Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.3. Gap Analysis

💡 First Principle: A gap analysis compares where you are now to where you need to be, then documents the specific gaps. In security, this means measuring your current posture against a target baseline — a framework, a compliance standard, or a policy — and identifying what's missing. Without gap analysis, security improvement is guesswork.

The process follows a clear structure:

  1. Define the target state — what does the standard require? (e.g., NIST CSF Tier 3 maturity, PCI DSS 4.0 full compliance, ISO 27001 certification readiness)
  2. Assess the current state — what controls exist today? Use interviews, document reviews, technical assessments, and tool outputs to build an accurate picture.
  3. Identify gaps — where do requirements exceed current capabilities? Each gap should be specific and measurable, not vague ("need better security").
  4. Create a remediation plan — how will gaps be closed, by when, by whom, and at what cost? Prioritize by risk and compliance impact.

Gap analysis appears in multiple exam contexts: compliance assessments (comparing against PCI DSS, HIPAA, SOC 2 requirements), maturity models (comparing against NIST CSF tiers or CMMI levels), internal audits (comparing against organizational policies and standards), and vendor assessment (comparing vendor security against your requirements). The output is always a prioritized list of gaps with remediation actions.

Technical gap analysis specifically examines security controls: do you have encryption at rest? Is MFA enforced for all admin accounts? Are logs retained for the required period? Each "no" is a documented gap with an associated risk.
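The four-step process above and the control checks in this paragraph, as an added Python example that is not part of the original page: the baseline controls, their risk and compliance scores, and the sample current state are all constructed for illustration, not taken from any real standard.

```python
"""Technical gap analysis: target baseline vs. current state -> prioritized gap list."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    control: str
    expected: object        # True for a required control, or a numeric minimum
    risk: int               # 1 (low) .. 5 (high): how dangerous the gap would be
    compliance_impact: int  # 1 (low) .. 5 (high): weight in the compliance assessment


# Step 1: target state (constructed sample, not any standard's actual text)
BASELINE = [
    Requirement("encryption_at_rest", True, 4, 5),
    Requirement("mfa_admin_accounts", True, 5, 5),
    Requirement("log_retention_days", 365, 3, 4),
    Requirement("endpoint_protection", True, 5, 3),
]

# Step 2: current state from interviews and tool output (constructed sample);
# a control with no evidence at all is simply absent and counts as a gap
CURRENT_STATE = {
    "encryption_at_rest": True,
    "mfa_admin_accounts": False,
    "log_retention_days": 90,
}


def is_satisfied(req, observed):
    """A control passes only with positive evidence: True, or a value meeting the minimum."""
    if observed is None:
        return False
    if isinstance(req.expected, bool):
        return observed is True
    return observed >= req.expected


def find_gaps(baseline, current):
    """Step 3: every unmet requirement becomes a specific, measurable gap, ordered by priority."""
    gaps = []
    for req in baseline:
        observed = current.get(req.control)
        if not is_satisfied(req, observed):
            gaps.append({"control": req.control, "required": req.expected,
                         "observed": observed, "priority": req.risk * req.compliance_impact})
    return sorted(gaps, key=lambda g: (-g["priority"], g["control"]))


def remediation_due_days(priority):
    """Step 4 helper: higher priority means a shorter remediation window (constructed policy)."""
    return 30 if priority >= 20 else 90 if priority >= 10 else 180
```

Running `find_gaps(BASELINE, CURRENT_STATE)` on this sample yields three gaps, with the missing admin MFA ranked first and the short log retention last.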

Gap analysis is a living process: gaps change as the environment evolves, new threats emerge, and standards are updated. An initial gap analysis establishes the baseline; periodic reassessment tracks progress and identifies new gaps.

āš ļø Exam Trap: Gap analysis identifies what's missing; risk assessment quantifies how dangerous each gap is. They're complementary but different processes. Gap analysis says "we don't have endpoint protection." Risk assessment says "that gap represents $500,000 in annual risk."

Written by Alvin Varughese
Founder • 15 professional certifications