Skip to content
FortaRisks
Back to the glossaryCompliance and regulation

Gap analysis

A gap analysis compares an organization's current state against a target framework or objective to identify the gaps to close. In cybersecurity and compliance, it is the starting point of any program: it turns an abstract standard into a prioritized list of actions.

Updated on July 2, 2026

What is a gap analysis?

A gap analysis is a structured assessment that compares an organization's actual state against a reference state: a standard, a regulatory framework or a target maturity level. The result is a clear map of what is already in place, what is partial and what is missing.

It is the step that makes a standard actionable. A framework like ISO 27001 or the NIST CSF does not tell you where you stand: the gap analysis reveals it.

Why it matters for your organization

Without a gap analysis, a compliance program moves blind: you invest where it is visible rather than where it is needed. The exercise lets you size the remaining effort, prioritize actions and build a roadmap you can defend to leadership.

It is also a communication tool: it translates technical requirements into management decisions, with a cost and timeline attached to each gap.

How a gap analysis works

  • Choose the target framework: the standard or maturity level you aim for.
  • Collect evidence: policies, configurations, interviews, existing controls.
  • Assess each requirement: in place, partial or missing.
  • Qualify the gaps: impact, effort and remediation priority.
  • Produce the roadmap: sequenced actions, owners and deadlines.

Where organizations most often fall short

The classic trap is confusing a gap analysis with a simple self-reported questionnaire, with no supporting evidence. A poorly qualified gap leads you to underestimate the real effort. The other mistake is producing a report that leads to no prioritized roadmap: the analysis then stays a finding with no follow-through.

Frequently asked questions

When should you run a gap analysis?

At the start of a compliance project (ISO 27001, SOC 2, NIS2, Law 25), before a certification audit, after a major incident, or when scope or regulation changes significantly. It is also a periodic exercise to track maturity progress over time.

What is the difference between a gap analysis and a risk assessment?

A gap analysis measures the distance to a framework: what is in place versus what is required. A risk assessment evaluates the likelihood and impact of threats to your assets. The two are complementary: the gap tells you what is missing, the risk tells you where to start.

See your real risk in a 30-minute demo.

A member of our team walks you through FortaRisks on threats relevant to your sector. No chatbot.