GAP ANALYSIS, EXPLAINED

A cybersecurity gap analysis,
explained from the ground up.

A gap analysis compares what your security program does today against a recognized framework and shows where the distance is. This page covers what that means, how it is traditionally done, what it usually costs, and where a guided first pass fits in.

30 questions·10–15 minutes·NIST CSF 2.0·free
WHAT IT IS

What a cybersecurity gap analysis measures

A cybersecurity gap analysis is a structured comparison between your current security posture and the controls a chosen framework expects you to have. Each gap is the difference between where a control stands today and where the framework says it should be, and the result is an ordered list of what to close first.

THE GAP

Your posture today
Framework target

The gap is the distance between the two, ranked by what to close first.

THE METHOD

How the analysis works, step by step

The method is a repeatable workflow, not a one-off report.

01

Framework selection

Choose the standard you measure against. NIST CSF 2.0 sets the structure here.

02

Guided assessment

Answer focused questions about your controls, with guidance on what each one asks for.

03

Scoring

Your answers map to framework categories and produce a maturity score per area.

04

Gap identification

Each area is compared to the expected control level, surfacing where you fall short.

05

Remediation roadmap

Gaps become prioritized actions, ordered by severity and tagged to the relevant CSF categories.

06

Expert review

A practitioner checks the findings and helps plan the work where the stakes justify it.

TRADITIONAL APPROACH

How a gap analysis is traditionally run

Run the classic way, it is a consulting engagement across four phases over roughly four to eight weeks. The work is largely manual, which is what drives both the timeline and the price.

01

Understand your obligations

1–2 weeks

Map the regulations and frameworks that apply to you.

02

Assess current state

2–4 weeks

Inventory assets, policies, and systems as they exist today.

03

Map requirements to measures

1–2 weeks

Compare each requirement against what is actually in place.

04

Document and categorize gaps

1 week

Record each gap and rank it by severity and business impact.

WHAT IT COSTS

What the traditional approach costs

A manual gap analysis is expensive in two currencies, money and time. These are typical ranges for a consulting engagement, not fixed prices.

Typical engagement

$15K–$40K

for a mid-size organization, before internal hours.

$40K–$100K+
Enterprise scope
40–80 hrs
Internal time
4–8 wks
End to end
THE TRADEOFFS

The tradeoffs of the manual method

It produces a thorough report, but the cost shows up in three dimensions. Because it captures a single point in time, the picture also begins aging once the engagement ends.

High costs

Mid-size org
$15K–$40K
Large enterprise
$40K–$100K+
Internal time
40–80 hrs

Plus the staff hours pulled off other work.

Long timelines

Scheduling
1–2 wks
Manual assessment
2–4 wks
Roadmap prep
1 wk

Roughly one to two months end to end.

Quality issues

Consultant variability
inconsistent
Manual errors
possible
Scope
budget-bound

A single point-in-time snapshot.

TWO APPROACHES

Traditional consulting vs a guided first pass

A common pattern: run the guided pass first for a consistent baseline, then bring in experts for the areas that warrant it.

Traditional consulting

Timeframe
4–8 weeks
Cost
$15,000–$40,000
Method
Manual, varies by consultant
Outcome
Static, point-in-time
· Same question bank and scoring each run, so reruns are comparable.· Can be repeated quarterly to track movement between deeper reviews.
WHAT YOU GET

What the guided pass produces

A guided first pass turns your answers into a concrete deliverable: a maturity score, coverage by NIST function, and a prioritized list of what to fix, each item tagged to a CSF category with the evidence you would be expected to show. The numbers below are a sample output, shown to illustrate the format. They are not your results.

Sample output · illustrative. Not your results.

Maturity score

62/100
Managed

sample figure

Coverage by NIST function

GV · Govern68
ID · Identify84
PR · Protect64
DE · Detect36
RS · Respond55
RC · Recover60

Prioritized remediation

PR.AAEnforce MFA on admin accounts

Evidence · IdP configuration export

P1
DE.CMCentralize log monitoring

Evidence · SIEM ingestion config

P2
GV.RRAssign security roles and responsibilities

Evidence · RACI matrix

P3
Next review · Q4 2026Strongest · IDENTIFYWeakest · DETECT
FRAMEWORK COVERAGE

Frameworks you can measure against

The guided assessment is built on NIST CSF 2.0 and its six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Others are being added over time.

NIST CSF 2.0 · Available nowISO 27001 · On the roadmapCIS Controls · On the roadmapSOC 2 · On the roadmapPCI DSS · On the roadmapHIPAA · On the roadmapGDPR · On the roadmap
BY SECTOR

How different sectors map to frameworks

The same method applies across regulated industries. Each maps its obligations to one or more cybersecurity frameworks.

Healthcare
HIPAAHITECH
Financial services
PCI DSSSOX
Government
FISMANIST
Manufacturing
ISO 27001NIST
Technology
SOC 2ISO 27001
Education
FERPANIST
COMMON QUESTIONS

Questions people ask

How long does the free assessment take?

About 10–15 minutes for a first pass. It covers the foundations of your posture and returns a maturity score mapped to NIST CSF categories.

Which framework does it use?

It is aligned to NIST CSF 2.0. ISO 27001, CIS Controls, SOC 2, PCI DSS, HIPAA, and GDPR are on the roadmap.

Does this replace a formal audit?

No. A gap analysis identifies and prioritizes gaps. A formal certification audit still requires a qualified auditor.

Are my answers stored?

Yes, in your encrypted account, so you can revisit them and track progress over time. You can delete your account at any time.

What do the paid tiers add?

A deeper assessment, per-control breakdowns, remediation planning, evidence guidance, scheduled reruns, and a framework-aligned action plan with status tracking.

Run your first pass

Begin with a free, NIST-aligned assessment. You will end with a maturity score and a prioritized starting point. No credit card required.