Why It Matters
You can't fix what you don't know is broken. A gap analysis is the first step in any compliance project — it tells you exactly where you stand, what's missing, and what to prioritize. Whether you're implementing GDPR, preparing for NIS2, or pursuing ISO 27001 certification, the gap analysis defines your roadmap and budget.
How It Works
1. Define the Target
Identify the regulation, standard, or framework you're assessing against:
- GDPR Articles and requirements
- NIS2 security measures
- ISO 27001 Annex A controls
- SOX internal control requirements
2. Assess Current State
For each requirement, evaluate:
- Fully compliant — requirement is met and documented
- Partially compliant — some elements in place but incomplete
- Non-compliant — requirement is not addressed
- Not applicable — requirement doesn't apply to your context
3. Identify Gaps
Document what's missing:
- Missing policies or procedures
- Inadequate technical controls
- Lack of training or awareness
- Insufficient documentation
- Process weaknesses
4. Prioritize and Plan
Rank gaps by:
- Risk level — what's the consequence of non-compliance?
- Effort — how much work to close the gap?
- Dependencies — which gaps must be fixed before others?
- Regulatory deadlines — what must be done by when?
5. Create a Remediation Roadmap
Translate gaps into an actionable plan with owners, timelines, and resource requirements.
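The five steps above carried into a small tracker, as an added example that is not code from the original page: the assessment states from step 2, gap extraction from step 3, and a step-4 ordering that closes dependencies first and breaks ties by regulatory deadline, then risk, then effort. The 1..5 risk and effort scales, that tie-break order, and the sample assessment are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional
OPEN_STATUSES = ("partial", "non")  # the two assessment states that constitute a gap

@dataclass
class Requirement:
    ref: str                         # control identifier, e.g. an ISO 27001 Annex A number
    status: str                      # fully | partial | non | n/a  (step 2)
    risk: int = 1                    # 1..5 consequence of non-compliance (assumed scale)
    effort: int = 1                  # 1..5 work needed to close the gap (assumed scale)
    deadline: Optional[date] = None  # regulatory deadline, if one applies
    depends_on: List[str] = field(default_factory=list)  # refs that must be closed first

def find_gaps(reqs: List[Requirement]) -> dict:
    """Step 3: keep only requirements whose assessed state is a gap."""
    return {r.ref: r for r in reqs if r.status in OPEN_STATUSES}

def remediation_order(reqs: List[Requirement]) -> List[str]:
    """Step 4: dependencies first; among ready gaps, earliest deadline, then highest risk, then lowest effort."""
    gaps = find_gaps(reqs)
    unknown = {d for g in gaps.values() for d in g.depends_on} - {r.ref for r in reqs}
    if unknown:
        raise ValueError(f"dependencies on unassessed requirements: {sorted(unknown)}")
    # a dependency that is fully compliant or n/a is already satisfied; only open gaps block
    blocked_by = {ref: {d for d in g.depends_on if d in gaps} for ref, g in gaps.items()}
    def priority(ref: str):
        g = gaps[ref]
        return (g.deadline or date.max, -g.risk, g.effort, ref)
    order = []
    while blocked_by:
        ready = [ref for ref, deps in blocked_by.items() if not deps]
        if not ready:  # every remaining gap waits on another remaining gap
            raise ValueError(f"dependency cycle among {sorted(blocked_by)}")
        nxt = min(ready, key=priority)
        order.append(nxt)
        del blocked_by[nxt]
        for deps in blocked_by.values():
            deps.discard(nxt)
    return order

# Constructed sample assessment against a handful of ISO 27001:2022 Annex A controls
SAMPLE = [
    Requirement("A.5.1", "non", risk=4, effort=2),
    Requirement("A.5.15", "partial", risk=5, effort=3, depends_on=["A.5.1"]),
    Requirement("A.5.23", "non", risk=4, effort=4, depends_on=["A.5.15", "A.5.1"]),
    Requirement("A.6.3", "partial", risk=3, effort=2, deadline=date(2025, 3, 31)),
    Requirement("A.7.1", "fully"),
    Requirement("A.8.9", "n/a"),
]
```

`remediation_order(SAMPLE)` schedules the dated training gap first, then the policy gap that two other gaps wait on, even though access control carries the higher risk score.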
Common Gap Analysis Types
| Framework | Key Areas Assessed |
|---|---|
| GDPR | Legal bases, data mapping, rights processes, breach procedures, DPO, DPAs, training |
| NIS2 | Risk management, incident response, supply chain, business continuity, governance |
| ISO 27001 | ISMS scope, risk assessment, 93 Annex A controls, documentation, internal audit |
| SOX | Financial controls, access management, change management, segregation of duties |
| HIPAA | Privacy Rule, Security Rule safeguards, breach notification, BAAs |
Key Regulation
- Gap analysis is not itself a regulatory requirement, but it is the standard methodology recommended by regulators, auditors, and consultants for achieving compliance with any framework
- ISO 19011 — guidelines for auditing management systems (applicable methodology)