ISO certification is a milestone — not a conclusion. The work that follows is more demanding than the work that preceded it.
The moment an ISO 37001 or ISO 37301 certificate is issued is a meaningful moment. The gap analysis has been completed, the management system has been built, the internal audits have been conducted, the management reviews have been held, and an independent third-party auditor has verified that what has been built meets the standard's requirements. The organisation has earned the right to make a claim that very few organisations in its market can make.
And then the surveillance cycle begins.
ISO management system certificates are not permanent. They are valid for three years, subject to annual surveillance audits in which the certification body verifies that the management system continues to conform to the standard's requirements and that the organisation is making progress on any findings from the previous audit. At the end of the three-year cycle, a recertification audit — effectively a repeat of the original stage two audit — is required to renew the certificate.
The organisations that experience the greatest difficulty with the surveillance and recertification cycle are the ones that treated certification as a destination — that made the investments necessary to achieve the certificate and then allowed the management system to drift back toward its pre-certification state. The auditor who returns for the first surveillance audit a year after certification and finds that the management review has not been conducted, the internal audit has not been completed, and the risk assessment has not been updated is not merely noting administrative lapses. They are documenting the decay of the management system that the certificate represents.
The four processes that keep a certified management system alive.
The management review is the highest-level governance mechanism of the management system — the process by which top management evaluates the system's performance, assesses its continued suitability and effectiveness, and makes decisions about changes needed. ISO 37001 and ISO 37301 both require management reviews at planned intervals, with specific inputs and outputs that must be documented. The management review is not a compliance update to the executive team. It is a formal, structured evaluation of the management system's performance against defined criteria, with documented outcomes and action assignments.
The internal audit programme is the mechanism through which the organisation independently verifies that its management system is functioning as designed — that the processes that exist on paper are the processes that operate in practice. Internal audits must be planned, must cover the full scope of the management system over an appropriate cycle, must be conducted by persons independent of the activities being audited, and must produce documented findings that are tracked through to resolution. A management system that has not been internally audited since the last surveillance audit has not been maintained — it has been left to run without verification.
Corrective action management is the process by which nonconformities — gaps between what the management system requires and what it delivers — are identified, analysed for root cause, addressed through specific actions, and verified to have been resolved. Every surveillance audit will produce findings. The organisation that manages those findings rigorously — that treats each one as an opportunity to understand why the system fell short and to build something more robust — is the organisation whose management system genuinely improves over time. The one that closes findings administratively, without addressing root cause, is the one whose findings recur.
Continuous improvement is the overarching obligation that the standards impose on certified organisations — and the one that is most frequently understood narrowly. Improvement is not limited to addressing audit findings. It includes acting on the results of the management review, on the output of the internal audit programme, on the findings of the compliance monitoring process, on the analysis of incidents and near-misses, on changes in the external risk environment, and on the periodic reassessment of whether the management system's design remains adequate for the risks it is designed to manage.
The practical test of whether a certified management system is being maintained — rather than merely preserved — is whether anything has changed in it since the last audit. Not everything needs to change: a stable risk environment may not require fundamental redesign. But a management system that looks identical to what the auditor saw twelve months ago, in an organisation and a market that have not stood still, has probably not been actively managed. The surveillance auditor will be asking implicitly: what has this organisation learned about its compliance programme in the past year, and what has it done about it?
The longer you hold it, the more it means.
The value of ISO 37001 or ISO 37301 certification is not static. An organisation that has held its certification for five years, through multiple surveillance and recertification cycles, has demonstrated something qualitatively different from an organisation that certified last year. It has demonstrated sustained commitment — that the investment in the management system was not a one-time commercial decision but an ongoing operational discipline that has survived changes in personnel, in leadership, in market conditions, and in the audit team's scrutiny.
In procurement decisions, in regulatory assessments, in client due diligence processes, and in the conversations that organisations have with their most sophisticated stakeholders about their compliance programmes, sustained certification carries weight that initial certification cannot. The organisation that can point to a five-year certification history is making a different claim from the one that is presenting its first certificate — and the difference is visible to anyone who understands what maintaining a certified management system actually requires.
For an advisory firm like Compliance House — which holds both ISO 37001 and ISO 37301 certifications and holds itself to the same standards it asks of its clients — the maintenance of those certifications is not primarily a commercial decision. It is the most concrete expression available of a philosophy: that compliance is a living practice, that the programme that was built yesterday must be challenged and improved today, and that the only compliance commitment worth making is one that can be verified by someone other than the organisation making it.
This article reflects the compliance advisory perspective of Compliance House and is intended for informational purposes. It does not constitute legal advice. ISO standards are subject to periodic revision. Organisations seeking certification guidance should consult a qualified ISO management system specialist and their chosen certification body.