IronSights

Compliance & governance

Gap analysis

An assessment that compares an organisation's current security posture against a target framework or standard, identifying the specific controls that are missing, partially implemented, or not meeting required maturity levels.

Also known assecurity gap analysiscontrol gap analysis

In plain English

A gap analysis answers the question: "What do we need to do to meet this standard?" It maps your current controls against the requirements of a framework — the Essential Eight, ISO 27001, or a client's security questionnaire — and produces a prioritised list of what needs to change, giving you a clear remediation roadmap.

Full definition

A gap analysis starts with a framework and works through each control systematically. For , that means going through each of the eight mitigation strategies and assessing current maturity against the defined maturity levels. For , it maps existing controls against Annex A. The output is not a pass or fail score; it is a list of specific findings, each with enough detail to hand to a technical team and say: fix this.

The scenarios where this matters in practice: a business tendering for a government contract that requires Essential Eight 2; a CFO who has received a client security questionnaire asking about , access controls, and ; a board that wants to understand actual exposure before renewing . In each case, the gap analysis answers the same question: where are we now relative to where we need to be?

Testing versus documentation

A good gap analysis is not a checklist exercise. The difference between a gap analysis and a real assessment is that the real one tests whether controls work, not just whether a policy document says they exist. Having a patch management policy written down does not mean patches are being applied. Having listed as a control does not mean it is enabled for all accounts. On-site testing, log review, and configuration checks are what turn a document review into something you can actually rely on.

Keep learning

More terms in the IronSights Glossary.