A gap analysis is a critical process for organisations to assess their current compliance posture against regulatory, industry, or internal standards.

If you've ever been asked by a client, auditor, or board member "are we compliant?" and felt the dread of not having a clear answer — a compliance gap analysis is where you start.

This guide walks you through exactly how to do one, whether you're preparing for ISO 27001 certification, getting ready for a NIS2 audit, or just trying to understand where your organisation actually stands.


What Is a Compliance Gap Analysis?

A compliance gap analysis is a structured comparison between where your organisation is today — your current controls, policies, and processes — and where a specific standard or regulation requires you to be.

The output is a clear picture of:

  • What you already have in place that satisfies the requirement
  • What's partially in place but needs strengthening
  • What's missing entirely

It's not a pass/fail assessment. It's a diagnostic. Think of it like an MOT for your compliance programme — it tells you what needs fixing before you go for the official test.


When Should You Run a Gap Analysis?

Most organisations trigger a gap analysis around a specific event, but the most mature compliance programmes run them on a regular cycle. Common triggers include:

Before pursuing a certification — ISO 27001, SOC 2, Cyber Essentials Plus. A gap analysis before you engage an auditor saves you from expensive surprises mid-audit.

When a new regulation applies to you — NIS2, DORA, and the EU AI Act are all creating new obligations for UK and EU businesses. Understanding your gap early gives you time to remediate rather than scramble.

After a security incident — incidents often expose process failures that weren't visible in normal operations. A post-incident gap analysis surfaces the systemic weaknesses, not just the immediate cause.

Annually as part of your compliance calendar — regulations change, your business changes, and your controls drift. Annual reviews keep you from discovering gaps at the worst possible time.


The 5-Step Gap Analysis Process

Step 1: Define Your Scope and Target Framework

Before you start assessing anything, you need to be clear on two things: which standard you're measuring against, and which parts of your business are in scope.

Choosing your framework depends on what's driving the analysis:

Driver                                      | Likely Framework
--------------------------------------------|---------------------------
Customer due diligence / enterprise sales   | ISO 27001, SOC 2
UK public sector contracts                  | Cyber Essentials / CE Plus
Processing EU personal data                 | GDPR
Critical infrastructure or digital services | NIS2
Financial services                          | DORA

If you're targeting multiple frameworks, start with the most comprehensive one (usually ISO 27001) — there's significant overlap with others, so you're not starting from scratch each time.

Scoping the business means deciding which departments, systems, processes, and locations are included. For a small or mid-sized business, it's often simplest to include everything. For larger organisations, you might scope to a specific business unit or product line.

Document this clearly before you start. Scope creep mid-analysis is one of the most common reasons gap analyses stall.


Step 2: Gather Your Current State Evidence

This is where most organisations underestimate the effort involved. You need actual evidence of your current controls — not what people think is in place, but what can be demonstrated.

For each area of the framework, you're looking for:

  • Policies and procedures — do they exist, are they current, are they approved?
  • Technical controls — are they configured and operating as intended?
  • Training records — has staff training actually happened and been documented?
  • Audit logs and monitoring — are systems generating evidence of operation?
  • Third-party assessments — pen tests, vulnerability scans, supplier audits

The most efficient way to do this is through a combination of document reviews and interviews with control owners. Don't rely solely on what people tell you — ask to see the evidence.

Practical tip for SMBs: If you're managing this on spreadsheets, create a tab per control domain and use a simple RAG (Red/Amber/Green) status alongside a column for "evidence location." This becomes your working document throughout the process.


Step 3: Assess Each Requirement

With your evidence gathered, you can now assess each requirement against a consistent scale. We recommend four statuses:

Status                  | Definition
------------------------|------------------------------------------------
✅ Compliant            | Control is fully implemented and evidenced
⚠️ Partially Compliant  | Control exists but has gaps or weaknesses
❌ Non-Compliant        | Control is missing or not operating effectively
🔵 Not Applicable       | Requirement doesn't apply given your scope

Example assessment for ISO 27001 Annex A:

Control | Requirement                             | Current State                       | Status | Gap Description
--------|-----------------------------------------|-------------------------------------|--------|------------------------------------------------------
A.8.24  | Use of cryptography                     | AES-256 encryption in transit       | ⚠️     | Encryption at rest not implemented for backup systems
A.6.3   | Information security awareness          | No formal training programme        | ❌     | Requires annual training with completion tracking
A.5.9   | Inventory of assets                     | Asset register in spreadsheet       | ⚠️     | Not reviewed since 2023, missing cloud assets
A.8.8   | Management of technical vulnerabilities | Monthly vulnerability scans running | ✅     | Evidenced, remediation tracked

Be honest in your assessments. The temptation is to mark things amber when they're really red. The only person that hurts is you, when the auditor disagrees.


Step 4: Prioritise and Build Your Remediation Roadmap

Not all gaps are equal. A missing encryption control on a system holding sensitive customer data is a different risk profile to an outdated acceptable use policy. Your remediation plan needs to reflect this.

Prioritisation criteria to consider:

  • Regulatory risk — is this gap a direct violation that could trigger enforcement action?
  • Audit risk — would this gap cause a finding or non-conformity in a formal audit?
  • Business risk — what's the actual likelihood and impact of this gap being exploited?
  • Effort to fix — some gaps are quick wins (update a document), others require significant technical work

A simple risk matrix scoring each gap on likelihood × impact gives you a defensible prioritisation. Don't overthink it — a 3×3 matrix is enough for most SMBs.

For each remediation item, document:

  • The gap description
  • The owner (name, not just job title)
  • Target completion date
  • Resources required
  • Current status

Review this tracker monthly. Gaps that sit in a spreadsheet with no owner and no deadline don't get fixed.
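As an added example (not code from the original article or from SnapGRC), here is a small Python script that turns a Step 3 gap register into the Step 4 roadmap: it scores each open gap on the 3×3 likelihood × impact matrix, orders the remediation list, and flags items with no named owner, no target date, or an overdue date. The register entries are built from the Step 3 example table, but the likelihood/impact scores, owners, dates and the High/Medium/Low thresholds are all assumed for illustration.

```python
from dataclasses import dataclass
from datetime import date

PARTIAL, NON_COMPLIANT = "Partially Compliant", "Non-Compliant"
OPEN_STATUSES = {PARTIAL, NON_COMPLIANT}  # the only two Step 3 statuses needing work

@dataclass
class Gap:
    control: str              # ISO 27001 Annex A reference
    status: str               # one of the four Step 3 statuses
    gap: str                  # gap description from the assessment
    likelihood: int           # 1-3 on the 3x3 matrix
    impact: int               # 1-3 on the 3x3 matrix
    owner: str = ""           # a named person, not a job title
    target_date: "date | None" = None

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # 1..9

def risk_band(score: int) -> str:
    # Assumed thresholds for the 3x3 matrix (possible scores 1, 2, 3, 4, 6, 9).
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def build_roadmap(register: list) -> list:
    """Open gaps ordered by risk score, then impact, then control reference."""
    open_gaps = [g for g in register if g.status in OPEN_STATUSES]
    return sorted(open_gaps, key=lambda g: (-g.score, -g.impact, g.control))

def tracker_warnings(roadmap: list, today: date) -> list:
    """Flag what Step 4 says never gets fixed: no owner, no deadline, or overdue."""
    warnings = []
    for g in roadmap:
        if not g.owner:
            warnings.append(f"{g.control}: no named owner")
        if g.target_date is None:
            warnings.append(f"{g.control}: no target completion date")
        elif g.target_date < today:
            warnings.append(f"{g.control}: overdue since {g.target_date}")
    return warnings

# Constructed register from the Step 3 example table; scores, owners, dates assumed.
REGISTER = [
    Gap("A.8.24", PARTIAL, "Encryption at rest not implemented for backup systems",
        likelihood=2, impact=3, owner="J. Smith", target_date=date(2025, 6, 30)),
    Gap("A.6.3", NON_COMPLIANT, "Requires annual training with completion tracking",
        likelihood=3, impact=2),
    Gap("A.5.9", PARTIAL, "Not reviewed since 2023, missing cloud assets",
        likelihood=2, impact=2, owner="A. Patel", target_date=date(2024, 12, 31)),
    Gap("A.8.8", "Compliant", "Evidenced, remediation tracked", likelihood=1, impact=1),
]
```

Running `build_roadmap(REGISTER)` drops the compliant A.8.8 item and puts the two High gaps first; `tracker_warnings` then lists the items that would otherwise sit untouched in the spreadsheet.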


Step 5: Validate and Close the Loop

Once remediation work is done, you need to verify it actually closed the gap — not just that someone said they did it.

Validation approaches:

  • Document review — confirm the updated policy or procedure exists and is approved
  • Technical testing — for security controls, test that they work (scan the system, attempt the access, check the log)
  • Process walkthroughs — have the control owner demonstrate the process end-to-end
  • Sample testing — check a sample of records to confirm the control is operating consistently

After validation, update your gap analysis status and document the evidence. This becomes part of your audit trail.

Then set a review cadence. Controls drift. Staff change. Systems get updated. Build gap analysis reviews into your annual compliance calendar so you're not starting from scratch next time.


Common Mistakes That Undermine Gap Analyses

Treating it as a one-person job. Compliance touches IT, HR, legal, operations, and finance. If your gap analysis is done by one person without input from control owners, you'll miss things — or worse, document controls that don't actually exist.

Assessing against the wrong version of a standard. ISO 27001:2022 has different controls to ISO 27001:2013. GDPR has different requirements to the UK GDPR post-Brexit. Make sure you're assessing against the current, applicable version.

Confusing policy with practice. Having an access control policy doesn't mean your access controls are working. The gap analysis needs to assess actual implementation, not documentation alone.

No ownership of gaps. A gap analysis that produces a list of findings with no assigned owners will sit untouched. Every gap needs a person accountable for fixing it.

Scope too broad for the team. For a small internal team conducting a first gap analysis, trying to assess all 93 controls of ISO 27001 in one go is overwhelming. Consider phasing it — start with the highest-risk domains and work outward.


Gap Analysis vs Risk Assessment: What's the Difference?

These two terms often get confused, and they're related but distinct.

A gap analysis tells you whether your controls meet the requirements of a specific standard. It's framework-focused and binary: you either meet the requirement or you don't.

A risk assessment tells you the likelihood and impact of specific threats materialising. It's threat-focused and context-specific to your business.

In practice, they feed each other. Your gap analysis tells you which controls are missing; your risk assessment tells you which of those missing controls represent the biggest actual risk to your business. Together they give you a complete picture and a defensible prioritisation.

For ISO 27001, both are required — the standard expects you to identify risks and implement controls that address them, with a gap analysis helping you understand the current state of those controls.


How Long Does a Gap Analysis Take?

It depends on the size of your organisation, the framework, and how well-documented your current controls are. As a rough guide:

Organisation Size | Framework               | Rough Timeframe
------------------|-------------------------|----------------
1–50 employees    | Cyber Essentials        | 1–2 days
1–50 employees    | ISO 27001               | 2–4 weeks
50–250 employees  | ISO 27001               | 4–8 weeks
50–250 employees  | SOC 2 Type II readiness | 6–10 weeks

These assume you're doing it properly — gathering evidence, interviewing control owners, not just ticking boxes.

If you're using a GRC platform that already maps your controls to the framework and tracks evidence automatically, you can cut this significantly. The data-gathering phase (typically the longest part) becomes much faster when your controls are already documented in a system rather than scattered across email threads and shared drives.


Free Gap Analysis Templates

If you're just starting out and want to run a gap analysis manually, we've built free templates for the most common frameworks:

These are Excel-based and free to download. They'll get you started, though as your compliance programme matures you'll likely want something that tracks evidence, assigns owners, and generates reports automatically.


How SnapGRC Handles Gap Analysis

Manual gap analyses in spreadsheets work — up to a point. The problems start when:

  • Multiple people are updating the same spreadsheet and versions get out of sync
  • You need to track remediation progress and chase owners
  • An auditor asks for evidence and it's scattered across shared drives
  • You're managing compliance across multiple frameworks simultaneously

SnapGRC maps your controls to 50+ frameworks out of the box, so when you assess a control, it automatically shows you which requirements across ISO 27001, Cyber Essentials, GDPR, and others it satisfies. You're not doing the same work multiple times.

Gap reports are generated automatically based on your control statuses, with a clear view of what's compliant, what's in progress, and what still needs attention.

If you're managing compliance for multiple clients as an MSP, the multi-tenant architecture means each client has their own instance with its own gap analysis, controls, and evidence — no data mixing, no spreadsheet chaos.



Summary

A compliance gap analysis is not a one-time box-ticking exercise. Done properly, it's the foundation of an ongoing compliance programme — giving you a clear picture of where you stand, what needs fixing, and how to prioritise your effort.

The five steps are straightforward:

  1. Define your scope and target framework
  2. Gather evidence of your current controls
  3. Assess each requirement honestly
  4. Prioritise gaps and build a remediation roadmap
  5. Validate fixes and set a review cadence

The hard part isn't the methodology — it's the discipline to gather real evidence, assign real owners, and follow through on remediation. A GRC platform can take a lot of the friction out of that process, but the fundamentals apply whether you're using a spreadsheet or dedicated software.

If you're not sure where to start, our free framework checklists above give you a structured starting point you can use today.


SnapGRC is a compliance management platform built for SMBs and MSPs. We make the same compliance outcomes achievable at a fraction of the cost of enterprise GRC tools.