Gap Analysis: Definition and Compliance Guide

Why It Matters

You can't fix what you don't know is broken. A gap analysis is the first step in any compliance project — it tells you exactly where you stand, what's missing, and what to prioritize. Whether you're implementing GDPR, preparing for NIS2, or pursuing ISO 27001 certification, the gap analysis defines your roadmap and budget.

How It Works

1. Define the Target

Identify the regulation, standard, or framework you're assessing against:

GDPR Articles and requirements
NIS2 security measures
ISO 27001 Annex A controls
SOX internal control requirements

2. Assess Current State

For each requirement, evaluate:

Fully compliant — requirement is met and documented
Partially compliant — some elements in place but incomplete
Non-compliant — requirement is not addressed
Not applicable — requirement doesn't apply to your context

3. Identify Gaps

Document what's missing:

Missing policies or procedures
Inadequate technical controls
Lack of training or awareness
Insufficient documentation
Process weaknesses

4. Prioritize and Plan

Rank gaps by:

Risk level — what's the consequence of non-compliance?
Effort — how much work to close the gap?
Dependencies — which gaps must be fixed before others?
Regulatory deadlines — what must be done by when?

5. Create a Remediation Roadmap

Translate gaps into an actionable plan with owners, timelines, and resource requirements.

Common Gap Analysis Types

Framework	Key Areas Assessed
GDPR	Legal bases, data mapping, rights processes, breach procedures, DPO, DPAs, training
NIS2	Risk management, incident response, supply chain, business continuity, governance
ISO 27001	ISMS scope, risk assessment, 93 Annex A controls, documentation, internal audit
SOX	Financial controls, access management, change management, segregation of duties
HIPAA	Privacy Rule, Security Rule safeguards, breach notification, BAAs

Key Regulation

Gap analysis is not a specific regulatory requirement but is the standard methodology recommended by regulators, auditors, and consultants for achieving compliance with any framework
ISO 19011 — guidelines for auditing management systems (applicable methodology)

Framework

Key Areas Assessed

GDPR

Legal bases, data mapping, rights processes, breach procedures, DPO, DPAs, training

NIS2

Risk management, incident response, supply chain, business continuity, governance

ISO 27001

ISMS scope, risk assessment, 93 Annex A controls, documentation, internal audit

SOX

Financial controls, access management, change management, segregation of duties

HIPAA

Privacy Rule, Security Rule safeguards, breach notification, BAAs

Gap Analysis

Why It Matters

How It Works

1. Define the Target

2. Assess Current State

3. Identify Gaps

4. Prioritize and Plan

5. Create a Remediation Roadmap

Common Gap Analysis Types

Key Regulation

NIS2 Directive: Who Must Comply? The Definitive Guide to Scope, Sectors, and Obligations in 2026

What Is the EU AI Act? The Complete Guide to Requirements and Compliance in 2026

Foreign Corrupt Practices Act (FCPA): The Complete Compliance Guide for 2026

Want more than the definition?

Gap Analysis

Why It Matters

How It Works

1. Define the Target

2. Assess Current State

3. Identify Gaps

4. Prioritize and Plan

5. Create a Remediation Roadmap

Common Gap Analysis Types

Key Regulation

NIS2 Directive: Who Must Comply? The Definitive Guide to Scope, Sectors, and Obligations in 2026

What Is the EU AI Act? The Complete Guide to Requirements and Compliance in 2026

Foreign Corrupt Practices Act (FCPA): The Complete Compliance Guide for 2026

Want more than the definition?