
Step 4: Conduct a Gap Assessment

Prioritize What’s Next

Your Compliance GPS

Reveal What’s Missing. Prioritize What’s Next

Too many organizations dive into security and compliance without knowing their starting point. 

A gap assessment shows exactly where you are and how far you have to go.

It’s where clarity replaces guesswork, and smart prioritization replaces wasted motion.

Whether you're aiming for SOC 2, HIPAA, NIST, ISO 27001, or other frameworks, this step is where your plan becomes real.

A gap assessment helps you...

  • Understand Scope: What’s in and what’s out?

  • Surface Gaps Early: Before your auditor finds them.

  • Deploy Resources Wisely: By focusing on the high-impact fixes first.

What Should a Gap Assessment Include?

A great gap assessment connects each missing piece to risk, control requirements, and operational impact. Here's what to include:

🗺️ Framework Mapping

Break your framework into control-level requirements. This might include:


  • SOC 2 Trust Services Criteria

  • NIST CSF or 800-53

  • HIPAA Security Rule

  • ISO 27001 Annex A controls 

📈 Control-by-Control Review

Address the following questions for each control:


  • Are you currently meeting it? Fully, partially, or not at all?

  • What evidence exists (or is missing)?

  • Are there written policies and proof of implementation?

  • Are controls formalized or just tribal knowledge?

⚠️ Risk Context

Overlay your risk assessment results to add teeth to your findings:


  • Gaps in high-risk areas = top priority

  • Gaps in low-impact areas = schedule for later

Together, these steps keep your compliance roadmap risk-aligned rather than checkbox-driven.

📝 Scoring & Prioritization

Don’t treat every gap the same. Score gaps by:


  • Severity (How far off are you?)

  • Risk impact (If unaddressed, what’s the consequence?)

  • Effort level (Is this a quick win or a long-term project?)

  • Dependency (Does this block other progress?)

⏱️ Ownership & Deadlines

Assign every gap a clear owner and a realistic due date.


  • Add gaps to your compliance tracker or task list.

  • Gaps with no owners tend to stay gaps.

⚠️ Leadership Summary

Create a simplified report for execs:


  • Number of gaps by category

  • Top 5 critical gaps

  • High-effort vs. low-effort wins

  • Progress toward readiness

How to Run a Gap Assessment

No need to boil the ocean. Follow this playbook to get it done:

Select Your Framework(s)

Choose the standards you’re targeting: SOC 2, HIPAA, ISO, etc. If multiple, pick a “primary” and map others to it.

Inventory Your Current State

Document your policies, procedures, tools, vendors, and evidence repositories. Collect what you have before you focus on what’s missing.

Evaluate Gaps

Use your GRC platform (or Gap Tracker) to score each control (Fully Met, Partially Met, Not Met) and include notes, evidence links, and screenshots.

Score and Prioritize

Mark each gap with severity, effort, risk, and urgency. Focus your team on high-risk, low-effort wins first.

Assign and Track

Add each gap to a tracker or GRC platform, assign an owner, and monitor progress in weekly standups or reviews.

Review with Leadership

Show them a clear picture: where you are, what’s missing, and what the team is doing to get you audit-ready.
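As an added illustration (not code from this guide or its authors), here is a small Python gap tracker that applies the scoring scheme described above (control status, risk impact, effort, dependency), orders open gaps so high-risk, low-effort, blocking items come first, and computes the figures the leadership summary asks for. The 1-3 risk and effort scales, the weights, and every control identifier and score in the sample are assumptions or constructed data, not values from the page.

```python
# Gap tracker applying the page's scheme: status, risk impact, effort, dependency -> priority.
from collections import Counter
from dataclasses import dataclass

# Assumed scales (not defined on the page): risk 1-3, effort 1-3 (1 = quick win, 3 = long-term).
STATUS_SEVERITY = {"Fully Met": 0, "Partially Met": 1, "Not Met": 2}
W_RISK, W_SEVERITY, W_DEPENDENCY, W_EFFORT = 3, 2, 2, 1  # assumed weights

@dataclass(frozen=True)
class Gap:
    control: str        # control identifier from your framework mapping
    category: str       # control family or domain the control belongs to
    status: str         # one of the STATUS_SEVERITY keys
    risk: int           # risk impact if the gap is left unaddressed
    effort: int         # effort required to close the gap
    owner: str = ""     # empty string means no owner has been assigned yet
    blocks: tuple = ()  # controls that cannot progress until this gap is closed

def is_open(gap):
    return STATUS_SEVERITY[gap.status] > 0

def priority_score(gap):
    """Higher = sooner: high risk, far from met, blocking other work, low effort."""
    return (W_RISK * gap.risk + W_SEVERITY * STATUS_SEVERITY[gap.status]
            + W_DEPENDENCY * len(gap.blocks) - W_EFFORT * gap.effort)

def prioritize(gaps):
    # Open gaps ordered for the team's backlog; ties broken by control id for stable output.
    return sorted((g for g in gaps if is_open(g)), key=lambda g: (-priority_score(g), g.control))

def leadership_summary(gaps, top_n=5):
    open_gaps = prioritize(gaps)
    return {
        "gaps_by_category": dict(Counter(g.category for g in open_gaps)),
        "top_critical": [g.control for g in open_gaps[:top_n]],
        "quick_wins": [g.control for g in open_gaps if g.effort == 1],
        "long_term": [g.control for g in open_gaps if g.effort == 3],
        "unowned": [g.control for g in open_gaps if not g.owner],
        "readiness_pct": round(100 * sum(not is_open(g) for g in gaps) / len(gaps)),
    }

# Constructed sample: control ids, categories and scores are illustrative only.
SAMPLE = [
    Gap("G-01", "Access Control", "Fully Met", risk=3, effort=1, owner="alice"),
    Gap("G-02", "Access Control", "Not Met", risk=3, effort=1, owner="bob", blocks=("G-03",)),
    Gap("G-03", "Access Control", "Partially Met", risk=2, effort=2),
    Gap("G-04", "Incident Response", "Not Met", risk=3, effort=3, owner="carol"),
    Gap("G-05", "Change Management", "Partially Met", risk=1, effort=1, owner="dave"),
]
```

On the sample, `prioritize(SAMPLE)` returns the open gaps in the order G-02, G-04, G-03, G-05, and `leadership_summary(SAMPLE)` reports G-03 as unowned and 20% readiness.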

Ready to Create Your Action Plan?

Now that you know your gaps, it’s time to close them.

We’ll guide you through creating and updating the policies, controls, and safeguards that fill those gaps and keep you compliant.

Create Your Remediation Plan