Skip to main content
Definitions Series
6 min read

What is a Gap Assessment? Mapping Security Posture to Industry Standards

Learn how gap assessments compare your current security practices against established frameworks like NIST, CIS, and ISO 27001 to identify improvement opportunities.

What is a Gap Assessment? Mapping Security Posture to Industry Standards

A gap assessment compares an organization’s current cybersecurity practices against established industry standards and frameworks. It identifies discrepancies between your current security posture and required standards based on regulatory requirements, insurance mandates, industry best practices, and business objectives.

Most organizations come to a gap assessment for one of two reasons. An auditor, insurer, or customer is asking for proof, or leadership wants to know how exposed the business actually is before something forces the question. Both are good reasons, and the output is the same either way: a clear map of where you stand against a chosen standard, and an ordered plan to close the distance.

Who Needs a Gap Assessment?

Gap assessments serve organizations across industries, including:

  • Healthcare providers and business associates needing HIPAA compliance validation
  • Financial institutions facing NY DFS 500, GLBA, or SOC 2 requirements
  • Higher education institutions protecting student data and research assets
  • Defense contractors pursuing CMMC certification
  • Manufacturers addressing supply chain security requirements
  • Law firms protecting client confidentiality and privileged information
  • Businesses with cyber insurance needing to demonstrate security maturity
  • Organizations with third-party security requirements from customers or partners

Applicable Frameworks

CIS Controls

The Center for Internet Security’s prioritized set of cybersecurity actions, organized into Implementation Groups based on organizational resources and risk profile. Highly practical and actionable. See our detailed guide on CIS gap assessments.

NIST Cybersecurity Framework

A flexible framework organized around six core functions: Identify, Protect, Detect, Respond, Recover, and Govern. Widely adopted across industries and recognized by regulators. Learn more about our NIST CSF gap assessment approach.

NIST 800-53

A detailed catalog of security and privacy controls used by federal agencies and increasingly adopted by private sector organizations seeking rigorous control frameworks.

ISO 27001

An international standard for information security management systems, providing a systematic approach to managing sensitive information through risk management processes. Explore our ISO 27001 gap assessment services.

Regulatory Frameworks

Industry-specific requirements including HIPAA for healthcare, NY DFS 500 for financial services, NIST 800-171 and CMMC for defense contractors, SEC rules for public companies, and GDPR for organizations handling EU data.

Assessment Methodology

1. Contextual Understanding

We begin by understanding your business operations, regulatory environment, and risk tolerance. Security controls must align with business objectives, not just check compliance boxes.

2. Documentation Review

Full review of existing policies, procedures, standards, and guidelines. We evaluate whether documentation exists, whether it’s current, complete, and whether anyone actually follows it.

3. Stakeholder Interviews

Conversations across departments (IT, security, legal, HR, operations, and business units) to understand how controls are implemented in practice and where gaps exist between policy and reality.

4. Technical Validation

Where appropriate, technical validation confirms that controls work as intended. This might include configuration reviews, log analysis, or limited technical testing.

5. Gap Analysis

Detailed comparison of current state against target framework requirements, with clear identification of gaps, their severity, and their business impact.

6. Roadmap Development

Actionable recommendations prioritized by risk, effort, and business impact. The roadmap provides a practical path to improved security posture, not just a list of deficiencies.

Gap Assessment vs. Vulnerability Assessment

These terms are often confused, but they serve different purposes:

Vulnerability assessments focus on technical flaws: unpatched systems, misconfigured services, and exploitable weaknesses in your technology environment.

Gap assessments evaluate your entire security program (governance, policies, procedures, technical controls, and human factors) against a complete framework.

A vulnerability assessment might tell you that a server is missing patches. A gap assessment reveals that you lack a patch management program, explains why patches aren’t being applied consistently, and provides a path to sustainable improvement.

What Gap Assessments Usually Reveal

After enough assessments, the same gaps surface regardless of industry or framework. Policies exist but nobody follows them, or they were written years ago and no longer match how the company runs. No one can produce a current asset inventory, so “protect everything” has no list to work from. Ownership is fuzzy: everyone assumes someone else handles patching, logging, or vendor review. Logging is turned on but nobody reads it. Backups exist but have never been restored.

We wrote up the recurring patterns in the five gaps we find in almost every security program. None of them are exotic. They are the unglamorous, structural things a framework forces into the open and a checklist never will.

What You’ll Receive

The output is a plan you can act on, not a binder that sits on a shelf. A gap assessment delivers:

  • Current state assessment: where you actually stand across every domain of the framework, including the controls you already have right.
  • Gap analysis: each gap between today and the target, with a severity rating and the business context that explains why it matters.
  • Risk prioritization: gaps ranked by business impact, likelihood, and regulatory weight, so you know what to fix first.
  • Remediation roadmap: phased recommendations with effort estimates and dependencies, sequenced for momentum, not dumped as a backlog.
  • Executive summary: the same findings in business-risk terms a board can act on without a translator.

How Often Should You Run One?

A gap assessment is a baseline, not a one-time event. Run the first when you adopt a framework, face a new compliance requirement, or want a defensible picture of your posture. After that, reassess annually, or whenever something material changes: a merger, a new product line, a move into a new regulatory regime, or an incident that exposed an assumption. Between assessments, the roadmap is the working document.

From Assessment to Program

The assessment is the easy part. Closing the gaps is the work, and it is where most programs stall, because the roadmap competes with everything else IT already has to do. The organizations that actually improve treat the roadmap as a managed program: an owner, a cadence, and someone accountable for the next milestone. If that person does not exist internally, a virtual CISO can own the roadmap and drive it between assessments. The gap assessment tells you where to go. The program is how you get there.

Getting Started

A gap assessment provides the foundation for strategic security improvement. Rather than reacting to incidents or audit findings, you gain a clear picture of where you stand and where you need to go.

Ready to understand your security posture? Contact Breach Craft to discuss a gap assessment tailored to your organization and compliance requirements.

Frequently Asked Questions

What is a cybersecurity gap assessment?

A gap assessment compares your organization's current cybersecurity practices against established industry standards and frameworks like NIST CSF, CIS Controls, or ISO 27001. It identifies discrepancies between your current security posture and required standards based on regulatory requirements, insurance mandates, and business objectives.

Who needs a gap assessment?

Gap assessments serve organizations across industries, including healthcare providers needing HIPAA validation, financial institutions facing regulatory requirements, defense contractors pursuing CMMC certification, businesses with cyber insurance mandates, and any organization wanting to measure security maturity against established frameworks.

What is the difference between a gap assessment and a vulnerability assessment?

Vulnerability assessments focus on technical flaws like unpatched systems and misconfigurations. Gap assessments evaluate your entire security program (governance, policies, procedures, technical controls, and human factors) against an established framework. A vulnerability assessment finds a missing patch; a gap assessment reveals the lack of a patch management program.

What frameworks are used in gap assessments?

Common frameworks include CIS Controls (prioritized cybersecurity actions organized by Implementation Groups), NIST Cybersecurity Framework (six core functions: Identify, Protect, Detect, Respond, Recover, Govern), NIST 800-53 (a detailed security controls catalog), and ISO 27001 (international information security management standard).

What deliverables come from a gap assessment?

You receive a current state assessment documenting your security posture, a gap analysis identifying discrepancies with severity ratings, risk prioritization based on business impact, a phased remediation roadmap with effort estimates, and a board-ready executive summary translating technical gaps into business risk terms.

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873