The word audit gets used for at least four different activities in the ISO world, and the confusion is not accidental: providers routinely describe gap analyses as audits because audit sounds weightier on a proposal. Buying the wrong one wastes money in both directions. Organisations commission formal audits when a gap analysis would have answered their question for less, and organisations walk into certification audits cold when a gap analysis would have saved the assessment. Here is the practical taxonomy, and how to work out which one you need.

Gap analysis: where are we against the standard?

A gap analysis compares your current arrangements against the requirements of a standard, typically before you have committed to implementation or certification. It is diagnostic rather than pass-or-fail, and usually a one-off rather than a recurring obligation. The output should be a prioritised roadmap, not a list: what you already have that counts, what is missing, what exists but would not survive scrutiny, and a realistic view of the effort and sequence needed to close the distance. If a proposal offers you a gap analysis whose deliverable is a spreadsheet of clause numbers marked red, amber, and green with no view on effort or order, you are buying a list.

Anyone competent can perform a gap analysis, internal or external, because no independence rules apply. It is the right tool when you are deciding whether to pursue certification, scoping the work, or have been asked by a client whether you could achieve a standard and need an honest answer before promising one.

Internal audit: is our own system working?

Once an ISMS exists, ISO 27001 clause 9.2 requires you to audit it yourself at planned intervals. The internal audit checks two things: that the system conforms both to the standard and to your own policies, and that it is actually operating in practice. Two things distinguish it from a gap analysis: it is mandatory and recurring, and it must be impartial. The person who built or runs the ISMS cannot meaningfully audit it, which is why smaller organisations routinely outsource internal audit. Skipping it, or having it performed by the system's own author, is among the most common reasons certification audits go badly.

Certification audits: Stage 1, Stage 2, and the cycle

Certification audits are performed only by an accredited certification body, never by your consultants and never by yourself. Stage 1 reviews whether your ISMS is designed and established enough to be assessed; Stage 2 tests whether it works in practice, through evidence and interviews. Pass Stage 2 and you are certified for a three-year cycle, punctuated by annual surveillance audits that sample the system, and a full recertification at the end of the cycle. The practical implication people miss: certification is not an event but a standing commitment, and the surveillance audits are where unmaintained systems get caught.

The decision in one pass

The distinction that matters most

A gap analysis tells you the distance. An audit tests the system. One is a map, the other is an examination, and the order is not optional: map first, examination second. Organisations that get this sequence right spend less in total and pass first time. Organisations that get it backwards pay for the same discovery twice, once in audit fees and once in remediation under deadline pressure.

Not sure which you need?

Our gap analysis gives you the prioritised roadmap, and the management system health check is the lighter-touch option for systems already in operation. Either way, you get an honest answer before you commit to anything bigger.