forgotten. This could involve putting dates in calendars for infrequent tasks such as annual management reviews, risk assessments and the internal audit programme. For more frequent tasks, a structure of regular meetings (with minutes of course) with set agendas may be helpful to ensure that you keep on top of things. Once your week, month, quarter and year are planned out, it becomes a case of following the schedule, rather than worrying about remembering what needs to be done.

Principle 4 – Adopt the Culture

One of the key ideas of an ISO management system is that it should be embedded within your organization, so that it’s not a separate entity, but “the way we do things here”. This partly comes down to awareness training for pretty much everyone, supplemented by more detailed training for people involved in specific processes or procedures.

This comes to the fore when changes happen such as moves or reorganisations; either the management system parts are retrofitted after the event (not good) or they happen naturally with everything else in the project (much better).

Principle 5 – Think Evidence

If you want to ace your surveillance audits every time, then you must have something to show the auditor. This is another area where it pays to be proactive because if you did something six months ago, your chances of recreating evidence of it are slim. Get into the habit of keeping records at the time and encourage everyone else to do the same.

Last Words

Surveillance audits shouldn’t be stressful; they should be a welcome check that you haven’t missed anything and a boost to improving your management system still further. If you’re finding your heart rate is increasing weeks before the audit date, then try some of these tips to smooth the journey and keep everything on track to maintain your ISO certification.


Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).

How can CertiKit help you Maintain your ISO Certification?

CertiKit’s ISO Toolkits and ISO Services are available to help you first certify to your chosen standard(s), and then maintain your ISO certification long term. The toolkits come with a perpetual licence with ongoing updates and support, so you’ve got help whenever you need it.

Click the links to find out more about the ISO Toolkits and ISO Services.
