<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=323641658531367&amp;ev=PageView&amp;noscript=1">

Step 5: Conduct a Gap Assessment

Prioritize What’s Next

Myopic Mike_BLUE-png-1

Your Compliance GPS

Reveal what’s missing. Prioritize what’s next

Too many organizations dive into security and compliance without knowing their starting point. 

A gap assessment shows exactly where you are and how far you have to go.

It’s where clarity replaces guesswork, and smart prioritization replaces wasted motion.

Whether you're aiming for SOC 2, HIPAA, NIST, ISO 27001, or other frameworks, this step is where your plan becomes real.

A gap assessment helps you...

 

  • Understand Scope: What’s in and what’s out?

  • Understand Scope: What’s in and what’s out?

  • Surface Gaps Early: Before your auditor finds them.

  • Deploy Resources Wisely: By focusing on the high-impact fixes first.
What Should a Gap Assessment Include?

A great gap assessment connects that missing piece to risk, control requirements, and operational impact. Here's what to include:

🗺️

Framework
Mapping

Break your framework into control-level requirements. This might include:

  • SOC 2 Trust Services Criteria

  • NIST CSF or 800-53

  • HIPAA Security Rule

  • ISO 27001 Annex A controls 

📈

Control-by-Control
Review

Address the following questions each control: 

  • Are you currently meeting it? Fully, partially, or not at all?

  • What evidence exists (or is missing)?

  • Are there written policies and proof of implementation?

  • Are controls formalized or just tribal knowledge?

⚠️

Risk
Context

Overlay your risk assessment results to add teeth to your findings:

  • Gaps in high-risk areas = top priority

  • Gaps in low-impact areas = schedule for later

  • The above steps ensure your compliance roadmap is risk-aligned, not checkbox-driven.

📝

Scoring &
Prioritization

Don’t treat every gap the same. Score gaps by:

  •  Severity (How far off are you?)

  • Risk impact (If unaddressed, what’s the consequence?)

  • Effort level (Is this a quick win or a long-term project?)

  • Dependency (Does this block other progress?)

⏱️

Ownership &
Deadlines

Assign every gap a clear owner and a realistic due date.

  • Add gaps to your compliance tracker or task list.
  • Gaps with no owners tend to stay gaps.



⚠️

Leadership
Summary

Create a simplified report for execs:

  • Number of gaps by category

  • Top 5 critical gaps

  • High-effort vs. low-effort wins

  • Progress toward readiness

How to Run a Gap Assessment

No need to boil the ocean. Follow this playbook to get it done:

Insider Syed_BLUE-png

Select Your
Framework(s)

Choose the standards you’re targeting: SOC 2, HIPAA, ISO, etc. If multiple, pick a “primary” and map others to it.

ALIEN_D_BLUE-png

Inventory Your
Current State

Document your policies, procedures, tools, vendors, and evidence repositories. Collect what you have before you focus on what’s missing.

 

Naïve Niamh_BLUE-png

Evaluate
Gaps

Use your GRC platform (or Gap Tracker) to score each control (Fully Met, Partially Met, Not Met) and include notes, evidence links, and screenshots. 

Procrastinator Pete_BLUE-2

Score and
Prioritize

Mark each gap with severity, effort, risk, and urgency. Focus your team on high-risk, low-effort wins first.

Myopic Mike_BLUE-3

Assign and
Track

Add each gap to a tracker or GRC platform, assign an owner, and monitor progress in weekly standups or reviews.

Complacent Colin_BLUE-png

Review with
Leadership

Show them a clear picture: where you are, what’s missing, and what the team is doing to get you audit-ready.

Ready to Create Your Action Plan?

Now that you know your gaps, it’s time to close them. 

We’ll guide you through creating and updating the policies, controls, and safeguards that fill those gaps and keep you compliant.

Create Your Remediation Plan
Return to Roadmap Home
Create Your Remediation Plan

You Might Be Wondering...Kevin Brown, ISO & Director of Professional Services, Ostendio

Kevin Brown

 ISO & Director of Professional Services

Kevin responds to your common questions.
 
Still not sure where to turn? Schedule a chat with Kevin or one of our GRC experts. 
When should I perform a gap analysis?

Ideally, right after your risk assessment—and anytime you’re planning for a new framework or upcoming audit.

It’s especially useful in early program stages to build a focused remediation roadmap.

Many teams also revisit it quarterly or annually to track progress and adjust priorities.

Do I need cybersecurity expertise to run one?

Not necessarily—but it helps. You can start with a structured template or checklist, but experienced security or compliance professionals can provide valuable insight into what’s missing and what matters most.

Some organizations partner with CaaS (Compliance-as-a-Service) providers or GRC software companies (like Ostendio) who offer professional services to deliver expert-led gap assessments without hiring a full team.

How does this differ from a risk assessment?

A risk assessment evaluates threats and their potential impact.

A gap analysis looks at requirements and whether you’re meeting them.

Risk is about what could go wrong; a gap assessment is about what you're currently not doing that you should be.

What resources can I use to help identify security gaps?

Tools like GRC platforms, automated control mappers, and audit readiness checklists can help compare your current practices to framework requirements.

Many organizations also use spreadsheets or internal assessments early on—but these can get messy fast without structure.

View All
Everyone Secure.

Learn more by speaking to one of our experts 

Chat with an Expert
Compliance Glossary
Copyright ©2025 OSTENDIO, INC. · All rights reserved · Privacy Policy · Terms Of Use · Acceptable Use Policy