An ISO 27001 certificate is generally valid for three years, but requires annual surveillance audits to ensure ongoing compliance.