What is Gap Analysis?

A Gap Analysis is a structured comparison of an organization's current security controls and documentation against the requirements of a target framework — such as ISO 27001, SOC 2, or NIST CSF — to identify what is missing or incomplete. Its output is a prioritized list of gaps to close before an audit.

A gap analysis matters because it shows, before you spend money on an audit, exactly how far you are from meeting a standard. It prevents the costly surprise of failing a Stage 1 review and lets you sequence remediation work by effort and risk.

For example, a company preparing for SOC 2 might run a gap analysis and find it has access-control and incident-response policies but no formal vendor-risk process or evidence of access reviews — a concrete punch list to work through before the CPA firm arrives.

The analysis depends on knowing each requirement of the target framework, which is where a pre-mapped checklist saves the most time. Templates give you the requirement-by-requirement structure and the policies that close the most common gaps, so your work becomes assessing and remediating rather than researching the standard. The template accelerates readiness; closing the gaps and operating the controls is what gets you through the audit.

Related terms: Risk Assessment · Internal Audit · Statement of Applicability (SoA) · Compliance Audit

Frequently asked questions

When should we do a gap analysis?
Early, before committing to a certification or attestation timeline. It scopes how much remediation is needed and is often the first step a consultant or automation platform performs in a readiness project.

Is a gap analysis the same as an internal audit?
Not quite. A gap analysis is a readiness check that finds missing controls before a program is fully built. An internal audit formally tests an established program for conformity and effectiveness, and ISO 27001 requires it on an ongoing basis.

Toolkits that cover Gap Analysis

ISO/IEC 27001:2022

ISO 27001 Complete Toolkit

All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.

$99 (30% off with code)

SOC 2 Trust Services Criteria

SOC 2 Complete Toolkit

22 policies plus the risk register, full Trust Services Criteria mapping and audit evidence checklist — built for startups facing their first SOC 2.

$99 (30% off with code)

NIST CSF 2.0

NIST CSF 2.0 Complete Toolkit

15 editable policies and plans covering all six CSF 2.0 functions, plus a Profile & Assessment workbook with every one of the 106 subcategories, a risk register, and an audit evidence checklist.

$79 (30% off with code)

Learn more in our ISO/IEC 27001 guide, explore the editable policy templates, or browse the full compliance glossary.

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.