What is a gap analysis?
A gap analysis is a structured assessment that compares an organization's actual state against a reference state: a standard, a regulatory framework or a target maturity level. The result is a clear map of what is already in place, what is partial and what is missing.
It is the step that makes a standard actionable. A framework like ISO 27001 or the NIST CSF does not tell you where you stand: the gap analysis reveals it.
Why it matters for your organization
Without a gap analysis, a compliance program flies blind: you invest where the work is visible rather than where it is needed. The exercise lets you size the remaining effort, prioritize actions and build a roadmap you can defend to leadership.
It is also a communication tool: it translates technical requirements into management decisions, with a cost and timeline attached to each gap.
How a gap analysis works
- Choose the target framework: the standard or maturity level you aim for.
- Collect evidence: policies, configurations, interviews, and proof that existing controls actually operate (not just that they are documented).
- Assess each requirement: in place, partial or missing.
- Qualify the gaps: impact, effort and remediation priority.
- Produce the roadmap: sequenced actions, owners and deadlines.
Where organizations most often fall short
The classic trap is confusing a gap analysis with a self-reported questionnaire backed by no evidence: that measures what people believe is in place, not what is. A poorly qualified gap leads you to underestimate the real effort, so each gap should be checked against actual configurations and records, not only interview answers. The other mistake is producing a report that leads to no prioritized roadmap: the analysis then stays a finding with no follow-through.