Gap Analysis Process
6 StepsDefine the Baseline
Choose your target: NIST SP 800-171, ISO/IEC 27001, or a custom framework. Cannot measure gaps without a target state.
Evaluate People
Assess IT security staff: formal training, certifications, knowledge of policies. Identify human capability gaps.
Evaluate Processes
Compare existing IT systems and procedures against the baseline requirements. Document what exists vs. what's required.
Analyze Weaknesses
Break broad requirement categories into specific sub-requirements. Identify gaps at the granular level. Compare with best practices for remediation approaches.
Create the Report Matrix
Compile findings into a color-coded matrix (Red/Yellow/Green) across all locations/departments. Prioritize Red β Yellow β Green.
Build the Remediation Roadmap
Document the path from current to desired state: what actions, what costs, what timeline, what change control procedures are required.
Sample Traffic Light Matrix
Example Output| Requirement | Campus 1 | Campus 2 | Campus 3 | Campus 4 | Campus 5 | Campus 6 | Campus 7 |
|---|---|---|---|---|---|---|---|
| Access Control | β | β | β | β | β | β | β |
| Incident Response | β | β | β | β | β | β | β |
| Patch Management | β | β | β | β | β | β | β |
| Security Training | β | β | β | β | β | β | β |
π΄ Red = significant gaps, high priority. π‘ Yellow = partial compliance. π’ Green = close to baseline.
Baseline Comparison
| Baseline | Scope | Best For |
|---|---|---|
| NIST SP 800-171 Rev 2 | Nonfederal orgs handling CUI | US gov contractors, defense, research |
| ISO/IEC 27001 | General ISMS, international | Any organization, global compliance |
| Custom Baseline | Organization-specific requirements | Unique regulatory environments (HIPAA, PCI-DSS) |