What is gap analysis?
Gap analysis is a structured comparison between a current state and a defined target state, producing a ranked list of named gaps and a plan to close them. The target is usually a framework (ISO 27001, SOC 2, HIPAA), a strategic goal, or an internal standard. The deliverable is a gap register, not a slide deck.
- Reading level: Practitioner
- Use cases: Compliance · Risk · Strategy
- Audience: GRC · Audit · Ops
- Last reviewed: May 2026
Gap analysis is the structured comparison between where an organization, program, or process currently sits and where it needs to sit against a defined target, named at the level of individual requirements. The output is a register of specific gaps, each with severity, scope, owner, effort, and a dated remediation plan.
The pattern shows up everywhere a target state is non-negotiable and the current state is uncertain: a compliance framework an organization wants to certify against, a strategic plan with measurable outcomes, a maturity model the program is climbing, a benchmark a function is tracking. The shape of the work is the same; the target state moves.
- Current state: Where things actually stand today, evidenced by policies, runbooks, logs, prior audit findings, and observed workflow runs. Not self-reported scores.
- Target state: The destination, written in concrete, measurable terms. A framework's control list, an internal standard, a strategic objective with KPIs.
- Gap: The named, ranked difference between the two, expressed as a falsifiable claim a reviewer could check, not as a heat-map color.
“A gap analysis is the variance between the KPIs of your current state and your desired future state, with a plan to close it. Without the variance, you have a checklist. Without the plan, you have a complaint.”
Why gap analysis matters
Boards, regulators, customers, and auditors keep asking the same question in different words: do you know what is missing, and do you have a plan? A gap analysis is the cheapest way to produce a defensible answer.
Audit readiness
Auditors expect a pre-audit gap analysis before stage 1 or kickoff. Showing one with a remediation plan in flight changes the audit from discovery to verification.
Buyer trust
When an enterprise prospect asks 'where are you on ISO 27001?', a gap register answers in dates, not adjectives. Procurement reads dates.
Risk appetite
Gaps that breach risk appetite are the ones to fund this quarter. Gaps inside appetite go on the watchlist. The register makes that conversation possible.
Program maturity
Quarter-over-quarter gap closure rate is a leading indicator of program health. A flat line means the team is firefighting, not maturing.
Cross-framework pay-off
One closed gap often lifts the score on three frameworks at once. The economics of compliance live in cross-mapping; the gap register is the substrate.
Strategic planning
Outside compliance, gap analysis is the bridge between a strategy slide and a funded plan. The Project Management Institute treats it as a core strategy-execution tool.
The 4-step gap analysis process
The four steps repeat across every variant: current state, target state, identify the gaps, plan how to close them. Labels drift across reference works (Asana, ClearPoint, PMI); the shape does not.
- Step 01: Map the current state
  Document where things actually stand today, with evidence, not from memory. For a compliance gap analysis that means pulling every existing policy, control, runbook, and prior audit finding against the framework's control list. For a process gap analysis it means watching the workflow run end-to-end. Anchor every answer to a piece of evidence (policy ID, screenshot, log sample), not to a self-reported score.
  Artifact: Inventory of controls in place + evidence pointers.
- Step 02: Define the target state
  Write the destination in concrete, measurable terms. For ISO 27001 the target is the 93 Annex A controls operating at the maturity the certification body expects. For SOC 2 it is the 64 TSC criteria with evidence covering the audit period. For an internal program it might be 'every quartile-one risk has an owner and a target residual score within risk appetite.' Vague targets produce vague action plans.
  Artifact: A specific, dated definition of done.
- Step 03: Identify the gaps
  Score every requirement against the current state. Most teams use a four-level scale: not implemented, partial, mostly implemented, fully implemented and tested. Capture the gap statement, the affected scope, the severity, and the rough effort to close. The output is a ranked list of named gaps, each one a falsifiable claim an auditor or peer reviewer could check.
  Artifact: Ranked gap register with severity, scope, and owner.
- Step 04: Plan how to close them
  Turn the gap register into a remediation plan with owners, dates, and acceptance criteria. Phase the plan against business reality: which gaps block the next audit, which gaps the auditor will accept with a remediation roadmap, which gaps tie back to risks already on the register. A plan without dates and owners is a list of opinions, not a path to a clean assessment.
  Artifact: Remediation roadmap that maps gaps to dated work items.
The four steps are a cycle, not a checklist. The first run produces the baseline; the second through tenth runs are lighter because the delta from the last cycle is small. Programs that treat gap analysis as an annual sprint rediscover the same gaps every spring.
Gap analysis in compliance
The compliance variant is the most common use of gap analysis and the one buyers usually mean when they search the term. Four frameworks drive the bulk of practitioner work; the shape of each varies, the four steps do not.
- SOC 2
- HIPAA
- NIST CSF 2.0
RiskWatch publishes a free per-framework checklist for the common compliance gap analyses, each one a pre-formatted gap register with the columns covered above and the relevant requirement IDs already loaded.
Gap analysis in risk management
In a risk program the gap analysis sits one layer above the risk register. The risk register tracks what could go wrong and the controls in place. The gap analysis asks whether those controls match the standard the program is held to, and whether the program has the capability to operate them reliably.
Two flavors show up most often: control gap analysis (does each control on the register match its requirement?) and capability gap analysis (does the team have the people, tooling, and skills to run the controls at the target maturity?). The first is a row-by-row check; the second is a program-level reckoning.
Control gap analysis:
- One row per requirement against an existing control
- Output: a remediation backlog with named owners
- Typical cadence: per assessment, per audit cycle
- Lives in the gap register, mapped to the risk register
Capability gap analysis:
- One row per capability against the target maturity
- Output: a hiring, tooling, and training plan
- Typical cadence: annual, with budget-cycle alignment
- Lives in the program plan, surfaces in the board pack
A control gap raises (or creates) a risk on the risk register: the residual score on every risk that depended on the failing control should lift the moment the gap is logged, and drop back only when the remediation passes retest. On a platform that linkage happens automatically; in spreadsheets it is the step that always breaks.
Gap analysis vs needs analysis vs risk assessment
Three exercises get confused in proposal language and meeting notes, yet they have different inputs, outputs, and cadences. The shortcut: a gap analysis measures distance from a target, a needs analysis surfaces what is required to act, a risk assessment asks what could go wrong.
| Exercise | Core question | Inputs | Output | When to run it |
|---|---|---|---|---|
| Gap analysis | Where are we now versus where we want to be? | A target state (framework, standard, internal goal) and an evidence-backed view of the current state. | A ranked list of named gaps with severity, scope, owner, and a remediation plan. | Before a framework assessment, before a strategic plan, when entering a new market or compliance regime. |
| Needs analysis | What does the user, role, or program require? | Stakeholder interviews, workflow shadowing, role descriptions, training records, performance data. | A prioritized set of needs (training, capability, resource, content) with a delivery plan. | Before designing a training program, hiring plan, or system rollout. |
| Risk assessment | What could go wrong, how likely, how bad, what to do about it? | Asset inventory, threats, vulnerabilities, existing controls, business impact. | A risk register with inherent and residual scores, controls, treatments, and KRIs. | Continuously, with formal cycles annually and triggered reassessments on material events. |
Gap analysis templates and tools
A working template has ten columns. Skipping any of them produces a register that survives the first meeting and fails the second. Below is the minimum viable structure, aligned to the way assessors and auditors read evidence.
Spreadsheets work for one framework and one assessor. The moment a second framework or a third business unit joins, the cross-mapping (the same control evidencing five frameworks) starts breaking. Platforms exist because that breakage is expensive.
- Requirement ID: From the framework or internal standard, used in every cross-reference
- Requirement text: The clause or control statement, abbreviated but recognizable
- Owner: A named person, not a team
- Current state: Not implemented · Partial · Mostly · Fully implemented and tested
- Evidence pointer: Policy ID, screenshot path, log query, prior audit finding
- Gap statement: One sentence: what is missing and why it matters
- Severity: Critical · High · Medium · Low, against the target audit
- Effort: T-shirt size or hours, used to phase the remediation plan
- Target close date: A real date, not 'next quarter'
- Status: Open · In remediation · Ready for retest · Closed
RiskWatch ships per-framework Question Registers (the template above, pre-loaded for ISO 27001, SOC 2, HIPAA, PCI DSS, NIST 800-53, and 35+ other frameworks), a gap-score formula that runs across an assessment as it fills, and Cross Mapping so one closed gap updates every framework that depended on the underlying control.
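As an added illustration (not RiskWatch's code or its gap-score formula), a small Python model of the register above together with the risk-register linkage described under "Gap analysis in risk management": one control is cross-mapped to requirements in several frameworks and to risks, so logging a gap lifts every dependent residual score immediately, and only a passed retest closes the gap, drops the residuals back, and lifts every mapped framework's score at once. Framework, requirement and risk IDs are constructed placeholders, and the per-framework score (mean requirement score as a fraction of the top scale level) is an assumption.

```python
from dataclasses import dataclass, field

# Constructed example, not RiskWatch code. Template scale; list index (0..3) is the score.
SCALE = ["not implemented", "partial", "mostly", "fully implemented and tested"]
FULL = len(SCALE) - 1

@dataclass
class Control:
    control_id: str
    state: str          # one of SCALE, anchored to evidence, not a self-reported score
    requirements: dict  # framework -> requirement IDs this control evidences (cross-map)
    risks: list         # risk-register IDs whose residual score depends on this control

@dataclass
class Register:
    controls: dict      # control_id -> Control
    risks: dict         # risk_id -> {"inherent": int, "residual": int}
    gaps: list = field(default_factory=list)

    def log_gap(self, control_id, statement, severity):
        ctl = self.controls[control_id]
        if ctl.state == SCALE[FULL]:  # a tested control has no gap to log
            raise ValueError("evidence shows the control fully implemented")
        gap = {"control": control_id, "statement": statement,
               "severity": severity, "status": "Open"}
        self.gaps.append(gap)
        for rid in ctl.risks:  # dependent risks lose the control's credit at once
            self.risks[rid]["residual"] = self.risks[rid]["inherent"]
        return gap
    def retest(self, gap, passed, treated_residual):
        if not passed:  # a failed retest keeps the gap on the register
            gap["status"] = "In remediation"
            return gap["status"]
        ctl = self.controls[gap["control"]]
        ctl.state, gap["status"] = SCALE[FULL], "Closed"
        for rid in ctl.risks:  # residual drops back only after the retest passes
            self.risks[rid]["residual"] = treated_residual
        return gap["status"]
    def framework_score(self, framework):
        """Mean score of the framework's evidenced requirements, as a fraction of FULL."""
        per_req = {}
        for ctl in self.controls.values():
            for req in ctl.requirements.get(framework, []):
                per_req[req] = max(per_req.get(req, 0), SCALE.index(ctl.state))
        return round(sum(per_req.values()) / (FULL * len(per_req)), 2) if per_req else 0.0

def build_sample():  # constructed register: CTL-01 is cross-mapped to three frameworks
    c1 = Control("CTL-01", "partial", {"ISO 27001": ["ISO-R1"], "SOC 2": ["SOC-R1"], "NIST 800-53": ["NIST-R1"]}, ["RISK-7"])
    c2 = Control("CTL-02", SCALE[FULL], {"ISO 27001": ["ISO-R2"], "SOC 2": ["SOC-R2"]}, ["RISK-3"])
    risks = {"RISK-7": {"inherent": 20, "residual": 8}, "RISK-3": {"inherent": 12, "residual": 4}}
    return Register({c.control_id: c for c in (c1, c2)}, risks)
```

Closing the single CTL-01 gap moves all three framework scores in one step, which is the cross-mapping pay-off the text describes.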
Common pitfalls
Six failure modes that show up across the practitioner teardowns of compliance gap analyses, observed in Sprinto, Thoropass, Vanta, and AICPA write-ups. Knowing the names cuts the cost of avoiding them.
Self-scoring without evidence
Asking a control owner 'are we doing this?' and writing down the answer is not a gap analysis; it is a survey. Tie every score to a piece of evidence the assessor can re-pull. If the evidence is missing, the score is 'not implemented' until proven otherwise.
Closing gaps that do not exist yet
Teams scope to a framework version that ships in 18 months and call current-state controls 'gaps.' That is a roadmap, not a gap analysis. Anchor the target state to the version of the standard the next audit will use.
One score per control
A single 'partial' hides whether 1 of 5 sub-controls passes or 4 of 5 do. Split by sub-control or business unit so the gap register is actionable. The auditor will split it; you may as well do it first.
No retest cycle
Gaps get closed, then drift. Build a retest cadence into the plan: every closed gap is retested at 90 days, again before the audit, then folded into the continuous-monitoring control test schedule.
Gap analysis as a one-time project
Mature programs run a lightweight gap analysis quarterly against the active frameworks, not a single annual sprint. The continuous version is cheaper because the delta from the last cycle is small.
Ignoring cross-mapped frameworks
Running an ISO 27001 gap analysis without checking which gaps also affect SOC 2 or NIST 800-53 wastes the most valuable byproduct: a single closed gap that lifts the score on every framework that depended on the same control.
Gap analysis, answered
Ten questions practitioners actually ask, sourced from People-Also-Ask data on the head term and aligned to how AICPA, ISO, and HHS define the underlying terms.
- What is gap analysis?
- What are the 4 steps of gap analysis?
- What is a compliance gap analysis?
- What is the difference between gap analysis and risk assessment?
- How long does a gap analysis take?
- Who performs a gap analysis?
- What is a control gap?
- What is a capability gap?
- What is the difference between gap analysis and SWOT analysis?
- What is a gap analysis template?
Skip the spreadsheet. Run gap analysis on a platform built for it.
Pre-loaded Question Registers for 40+ frameworks, a gap-score formula that runs across every assessment, and Cross Mapping so one closed gap updates every framework that depended on the control. Start with a free checklist or run the full assessment on RiskWatch.