The certification cycle under ISO 27001 spans three years. In the first year, the certification audit (Stage 1 + Stage 2) takes place. In the following two years, the certification body conducts surveillance audits to verify continued ISMS operation. After three years, a re-certification audit is due. In your ISMS, you plan this cycle in advance so that resources and internal audits are prepared on time. The certification cycle provides a reliable rhythm for continuous improvement.