Glossary

Gap Analysis

Systematic comparison between current state and required compliance level to identify missing controls.

A gap analysis is a structured assessment that compares an organisation's current security posture, policies and controls against the requirements of a target compliance framework or standard. It systematically evaluates each control requirement to determine whether it is fully met, partially met or not addressed at all, producing a detailed report that highlights the specific gaps between the current state and the desired compliance level.

Gap analysis is typically the first step in any compliance programme, providing a clear roadmap for remediation by identifying which controls need to be implemented, enhanced or documented. It enables organisations to prioritise their compliance efforts based on risk, allocate resources effectively and set realistic timelines for achieving certification. Regular gap analyses also help organisations track their progress and adapt to evolving framework requirements over time.
