Most organisations treat first-time ISO 27001 certification as the destination. A programme is scoped, a project team is assembled, controls are built, evidence is gathered, and the auditor signs off. Champagne, if you're the sort of organisation that does that. Then the project team disbands, the calendar moves on, and the ISMS is left to run itself.
Recertification is where that assumption gets tested, typically three years on, after two surveillance audits that were easier to pass on momentum. Unless a new edition of the standard has landed in between (the 2022 revision replaced 2013), the standard itself hasn't changed. What's changed is whether the governance became embedded in how the business runs, or whether it was just documented well enough to pass an audit once.
The most common cause of a difficult recertification isn't a missing control. It's evidence drift: the policy says one thing, and twelve months of normal business pressure has quietly moved actual practice somewhere else. Nobody decided to deviate from the documented process. It just happened, in small increments, because the documented process wasn't the path of least resistance for the people actually doing the work. By the time the auditor asks to see evidence, the gap between what's written and what's true has become the finding.
Ownership gaps compound this. Every control in an ISMS has a named owner at certification. A year is a long time in most organisations, and people change roles, leave, get promoted into functions that no longer touch the control they used to own. If the RACI isn't actively maintained, "who owns this?" becomes a question that takes several internal emails to answer, and an auditor watching that scramble draws an obvious conclusion about how live the system really is.
The deeper issue is structural: initial certification is usually run as a project, with a start date, an end date, and a team assembled specifically to hit it. That's a reasonable way to get from zero to a certified state. It's the wrong operating model for what comes after. An ISMS that only gets attention when a surveillance audit is approaching isn't a management system; it's a compliance exercise with a calendar reminder.
What tends to work is deciding, before certification is even granted, what the ongoing rhythm looks like: who reviews which controls and how often, how internal audit findings get triaged and closed, what the management review the standard already requires actually covers, and how the RACI gets updated as people move. None of this is expensive or complicated. It's mostly a discipline problem, not a resourcing problem, and it's far cheaper to build the rhythm in year one than to reconstruct it under pressure in the weeks before a recertification audit.
Recertification, in other words, isn't really a test of the standard. It's a test of whether anyone kept driving after the initial project ended.