Internal ISO Audit
2026-02-28 · Longform · Author: Hazel Castro

Internal Audit vs Certification Audit: What's the Difference?

One of the most common questions I get from startups preparing for ISO 27001 is: "If we're going to have a certification audit anyway, why do we need an internal audit first?"

The answer is straightforward: they serve different purposes, and the standard requires both.

What Is an Internal Audit?

An internal audit is a self-assessment conducted by your own team or an independent consultant. It's required by Clause 9.2 of ISO 27001 and must be performed at planned intervals — at minimum annually, and ideally before every certification or surveillance audit.

The purpose of an internal audit is to find and fix problems before the external auditor arrives. Think of it as a practice exam.

Key characteristics

  • Conducted by your organization (internal team or hired consultant)
  • Auditor must be independent from the processes being audited
  • Results are for internal use — they help you improve
  • Findings should drive corrective actions
  • Required by the standard as evidence that the ISMS is operating

What Is a Certification Audit?

A certification audit is conducted by an accredited certification body (like BSI, Schellman, or A-LIGN). It's the formal assessment that determines whether your organization receives an ISO 27001 certificate.

Key characteristics

  • Conducted by an accredited third-party certification body
  • Results in a pass/fail determination for certification
  • Happens in two stages: Stage 1 (document review) and Stage 2 (evidence assessment)
  • Findings are formal and may block certification
  • Followed by annual surveillance audits to maintain the certificate

Side-by-Side Comparison

Dimension                Internal Audit                            Certification Audit
Who                      Your team or independent consultant       Accredited certification body
Purpose                  Find gaps and improve                     Verify conformity and issue certificate
Required by              Clause 9.2                                Your business decision (market demand)
Output                   Internal report with corrective actions   Certificate (if you pass)
Frequency                At least annually                         Initial + surveillance audits annually
Cost                     $300-5,000 depending on scope             $10,000-50,000+ depending on size
Consequence of findings  You fix them before certification         May block or delay certification

How They Work Together

The relationship between internal and certification audits is sequential and complementary:

  1. Internal audit identifies gaps — You discover that access reviews aren't being performed quarterly, the incident response plan hasn't been tested, and three policies are overdue for review.

  2. You fix the gaps — Implement corrective actions for each finding: schedule access reviews, run a tabletop exercise, update policies.

  3. Certification audit verifies the fix — The external auditor checks that your ISMS conforms to the standard, including reviewing your internal audit results and corrective actions as evidence that Clause 9.2 is being met.

The external auditor will ask to see your internal audit results. If you haven't done an internal audit, that's an automatic nonconformity on Clause 9.2 — before they even look at your technical controls.

What External Auditors Look for in Your Internal Audit

When the certification auditor reviews your internal audit, they evaluate:

  • Scope — Did the internal audit cover the full ISMS, or just the easy parts?
  • Independence — Was the internal auditor independent from the areas they assessed?
  • Quality of findings — Vague findings like "security could be better" indicate weak internal audit capability
  • Follow-through — Were corrective actions actually implemented and tracked to closure?
  • Finding balance — An internal audit that finds zero issues is a red flag. Every ISMS has room for improvement.

Common Mistakes

Treating the internal audit as a formality

Some organizations run a superficial internal audit that finds no issues, then get blindsided during the certification audit. If your internal audit consistently finds nothing, your process needs work — not your ISMS.

Waiting until the last minute

Running the internal audit the week before the certification audit defeats the purpose. You need time to implement corrective actions. I recommend scheduling the internal audit 4-6 weeks before the external audit.

Having the ISMS builder audit their own work

The person who designed and implemented your ISMS cannot be the internal auditor. Clause 9.2 requires objectivity and impartiality. At small startups, this usually means bringing in an external consultant.

The Bottom Line

Internal audits find and fix problems. Certification audits verify that problems have been found and fixed. You need both, and the internal audit should always come first.

If you're preparing for your first certification audit, schedule an internal audit to identify gaps while there's still time to address them.

Need an Audit?

Ready to prepare for certification?

Book an ISO 27001 internal audit. $300 flat rate with written findings report.


About the Author

Hazel Castro

ISO 27001 Internal Auditor, Internal ISO Audit

Hazel Castro is a certified ISO 27001 Internal Auditor with 14+ years of experience and over 100 completed audits. She specializes in helping startups and growing companies prepare for and pass ISO 27001 certification through thorough, practical internal audits.

  • ISO 27001 Internal Auditor
  • ISO 27701 Privacy Lead Implementer
  • ISC2 Certified in Cybersecurity (CC)
  • Certified Public Accountant (CPA)