✦ Compliance Fundamentals

What Is a Compliance Gap Assessment?

The single most important thing you can do before starting any compliance program — what it is, why it matters, and how to run one in minutes for free.

10 min read · Audience: founders, security leads, compliance teams

A compliance gap assessment is a structured evaluation of your organization's current security controls, policies, and processes against the requirements of a specific compliance framework — SOC 2, ISO 27001, HIPAA, CMMC, GDPR, or others.

The output is a gap list: every area where your current state falls short of what the framework requires. Each gap comes with a severity, an owner, and ideally a remediation path. Together, the gaps form your compliance roadmap — the exact work required to get from where you are today to audit-ready.

Before the auditor — always.
Free or low-cost to run.
~30 min for an initial score.

The simplest definition: A gap assessment answers the question "how far are we from being compliant?" It's the GPS that tells you where you are before you start navigating. Without it, you're guessing at timelines, costs, and how much remediation work you face.

Why It Has to Come First

Most compliance mistakes happen before the audit even starts. Here's why a gap assessment is the non-negotiable first step of any compliance program:

It prevents expensive mid-audit surprises

Auditors charge by the hour. When they discover significant gaps during a paid engagement — missing access reviews, no incident response plan, incomplete logging — they bill you for the time to identify and document those findings. That same discovery costs nothing if you find it yourself two months earlier. Organizations that skip the gap assessment and go straight to an auditor consistently overspend on the audit phase.

It tells you how much remediation work you actually face

Compliance costs vary enormously based on your starting point. A company with strong existing security controls might spend $10,000 on remediation before their SOC 2 audit. A company starting from scratch might spend $80,000. You can't budget, plan, or set a timeline without knowing which situation you're in. A gap assessment gives you that number before you commit to anything.

It lets you scope intelligently

Most frameworks let you choose your scope. SOC 2 lets you choose which Trust Services Criteria to include. ISO 27001 lets you define which systems and business units are in scope. CMMC lets you define your CUI boundary. The gap assessment shows you which scope decisions are available to you and what the cost and timeline implications of each are. Scoping without a gap assessment means guessing at those tradeoffs.

It shows you where multiple frameworks overlap

If you're eventually pursuing SOC 2 and ISO 27001, HIPAA and SOC 2, or CMMC and NIST AI RMF — a gap assessment across all target frameworks shows you which controls satisfy more than one requirement. This shared evidence base is how companies do dual certification at 30–40% of the cost of sequential programs. You can't identify the overlap without first knowing what each framework requires of you.

The expensive mistake: The most common and costly error in compliance programs is engaging an auditor before running a gap assessment. The auditor becomes a very expensive consultant who discovers your gaps — at $200–$400/hour. Those same gaps could have been identified in a free tool in 30 minutes.

What a Gap Assessment Covers

A compliance gap assessment evaluates your organization across the control domains of your target framework. For most security and privacy frameworks, that means:

Beyond these common controls, each framework adds requirements specific to its focus area — AI governance for NIST AI RMF, PHI-specific safeguards for HIPAA, CUI handling for CMMC, and so on.

Gap Assessments by Framework

The specific controls evaluated in a gap assessment depend entirely on the target framework. Here's what each major framework assessment covers:

SOC 2 Gap Assessment

Evaluates your controls against the AICPA Trust Services Criteria — Security (mandatory) plus any optional criteria: Availability, Confidentiality, Processing Integrity, Privacy. Produces a readiness score and prioritized gap list before you engage a CPA firm.

ISO 27001 Gap Assessment

Assesses your current state against all 10 mandatory clauses (4–10) and the 93 Annex A controls in the 2022 edition. Identifies which controls are missing or partial and informs your Statement of Applicability before the certification body gets involved.

HIPAA Gap Assessment

Covers all three rules: the Security Rule (administrative, physical, and technical safeguards), the Privacy Rule, and the Breach Notification Rule. Often called a HIPAA Risk Analysis. It is required as the foundation of the Security Rule, and its absence is the most common finding in OCR audits.

CMMC Gap Assessment

Evaluates your implementation of the 110 NIST SP 800-171 controls required for Level 2. Produces an SPRS score — the number DoD contracting officers see. Essential before engaging a C3PAO, as remediation costs scale directly with your starting score.

AI Compliance: NIST AI RMF / ISO 42001 Gap Assessment

Assesses your AI governance program against the four functions of the NIST AI RMF (GOVERN, MAP, MEASURE, MANAGE) and/or ISO 42001's AIMS requirements. Identifies gaps in AI risk management, bias controls, transparency, and human oversight before pursuing certification.

Privacy: GDPR / CCPA Gap Assessment

Evaluates data processing activities, consent mechanisms, privacy notices, data subject rights processes, cross-border transfer mechanisms, and breach notification procedures against GDPR or CCPA requirements.

How to Run a Compliance Gap Assessment

A gap assessment follows the same basic structure regardless of the target framework:

  1. Choose your framework. Identify which compliance framework you're targeting based on customer requirements, regulatory obligations, or strategic goals. If multiple frameworks apply, assess all of them simultaneously — the overlap analysis is one of the most valuable outputs.
  2. Define your scope. Determine which systems, people, processes, and locations are in scope. Scope directly determines what costs money to remediate — narrower, well-defined scope means a faster, cheaper path to compliance.
  3. Evaluate current controls. For each control in the framework, assess whether it is fully implemented, partially implemented, or missing. Be honest — auditors will test this. Documenting a control as implemented when it isn't is worse than documenting it as a gap.
  4. Document and prioritize gaps. Record every gap with a severity rating — critical (would cause audit failure), major (significant finding), or minor (observation). Prioritize by severity and by how much the control reduces risk if implemented.
  5. Build your remediation roadmap. Translate the gap list into an action plan: what needs to be built, who owns it, in what order, and by when. This roadmap becomes your implementation guide and the basis for your timeline and budget estimates.

The fastest path: Our free gap assessment tool walks you through this entire process in about 30 minutes. Answer questions about your current controls and get an AI-powered readiness score, gap analysis, and PDF report — across SOC 2, ISO 27001, HIPAA, CMMC, and more simultaneously.

Gap Assessment vs. Risk Assessment

These terms are often confused. They're related but serve different purposes:

| Dimension | Gap Assessment | Risk Assessment |
|---|---|---|
| Purpose | Measures adherence — are your controls in place? | Evaluates exposure — what threats face you and how severe? |
| Focus | Controls vs. framework requirements | Threats, vulnerabilities, likelihood, and impact |
| Output | List of missing/incomplete controls with remediation tasks | Risk ratings, prioritized mitigations, risk acceptance decisions |
| Driven by | Framework requirements (checklist-driven) | Threat landscape and business context (scenario-driven) |
| Required by frameworks | Recommended; some frameworks require it (HIPAA) | Required by ISO 27001, HIPAA, CMMC, and most frameworks |
| Sequence | Typically first — establishes your baseline | Follows gap assessment — informs risk treatment decisions |

In practice, a gap assessment and a risk assessment are complementary. The gap assessment tells you which controls are missing; the risk assessment tells you which missing controls matter most given your specific threat environment. Most compliance programs benefit from both.

Gap Assessment vs. an Audit

A gap assessment is not an audit, and the distinction matters:

The sequence that saves money: Gap assessment → remediation → audit. Skipping straight to the audit without a gap assessment is the single most reliable way to overspend on compliance.

Cost and Time

Gap assessments range from free to expensive depending on method:

| Method | Time | Cost | Best for |
|---|---|---|---|
| Free automated tool | 15–60 minutes | $0 | Initial baseline, startups, early-stage programs |
| Self-assessment with template | 2–5 days | $0–$500 | Companies with internal security expertise |
| Consultant-led assessment | 2–6 weeks | $5,000–$25,000 | Complex environments, enterprise scope, multiple frameworks |
| Auditor-led readiness assessment | 2–4 weeks | $10,000–$30,000 | Pre-audit readiness verification with the actual audit firm |

The cost of not running a gap assessment is almost always higher than the assessment itself. Mid-audit gap discoveries routinely add $10,000–$50,000 to audit costs. The ROI on a free assessment is essentially infinite.

Run Your Free Gap Assessment Now

Answer 30 questions about your current security controls. Get an AI-powered readiness score across SOC 2, ISO 27001, HIPAA, CMMC, and more — plus a prioritized gap list and downloadable PDF report. Takes about 30 minutes.

Frequently Asked Questions

What is the difference between a gap assessment and a gap analysis?

The terms are used interchangeably in practice. Both describe the same process: comparing your current state against a target framework and identifying the differences. Some organizations distinguish "gap analysis" as the broader analytical process and "gap assessment" as the specific evaluation activity, but there is no meaningful technical distinction between the two terms. For a full breakdown, see our guide: Gap Assessment vs Gap Analysis: Is There Actually a Difference?

Do I need a gap assessment before SOC 2?

Yes — it's the most important step before engaging a SOC 2 auditor. Without it, you're guessing at your remediation timeline and cost. Auditors who discover significant gaps mid-engagement charge you for the extra time. See our full SOC 2 compliance guide for the complete process.

Can a gap assessment cover multiple frameworks at once?

Yes, and this is one of the most valuable things about running a multi-framework gap assessment. Many controls satisfy requirements across SOC 2, ISO 27001, and HIPAA simultaneously. Seeing the overlap before you start compliance work lets you build a shared evidence base that satisfies multiple frameworks rather than running separate programs sequentially. Our free tool assesses multiple frameworks in a single pass.

How is a gap assessment different from a penetration test?

A gap assessment evaluates whether your security controls and policies exist and are implemented correctly — it's a documentation and process review. A penetration test actively probes your systems to find exploitable vulnerabilities — it's a technical attack simulation. Both are useful, and most frameworks eventually require some form of penetration testing, but a gap assessment comes first in the compliance sequence.

Who should run a compliance gap assessment?

Anyone starting a compliance program, pursuing a new framework, preparing for an audit, or doing periodic compliance health checks. Specifically: founders and CTOs preparing for their first enterprise sales process, security leads building or expanding a compliance program, compliance teams preparing for ISO 27001 or SOC 2 audits, and organizations that have received a security questionnaire they can't fully answer.

How often should you run a gap assessment?

At minimum: before every audit cycle and whenever you make significant changes to your systems, scope, or the regulatory landscape. Best practice: quarterly for high-growth companies or those in heavily regulated industries. Many compliance platforms offer continuous monitoring that functions as an ongoing gap assessment — flagging deviations from your control baseline in real time.