EU Cybersecurity Certification Platform

Certification lifecycle

The certification journey does not end when the Conformity Assessment Body (CAB) certifies a product, service, or process. There is an associated lifecycle to the certificates issued by a CAB.

Typically, certificates are not issued with an unlimited validity period. They have an expiration date, which varies from scheme to scheme, although typical validity periods are between two and five years. Otherwise, a certificate user would have no way to estimate whether a certified product is still usable in a secure way. Indeed, both the environment of use and attacker techniques may evolve over time, potentially making a certified item unsuitable for use.

CABs usually provide mechanisms for product vendors and service providers to renew the validity of a certificate if they wish to do so. This process typically involves performing a reassessment of the product, service, or process to ensure that the environment of use is still applicable, and that novel attack techniques and know-how do not jeopardise the cybersecurity properties of the certified items. Changes in scope and in the cybersecurity functions provided by the item usually do not qualify for a renewal process but require a new full certification. Renewal processes typically require less effort, as the original testing, auditing and assessment can be reused.

CABs hold the right to withdraw certificates, permanently or temporarily, in cases where a product may be found to be exploitable within their cybersecurity assurance level.