
How to Track ISO 9001 and ISO 27001 Certification Expiry [2026]

ISO 9001 and ISO 27001 run on strict 3-year cycles with annual surveillance audits. Here's how to track every deadline so your certification never lapses.

Lapsewise Team · July 1, 2026 · 11 min read

If you hold ISO 9001 (quality management) or ISO 27001 (information security), you already know what it cost to get certified. According to JumpCloud, initial ISO 9001 certification runs $5,000–$25,000 all-in once you factor in consultant fees, internal time, and audit costs, with annual surveillance audits adding $1,000–$3,000 every year after that.

Letting one lapse is not a minor admin slip. It means restarting the full certification cycle, removing the badge from your website and bid documents, and explaining to customers why you're no longer certified.

This guide shows you which dates to track, how to build a free system that catches every deadline, and where a dedicated tracker fills the gaps a spreadsheet can't.

How ISO management system certifications actually work

Most certificate tracking guides treat every cert the same way: one expiry date, one reminder. ISO management system certs are different.

ISO 9001 and ISO 27001 both run on a 3-year certification cycle:

  • Year 0 - Initial certification audit. You pass, you get certified. The clock starts.
  • Year 1 - Surveillance audit 1. A shorter audit confirming your system is still compliant.
  • Year 2 - Surveillance audit 2. Same check, one year later.
  • Year 3 - Recertification audit. Full audit again. Pass and the 3-year clock resets. Fail or skip, and your certification lapses.

The surveillance audits are not optional extras. Missing one can result in suspension or withdrawal of your certificate, even if the 3-year expiry date on the document hasn't arrived yet.

So there isn't just one date to track. There are at minimum four: the surveillance-1 window, the surveillance-2 window, the recertification date, and the "book by" date for each audit. That last one is the one most trackers don't capture.

Quick tip: Your ISO certificate has a printed expiry date, but the real risk is a missed surveillance audit. Many businesses have found their cert suspended months before the formal expiry date because they skipped year-1 or year-2 surveillance. That's the date to watch first.

The free method: build a working tracker in a spreadsheet

You don't need software to do this properly. Here's a concrete setup.

Step 1: List every ISO certification you hold

One row per standard per site. If you have multiple locations, each site gets its own row. Record: the standard (ISO 9001, ISO 27001, ISO 14001, ISO 45001, etc.), the certification body name, and the certificate number.

Step 2: Record all key milestone dates

For each row, add these columns:

  • Issue date - When the current 3-year cycle started.
  • Surveillance 1 due - Typically 9-15 months after the issue date. Check your certification body's schedule for the exact window.
  • Surveillance 1 book-by - 60-90 days before that audit date. This is when you need to contact the body to confirm the slot, not when the audit happens.
  • Surveillance 2 due - Typically 21-27 months after the issue date.
  • Surveillance 2 book-by - Again, 60-90 days before.
  • Recertification due - Issue date plus 3 years.
  • Recertification book-by - At least 90 days before. For larger scopes, 6 months.

Step 3: Set reminders on a shared calendar

Create calendar events for each book-by date and each audit due date. Put them on a shared team calendar, not a personal one. At least two people should see every reminder.

Recommended schedule per milestone:

  • 90 days before: confirm the audit slot is booked
  • 30 days before: internal readiness review
  • 7 days before: document check and final preparation

Step 4: Attach the certificate PDF

Keep the actual certificate file with the record. Auditors, customers, and procurement teams request proof regularly. Hunting through email when someone asks is avoidable with a named file stored somewhere the team can find it.

Step 5: Record your certification body contact

Add a contact column: name, email, and phone number for your account manager at the cert body. When a book-by date arrives, you know exactly who to reach, not just which website to start searching.

Here's what a working spreadsheet layout looks like:

| Column | Example |
|---|---|
| Standard | ISO 9001:2015 |
| Cert body | Bureau Veritas |
| Cert number | UK12345 |
| Issue date | 2024-03-15 |
| Surv 1 due | 2025-03-15 |
| Surv 1 book-by | 2024-12-15 |
| Surv 2 due | 2026-03-15 |
| Surv 2 book-by | 2025-12-15 |
| Recert due | 2027-03-15 |
| Recert book-by | 2026-12-15 |
| Owner | J. Williams (QM) |
| Cert body contact | sarah@bureauveritas.com |
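
The date columns in Steps 2 and 3 can be derived from the issue date instead of typed by hand. The Python sketch below is an added example, not Lapsewise code; the 12- and 24-month surveillance offsets and the 90-day book-by lead are assumptions chosen to reproduce the sample row, and the function names are hypothetical.

```python
import calendar
from datetime import date, timedelta

# Month offsets from the issue date. 12 and 24 are assumptions matching the
# sample row (the text allows 9-15 and 21-27 months); 36 is the 3-year cycle.
MILESTONES = {"Surv 1": 12, "Surv 2": 24, "Recert": 36}
BOOK_BY_DAYS = 90            # assumption: upper end of the 60-90 day lead time
REMINDER_DAYS = (90, 30, 7)  # reminder schedule from Step 3


def add_months(d, months):
    """Shift a date by whole months, clamping to month end (29 Feb -> 28 Feb)."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def build_schedule(issue_date):
    """Return {column name: date} for every due and book-by column."""
    row = {}
    for name, months in MILESTONES.items():
        due = add_months(issue_date, months)
        row[f"{name} book-by"] = due - timedelta(days=BOOK_BY_DAYS)
        row[f"{name} due"] = due
    return row


def reminders_due(schedule, today):
    """List (column, days_left) for audits that hit a reminder offset today."""
    return [(col, (when - today).days) for col, when in schedule.items()
            if col.endswith(" due") and (when - today).days in REMINDER_DAYS]


def next_deadline(schedule, today):
    """Earliest column not yet past; None once the whole cycle is behind us."""
    upcoming = [(when, col) for col, when in schedule.items() if when >= today]
    return min(upcoming)[::-1] if upcoming else None


if __name__ == "__main__":
    sched = build_schedule(date(2024, 3, 15))  # issue date from the sample row
    for col, when in sched.items():
        print(f"{col:<16}{when}")
    print("next:", next_deadline(sched, date(2025, 1, 1)))
```

Replace the offsets with the exact windows your certification body publishes; `next_deadline` then surfaces the surveillance audit ahead of the printed expiry date.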

Common mistakes that cause ISO certifications to lapse

Most lapses are predictable. These are the ones that come up repeatedly.

Tracking only the certificate expiry, not the surveillance dates. Your certificate might say "expires 2027" while your surveillance audit is due in three months. Miss the surveillance window and the cert can be suspended before it formally expires. The surveillance calendar matters more than the expiry date in most years.

Booking the auditor too late. Accredited certification bodies have limited auditor capacity. Popular slots in Q4 and Q1 fill early. A 60-90 day booking window is the minimum for most bodies - less than that and you risk a date that doesn't fit your internal schedule, which pushes the audit even later.

Single-owner dependency. The quality manager carries all the dates in their head, or in their own calendar. When they leave or take extended leave, the visibility disappears. It's a fragile arrangement even when it works for years without incident.

Assuming the cert body will chase you. Some send reminders. Many don't, or the reminder goes to an email address that's changed since the last audit cycle. Don't build your compliance on an email you might never receive.

Holding multiple standards with offset cycles. Many organisations hold ISO 9001 as a base and add ISO 14001 or ISO 45001 later. Each runs its own 3-year cycle, often starting at different times. Combined audit programmes help but the dates can still be offset by months. A single tracker with one row per standard keeps it clear.

The catch: A shared spreadsheet never sends anyone an email. The reminders you add to your personal calendar today will still be on that personal calendar when you leave. Both are real single-owner risks that look fine until the day they're not.

Track your ISO certifications in Lapsewise. Free to start, no card. Add the cert once, set the surveillance and recertification dates, and get reminded automatically before each deadline.


Where a dedicated tracker adds real value

A purpose-built tool handles the things a spreadsheet can't.

Multiple dates per record. You don't have to split surveillance-1, surveillance-2, and recertification across three rows or three tabs. One certification record holds all the dates, each with its own reminder, so the whole picture is always in one place.

Automatic email reminders fire at 8am in the owner's timezone, at the lead time you configure. Both the cert owner and any team members you add get warned - so one person's absence doesn't mean the reminder is missed.

Document storage on the record. The certificate PDF, the last audit report, and the booking confirmation all live with the certification rather than scattered across email threads and shared drives.

A status view that shows every cert as green, amber, or action-needed at a glance. A compliance check takes seconds rather than requiring someone to open, scan, and interpret a spreadsheet.

Shared team visibility without spreadsheet sharing permissions to manage. Anyone who needs to see the status can.

For the broader approach to certificate tracking across your whole compliance stack, "How to track certificate expiry dates" covers the full method. If you're also tracking contracts, licenses, and insurance alongside your ISO certs, our comparison of spreadsheets vs renewal trackers covers when to make the move. And if you're thinking about this across all the dates your business needs to watch, "9 business dates you should never miss" is a useful starting point.

For certificate-specific tracking, see Lapsewise certificate management software.

Frequently asked questions

How long is an ISO 9001 or ISO 27001 certificate valid? The certification cycle is three years. Within that cycle, you must pass annual surveillance audits in years 1 and 2. If a surveillance audit is missed or failed, the certification body can suspend or withdraw the certificate before the 3-year term ends.

What is the difference between a surveillance audit and a recertification audit? A surveillance audit is a shorter check confirming that your management system is still functioning and compliant. A recertification audit is a full review at the end of the 3-year cycle that resets the clock for another three years. Surveillance audits are less intensive but no less mandatory.

How early should I start the recertification process? Contact your certification body at least 3 months before your recertification date to confirm the audit slot. For larger organisations or multi-site scopes, 6 months is safer. Auditor availability and document preparation both take time.

What happens if my ISO certification lapses? You lose the right to claim certification and must remove the badge from marketing materials, bid documents, and supply-chain registries that require it. Customers and procurement platforms that have listed the cert as a requirement may disqualify you. Re-entering the cycle means a new initial certification audit.

Can I track ISO 9001 and ISO 27001 together in one system? Yes, and it's the cleaner approach. Both run on 3-year cycles but often start at different times. A tracker that holds each standard as a separate record with its own surveillance and recertification dates and its own reminder schedule is much cleaner than juggling separate spreadsheet tabs.


The cost of a lapse - initial recertification typically runs $3,000-$7,000 before internal costs, according to Qualio's analysis - plus the commercial impact on bids and contracts, makes tracking worth doing properly. The spreadsheet method above is genuinely enough to start. When the list of standards or sites grows, or when one person carrying all the dates starts to feel like a risk, a tracker removes the manual work and the single-owner dependency at the same time.

Never let it lapse

Track every certificate, contract, grant, and license in one place. Lapsewise warns you before any renewal or expiry slips. Free to start, no card.
