Definitions Series
Mike Piekarski

What is a Gap Assessment? Mapping Security Posture to Industry Standards

Learn how gap assessments compare your current security practices against established frameworks like NIST, CIS, and ISO 27001 to identify improvement opportunities.

A gap assessment compares an organization’s current cybersecurity practices against established industry standards and frameworks. It identifies discrepancies between your current security posture and required standards based on regulatory requirements, insurance mandates, industry best practices, and business objectives.

Who Needs a Gap Assessment?

Gap assessments serve organizations across industries, including:

  • Healthcare providers and business associates needing HIPAA compliance validation
  • Financial institutions facing NY DFS 500, GLBA, or SOC 2 requirements
  • Higher education institutions protecting student data and research assets
  • Defense contractors pursuing CMMC certification
  • Manufacturers addressing supply chain security requirements
  • Law firms protecting client confidentiality and privileged information
  • Businesses with cyber insurance needing to demonstrate security maturity
  • Organizations with third-party security requirements from customers or partners

Applicable Frameworks

CIS Controls

The Center for Internet Security’s prioritized set of cybersecurity actions, organized into Implementation Groups based on organizational resources and risk profile. Highly practical and actionable. See our detailed guide on CIS gap assessments.

NIST Cybersecurity Framework

A flexible framework organized around six core functions: Identify, Protect, Detect, Respond, Recover, and Govern. Widely adopted across industries and recognized by regulators. Learn more about our NIST CSF gap assessment approach.

NIST 800-53

A comprehensive catalog of security and privacy controls used by federal agencies and increasingly adopted by private sector organizations seeking rigorous control frameworks.

ISO 27001

An international standard for information security management systems, providing a systematic approach to managing sensitive information through risk management processes. Explore our ISO 27001 gap assessment services.

Regulatory Frameworks

Industry-specific requirements including HIPAA for healthcare, NY DFS 500 for financial services, NIST 800-171 and CMMC for defense contractors, SEC rules for public companies, and GDPR for organizations handling EU data.

Assessment Methodology

1. Contextual Understanding

We begin by understanding your business operations, regulatory environment, and risk tolerance. Security controls must align with business objectives, not just check compliance boxes.

2. Documentation Review

Comprehensive review of existing policies, procedures, standards, and guidelines. We evaluate not just whether documentation exists, but whether it’s current, comprehensive, and actually followed.

3. Stakeholder Interviews

Conversations across departments—IT, security, legal, HR, operations, and business units—to understand how controls are implemented in practice and where gaps exist between policy and reality.

4. Technical Validation

Where appropriate, technical validation confirms that controls work as intended. This might include configuration reviews, log analysis, or limited technical testing.

5. Gap Analysis

Detailed comparison of current state against target framework requirements, with clear identification of gaps, their severity, and their business impact.

6. Roadmap Development

Actionable recommendations prioritized by risk, effort, and business impact. The roadmap provides a practical path to improved security posture, not just a list of deficiencies.

Gap Assessment vs. Vulnerability Assessment

These terms are often confused, but they serve different purposes:

Vulnerability assessments focus on technical flaws—unpatched systems, misconfigured services, and exploitable weaknesses in your technology environment.

Gap assessments evaluate your entire security program—governance, policies, procedures, technical controls, and human factors—against a comprehensive framework.

A vulnerability assessment might tell you that a server is missing patches. A gap assessment reveals that you lack a patch management program, explains why patches aren’t being applied consistently, and provides a path to sustainable improvement.

What You’ll Receive

Current State Assessment

Detailed documentation of your existing security posture across all framework domains, including evidence of what’s working well.

Gap Analysis

Clear identification of gaps between current state and target framework, with severity ratings and business context.

Risk Prioritization

Gaps prioritized by potential business impact, likelihood of exploitation, and regulatory significance.

Remediation Roadmap

Practical recommendations organized into phases, with effort estimates and dependencies clearly identified.

Executive Summary

Board-ready summary of findings and recommendations, translating technical gaps into business risk terms.

Getting Started

A gap assessment provides the foundation for strategic security improvement. Rather than reacting to incidents or audit findings, you gain a clear picture of where you stand and where you need to go.

Ready to understand your security posture? Contact Breach Craft to discuss a gap assessment tailored to your organization and compliance requirements.
