Method

Gap analysis

A structured comparison between an organization's current state (policies, controls, evidence) and a target state defined by a standard or framework. Outputs a prioritized list of differences (gaps) and remediation actions.

A gap analysis is the standard pre-audit deliverable in compliance work. It answers the question: "Where are we relative to what's required, and what would it take to close the difference?"

A useful gap analysis has four columns:

  1. Requirement — the control or clause from the target framework (e.g. ISO 27001 A.8.2 Privileged access rights).
  2. Current state — what the organization actually has in policy and practice.
  3. Gap — the specific difference between requirement and current state.
  4. Remediation action — the concrete step to close the gap, with an owner and a due date.

AI-assisted gap analyses can produce all four columns directly from the source documents, work that historically required a consultant to spend several days reading.

Gap analysis is not the same as a certification audit. A gap analysis is what you do first to know whether you're ready. The certification audit is what an accredited body does to issue a certificate.

A typical use case: a Thai SME planning ISO 27001 certification in 12 months runs a quarterly gap analysis. Each quarter the team closes the 10 highest-priority gaps. By the time the certification audit takes place, the report is mostly green.

Related terms