The Problem Nobody Warns You About Before Certification

You completed the gap analysis. You wrote the policies. You collected the evidence and passed the audit. The ISO 27001 certificate or PCI-DSS Level 2 attestation is framed on the wall.

Then everyone went back to their normal jobs.

A year later, with the surveillance audit approaching, the team realizes: nobody has been collecting evidence consistently. Several policy review deadlines passed quietly. Vendor assessments have expired. Evidence is scattered across Google Drive folders, email threads, and Excel files, some created by people who have since left the company.

This is not an edge case. It's the most common pattern after a first certification achieved through traditional consulting.


Why the Certification Sprint Doesn't Prepare You for Ongoing Operations

Consultants are scoped to the audit, not the year that follows

A compliance consultant's job is to get you through the audit. They build the document set, help your team implement controls, and guide you to a passing result.

After the engagement ends, you own everything. Without a dedicated tool in place, operations default back to spreadsheets and email.

Certifications are point-in-time; audits require continuous evidence

The ISO 27001 surveillance audit, which happens annually after initial certification, doesn't just ask "are you compliant?" It asks "have you been compliant consistently for the past 12 months?"

PCI-DSS QSA reviews are the same. Auditors want to see continuous evidence across the full year, not a snapshot from the week before the audit.

If evidence hasn't been collected systematically since the last audit, you won't have enough to show.

Compliance is usually a part-time responsibility

At most companies, including many that have achieved ISO 27001 or PCI-DSS, there's no dedicated CISO or compliance officer. It's typically a CTO, senior engineer, or IT manager who owns compliance alongside their primary role.

Without tools that automate the routine work, compliance operations get deprioritized until an audit is imminent.


The Most Common Pain Points in Compliance Maintenance

Evidence is everywhere except where you need it

Compliance evidence doesn't naturally consolidate itself. It lives in:

  • AWS CloudTrail logs in an S3 bucket nobody checks regularly
  • Access review confirmations buried in a manager's inbox
  • Vulnerability scan reports in the security engineer's folder
  • Vendor contracts in the legal team's Drive
  • Training completion records in the HR system

When an auditor asks for twelve months of user access reviews, you're hunting across all of those places.

Real cost: Most teams spend two to four weeks preparing for each surveillance audit. This is work that can be almost entirely eliminated.

Policy review deadlines get missed

ISO 27001 requires periodic review and update of all ISMS policies. In practice:

  • Nobody tracks which policy is due for review when
  • Policy ownership changes as people change roles, but the records don't always follow
  • Reviews happen in a rush the week before the audit, not on the actual schedule

A policy reviewed three months late isn't necessarily a major risk, but it's a finding in a surveillance audit. Accumulated findings can threaten certification renewal.

No shared view of overall compliance status

The simple question "where are we with ISO 27001 right now?" often doesn't have a quick answer without a platform.

  • Security owns the technical controls
  • HR owns training records
  • Legal owns vendor contracts
  • IT owns system configurations

Nobody has a consolidated view. Gaps surface when the auditor asks.

Two frameworks, twice the work

If you hold both ISO 27001 and PCI-DSS, there's significant overlap between the two control sets, but they're not identical. Without a mapping in place:

  • Evidence collection gets done twice for overlapping requirements
  • The same systems get audited against two separate requirement sets
  • Audit prep doubles in effort each cycle

What Sustainable Compliance Operations Actually Look Like

Automated evidence collection, not manual screenshots

Connect your systems once. Evidence pulls in automatically:

  • AWS CloudTrail → access logs and config changes collected daily
  • GitHub → code review records, branch protection status
  • Okta / Google Workspace → user provisioning, MFA status, access reviews
  • Jira / Linear → change management records

When an auditor asks for evidence from March through September, you filter and export, no hunting required.

Automated reminders for policy reviews and task deadlines

Every policy should have a designated owner, a review frequency, and automated reminders before the deadline, 14 days out, 7 days out, on the day.

When the policy owner gets a reminder, they review and acknowledge in the platform. That interaction creates an audit trail automatically.

Centralized evidence repository

All evidence in one searchable place, organized by control and framework. When an auditor needs evidence for ISO 27001 A.9.2 (User Access Management), you navigate to that control and see everything collected against it over the past twelve months.

Control mapping for multiple frameworks

If you have both ISO 27001 and PCI-DSS, controls overlap significantly. Map them once, collect evidence once, and satisfy both frameworks from the same pool.

Access review evidence for ISO 27001 A.9.2.5 can simultaneously satisfy PCI-DSS Requirement 7.2. One collection effort, two frameworks covered.

Auditor portal instead of document packages

Share read-only access to a compliance portal instead of sending a massive Drive folder. Auditors navigate directly to the evidence they need. Your team doesn't spend days acting as a document delivery service.


Side-by-Side: Compliance Operations With vs. Without a Platform

Without a platformWith a platform
Evidence collectionManual scramble before each auditAutomated daily collection
Policy reviewsDeadlines missed silentlyAutomated reminders to owners
Audit prep time2-4 weeks of hunting2-3 days of review
Compliance visibilityUnknown until the auditor asksLive dashboard at all times
Multiple frameworksDuplicate work each cycleMap once, satisfy all
Sharing with auditorsZip file or Drive folderRead-only auditor portal

When to Move Off Spreadsheets

Not every organization needs a dedicated platform from day one. But if you recognize any of the following, it's time to reconsider your tooling:

  • A surveillance audit is approaching and your team is scrambling to collect evidence
  • You can't quickly answer "what is our current compliance posture?" without spending days checking
  • Policy review deadlines have passed without anyone noticing
  • Compliance evidence is scattered and the people who knew where it was have left
  • You need to add a second framework, for example, you have ISO 27001 and need SOC 2, and don't want to start from scratch
  • You're spending meaningful time each week managing compliance manually instead of working on actual security improvements

This is especially true if you're operating both ISO 27001 and PCI-DSS: two frameworks with separate audit cycles but overlapping controls. A platform removes the duplicate work between the annual ISO surveillance and the PCI QSA review.


A Concrete Scenario: ISO 27001 + PCI-DSS Level 2

Consider a fintech or payment-adjacent company holding both certifications. A typical audit calendar might look like:

  • March: PCI-DSS QSA review
  • September: ISO 27001 surveillance audit

Without a platform, this is two separate scramble periods, each requiring three to four weeks of preparation.

With a platform, evidence is collected daily throughout the year. Both audits pull from the same centralized repository. Audit prep time drops from weeks to days, and the team spends that time reviewing rather than hunting.


Maintaining a security certification shouldn't be a yearly crisis. If every audit cycle feels like starting from zero, the problem usually isn't team effort, it's the absence of systems that keep evidence organized and deadlines tracked throughout the year.

Learn how pTrackly supports certified teams through ongoing compliance operations, not just initial certification sprints.

Tags:
compliance maintenanceISO 27001 surveillancePCI-DSS operationscompliance operationsaudit readiness