ISO 27001 isn't a project. It's an operating posture.

Most certifications quietly decay between audits. We share the controls that survive contact with reality and the ones that don't — and what actually maintaining ISO 27001 requires.

ISO 27001 compliance and information security operations

We have been engaged on three ISO 27001 implementations in the last 18 months at East African firms that were already certified. In each case, the gap between the ISMS on paper and the ISMS in practice was significant enough that the certification was providing false assurance rather than genuine security improvement.

This is not a criticism of the certification itself — ISO 27001 is a rigorous and well-structured standard. It is a description of what happens when organisations treat certification as a destination rather than a discipline. You pass the audit, you frame the certificate, and you stop. Twelve months later, the controls have drifted. Eighteen months later, the gaps are material. The audit will find some of this — but not all of it, and not in time.

The decay pattern

ISO 27001 decay follows a recognisable pattern. The controls that survive best between audits are the ones with hard technical enforcement: firewall rule reviews (because the firewall exists and logs), patch management (because unpatched systems cause incidents that are hard to ignore), and access provisioning for new starters (because HR has a process and IT is in the loop).

The controls that decay fastest are the ones that depend on human discipline without a technical backstop: asset register maintenance (nobody updates it when someone buys a new laptop), supplier security reviews (scheduled annually, consistently de-prioritised), and access deprovisioningfor leavers (which requires coordination between HR, IT, and line managers that breaks down within months of go-live).

The third category — risk treatment plan maintenance — decays in a different way. The plan exists, it is updated for the audit, and then it sits unchanged for the next 11 months. By the time the next audit arrives, the residual risk ratings are stale, two new risks (a new cloud provider, a new product line) have not been assessed, and the treatment plan reflects last year's threat landscape, not this year's.

3
Control categories that decay fastest
12mo
Typical time before material gaps emerge
1
Named owner required per control to prevent decay

The controls that hold

Across the implementations and reviews we have run, five control areas consistently maintain their effectiveness between audits when they are properly structured from the start.

  • Patch management with automated enforcement. When patching is a scheduled job with a dashboard and an escalation path, it runs. When it depends on someone remembering, it doesn't.
  • Privileged access review with a named owner. Quarterly access reviews work when a specific person is accountable for running them and their completion is tracked. They fail when they're everyone's responsibility and therefore no one's.
  • Incident logging with a low reporting threshold. Organisations that define "incident" narrowly get under-reporting. Define it broadly (including near-misses, phishing attempts that didn't succeed, and customer data questions that required a policy check) and you get a rich dataset that actually informs the risk register.
  • Security awareness training with completion tracking. Annual training with a completion dashboard and a manager escalation path for non-completers has a very different outcome than annual training sent by email with no follow-up.
  • Supplier security questionnaires on contract renewal. Tying the supplier review to contract renewal, rather than a calendar date, means it actually happens — because procurement is already in the room.
On the ISMS manager role

ISO 27001 requires a management representative for the ISMS. In practice, this role is often given to someone who already has a full-time job and treats ISMS maintenance as a quarterly task before audit season. An ISMS that is genuinely maintained requires someone for whom it is a primary, not secondary, responsibility — or a structured external support arrangement that fills the gap.

Surveillance audits are not the safety net you think they are

A common assumption is that the annual surveillance audit will catch significant decay. This is only partly true. Auditors sample — they cannot review every control instance. A well-prepared organisation can pass a surveillance audit with material gaps in its day-to-day practice. The surveillance audit is a necessary check, but it is not a substitute for internal monitoring.

The organisations that maintain genuine ISMS effectiveness run quarterly internal reviews of control performance — not to prepare for audits, but to catch drift before it becomes a gap. These reviews are short (two hours, not two days), structured around the controls with the highest decay risk, and produce a short action list with named owners and deadlines. The audit then becomes a confirmation of what you already know, not a discovery exercise.

When to recertify vs. reset

One question we're asked increasingly is whether a certification that has drifted significantly should be recertified (going through the full audit process fresh) or reset (doing the internal remediation work before the next surveillance). The answer depends on how material the drift is and how long until the next audit.

If the gap between the certified ISMS and the actual ISMS is large enough that you would not be comfortable disclosing it to a customer who is relying on your certification — which is a test we recommend applying explicitly — then the honest answer is a reset. Fix the gaps, document what happened, and go into the next audit with an accurate picture. Auditors can tell the difference between a well-maintained ISMS that has had some issues and a poorly-maintained ISMS that has been polished for the audit. The former is recoverable; the latter tends to produce conditions on certification or, in some cases, a failed audit.

Drawn from ISO 27001 implementation, surveillance support, and gap assessment work across Kenya, Uganda, and Tanzania, 2022–2026.

Read next

More from our team

ISO 27001 certified but not confident?

We run ISMS gap assessments and maintenance programmes — structured to keep your certification genuine between audits, not just during them.