Chapter 5 Β· Helper 2

Concept Map

Gap analysis process flow and example traffic light matrix.

Gap Analysis Process

6 Steps
1

Define the Baseline

Choose your target: NIST SP 800-171, ISO/IEC 27001, or a custom framework. Cannot measure gaps without a target state.

2

Evaluate People

Assess IT security staff: formal training, certifications, knowledge of policies. Identify human capability gaps.

3

Evaluate Processes

Compare existing IT systems and procedures against the baseline requirements. Document what exists vs. what's required.

4

Analyze Weaknesses

Break broad requirement categories into specific sub-requirements. Identify gaps at the granular level. Compare with best practices for remediation approaches.

5

Create the Report Matrix

Compile findings into a color-coded matrix (Red/Yellow/Green) across all locations/departments. Prioritize Red β†’ Yellow β†’ Green.

6

Build the Remediation Roadmap

Document the path from current to desired state: what actions, what costs, what timeline, what change control procedures are required.

Sample Traffic Light Matrix

Example Output
RequirementCampus 1Campus 2Campus 3Campus 4Campus 5Campus 6Campus 7
Access Control●●●●●●●
Incident Response●●●●●●●
Patch Management●●●●●●●
Security Training●●●●●●●

πŸ”΄ Red = significant gaps, high priority. 🟑 Yellow = partial compliance. 🟒 Green = close to baseline.

Baseline Comparison

BaselineScopeBest For
NIST SP 800-171 Rev 2Nonfederal orgs handling CUIUS gov contractors, defense, research
ISO/IEC 27001General ISMS, internationalAny organization, global compliance
Custom BaselineOrganization-specific requirementsUnique regulatory environments (HIPAA, PCI-DSS)