How to Maintain ISO 27001 Certification Without a Dedicated Compliance Team
ISO 27001 certification is a three-year commitment with annual surveillance audits in years one and two and a recertification audit in year three. Many organisations achieve initial certification with significant external support and then discover in the months following that maintaining the programme is harder than obtaining it. Without a dedicated compliance person, the programme drifts. Controls that were current at certification become stale. Evidence collection falls behind. By the time the surveillance audit arrives, there is a scramble to reconstruct what should have been maintained continuously.
This is a common situation and it is solvable without a full-time compliance hire. The solution is not to simplify the programme. It is to design the maintenance process so that it distributes the work across the organisation in manageable increments rather than accumulating it into an annual panic.
Assign Ownership, Not Responsibility
The most important structural decision in a maintenance programme without a dedicated team is assigning control ownership to specific individuals rather than to roles or functions. A control owned by "the IT team" will not be maintained. A control owned by a named individual who understands that they are accountable for keeping evidence current will be maintained more reliably. Control ownership should be documented in your Statement of Applicability or control register, and it should be reviewed whenever a relevant staff member changes role or leaves the organisation.
Ownership without understanding does not work. Control owners need to know what they own, what the control requires, what evidence is expected, and how often the evidence needs to be refreshed. A one-page control owner brief that answers those four questions for each control takes time to produce once and reduces the ongoing effort needed to keep each owner engaged. When we help organisations set up maintenance programmes, the control owner brief is the document that has the most practical impact on programme sustainability.
Build a Maintenance Calendar Around Your Audit Cycle
ISO 27001 maintenance activities have natural cadences. Some things need to happen annually: risk assessment review, internal audit, management review, supplier review, user access review, and asset inventory update. Some things happen on a shorter cycle: vulnerability scanning, patch compliance checks, log reviews, and access provisioning and deprovisioning. A maintenance calendar that maps each required activity to a frequency and assigns an owner makes the programme visible and creates accountability without requiring a dedicated compliance function to chase everything.
The calendar should be tied to real organisational events rather than abstract compliance deadlines. If your organisation has a standard performance review cycle, attach the access review to it. If you have a quarterly board meeting, attach the security dashboard report to it. If you have a budget cycle in the second half of the year, schedule the risk assessment review to feed into it. Compliance activities that are integrated into existing organisational rhythms get done. Compliance activities that exist only in a compliance calendar get deprioritised.
Design Evidence Collection to Be Low-Effort
The highest-friction part of maintaining an ISO 27001 programme without dedicated staff is evidence collection. When every piece of evidence requires a manual effort by a busy control owner, the programme will slip. Where possible, evidence collection should be automated or built into existing workflows. If your vulnerability scanner runs weekly and sends a report to an email address, route that report to a shared compliance folder. If your access provisioning system generates a log of changes, set up a monthly export to the evidence library. If your patch management system produces a compliance dashboard, schedule a monthly screenshot to be saved automatically.
Not all evidence can be automated, but the goal is to reduce the manual effort required from control owners to the minimum necessary. For the evidence that must be collected manually, build the collection step into a recurring calendar event for the control owner rather than relying on them to remember. A fifteen-minute monthly calendar block to collect and upload three pieces of evidence is manageable for most people. An ad hoc request for twelve months of evidence two weeks before a surveillance audit is not.
Use Internal Audits Strategically
The internal audit requirement in ISO 27001 is often treated as a compliance checkbox. It should be treated as the programme's quality control mechanism. A well-run internal audit cycle, even without a dedicated compliance team, identifies control gaps before the external auditor does and gives the organisation time to remediate. The internal audit does not have to be conducted by a single person reviewing everything at once. It can be spread across the year as a series of focused reviews, each covering a subset of controls.
If your organisation does not have internal staff with audit capability, the internal audit function can be sourced externally. An external practitioner conducting your internal audit is not a conflict of interest as long as they are not also conducting the external certification audit. Using external support for internal audits is a practical solution for growth-stage organisations and is common in Australian ISO 27001 programmes. The output is a documented internal audit report that demonstrates the programme is being assessed internally, which is what the standard requires. To discuss building an ISO 27001 maintenance programme that fits your organisation's capacity, contact Cyberlinx at info@cyberlinx.com.au.
Related Articles







