
Internal audit, gap analysis and certification audit: what is the difference?

A gap analysis measures, in advance, where you stand relative to the standard. An internal audit is a mandatory, periodic self-check of your ISMS. A certification audit is carried out by an accredited body and leads to the certificate. In short: the gap analysis plans, the internal audit rehearses and assures, and the certification audit decides.

Gap analysis: where do I stand now?

A gap analysis compares your current situation with the standard and produces a priority list and a roadmap. Ideal as a starting point, before you embark on an implementation project.

Internal audit: does it work demonstrably?

The internal audit is mandatory under ISO 27001 (clause 9.2) and must be carried out at planned intervals. It tests two things: whether the ISMS conforms to the standard and to your own requirements, and whether it is actually implemented and effective. You may outsource it to an independent auditor, which increases objectivity, as long as the auditor did not design or operate the controls being audited.

Certification audit: the official verdict

The certification audit (stage 1 + stage 2) is carried out by a certification body and leads to the ISO 27001 certificate. We do not perform it ourselves, but we get you audit-ready for it through a pre-audit.

Decision aid

  • Just getting started? → gap analysis.
  • ISMS up and running, periodic obligation (typically annual)? → internal audit.
  • Certificate almost within reach? → pre-audit, then certification audit.
[Figure: internal audit versus certification audit, comparing who carries it out, stages, purpose and outcome side by side.]

ISO 19011 — guidelines for auditing (official source).

Frequently asked questions

Is a gap analysis the same as an internal audit?

No. A gap analysis is an upfront snapshot that maps out the gaps in order to plan. An internal audit is a formal, periodic assessment of the operational ISMS against the standard, including evidence gathering and reporting. The gap analysis is preparation; the internal audit is assurance.

Can a consultant carry out the certification audit?

No. The certification audit must be carried out by an independent, accredited certification body. A consultant or internal auditor who has helped you build or operate the ISMS may not take on that role, because it would compromise independence. An independent party may, however, carry out your internal audit and pre-audit.

Which audits do I need for certification?

For certification you need, at the very least, an internal audit and the certification audit. A gap analysis is not mandatory, but it is strongly recommended because it avoids surprises and unplanned costs later in the project.

What is a pre-audit?

A pre-audit simulates the certification audit (stage 1 and stage 2) so that you know whether you are ready. It is not mandatory, but it considerably reduces the risk of nonconformities during the actual certification audit.

Want to know whether you are audit-ready?

Book a no-obligation audit scan and find out, in a single conversation, where you stand and what the next step is.
