Glossary · Compliance concepts
What is Gap Analysis?
Also known as: Compliance gap analysis, Readiness assessment
A gap analysis compares an organization's current controls against the requirements of a framework to identify what is missing before an audit. It produces a prioritized list of gaps and remediation work. It is typically the first step on the road to certification or attestation.
Key takeaways
- A gap analysis measures the distance between current state and a target framework's requirements.
- Its output is a prioritized list of gaps and the work needed to close them.
- It is usually the first step toward certification or attestation, done before formal audit.
- It is distinct from a risk assessment: gaps are measured against requirements, not against threats.
- It informs scoping, timelines, and resource planning for a compliance project.
What a gap analysis is
A gap analysis is a structured comparison between what an organization currently does and what a target framework, such as ISO 27001 or SOC 2, requires. The output is a clear picture of the gaps: the requirements that are not yet met.
It answers a practical question before a compliance project begins: how far are we from being ready, and what specifically must change? That makes it foundational to planning, because it scopes the work and sets realistic timelines.
Each identified gap is typically rated by effort or priority, so the organization can sequence remediation sensibly rather than tackling everything at once.
How a gap analysis is performed
A gap analysis walks through the target framework requirement by requirement, recording for each whether it is fully met, partially met, or not met, along with the evidence or rationale. The result is a gap register and a remediation roadmap.
- Select the target framework and define scope
- Review each requirement against current practice and evidence
- Classify each as met, partially met, or not met
- Prioritize the gaps and assign remediation owners
- Produce a roadmap with timelines
The findings feed directly into remediation, which often includes implementing or formalizing Annex A controls, improving documentation, and standing up evidence collection.
How it differs from a risk assessment and an audit
A gap analysis is easy to confuse with a risk assessment, but they answer different questions. A gap analysis measures distance from a framework's requirements; a risk assessment measures exposure to threats. A control can be present (no gap) yet still leave residual risk, and a risk can exist where no specific requirement applies.
It also differs from a formal internal audit or certification audit. A gap analysis is a self-directed readiness check, usually informal and forward-looking, whereas an audit is a structured evaluation, often by an independent party, that results in findings or an opinion.
Because it is typically the first step, a thorough gap analysis can save substantial time later by surfacing problems before an auditor does.
Frequently asked questions
- When should I do a gap analysis?
- At the start of a compliance effort, before formal audit work begins, so you understand the scope of remediation and can plan timelines and resources realistically.
- Is a gap analysis the same as an audit?
- No. A gap analysis is a self-directed readiness check that identifies what is missing, while an audit is a formal evaluation, often by an independent party, that produces findings or a certification decision.
- Can I do a gap analysis myself or do I need an external party?
- You can run one internally, and many organizations do, though an experienced external assessor can bring objectivity and familiarity with how auditors interpret requirements.
- What do I do with the results of a gap analysis?
- Turn them into a prioritized remediation roadmap, assigning owners and timelines to close each gap, then re-check progress before scheduling the formal audit.