Being awarded ISO 27001 certification is not the end of the process. ISO 27001 requires a commitment to continual improvement and maintenance of the effectiveness of your information security management system.
Your certification body will set out a programme of surveillance audits covering the three-year life of the certificate. How often these take place depends on the size of your organisation and the risks you face; for most small businesses this means one surveillance visit a year. If an audit raises no major non-conformances (minor ones are normally accepted with a corrective action plan), you retain your certificate.
At the end of the three years a full recertification audit is held and, if there are no outstanding major non-conformances, a new three-year certificate is issued.