The correct answer is during the first and second years of certification, making option B correct. According to ISO/IEC 17021-1, ISO/IEC 27006, and standard certification cycle rules, ISO/IEC 27001 certification follows a three-year certification cycle. After the initial certification audit, the organization is subject to periodic surveillance audits to ensure continued conformity of the ISMS.
Surveillance audits are typically conducted annually during the first and second years following certification. Their purpose is to verify that the ISMS remains effective, that corrective actions are maintained, and that the organization continues to comply with ISO/IEC 27001 requirements. These audits are less extensive than the initial certification audit but still cover critical ISMS elements, changes, incidents, and improvement activities.
Option A is incorrect because surveillance audits are mandatory and scheduled by the certification body, not optional or request-based. Option C is incorrect because five years exceeds the standard three-year certification cycle; in the third year a recertification audit, not a surveillance audit, is conducted.
Therefore, surveillance audits are normally conducted during the first and second years after certification, confirming option B as correct.