Know exactly where you stand before an auditor tells you
We assess your current controls against the compliance framework(s) you need to meet, and deliver a prioritized, actionable roadmap to close every gap.
A clear picture of "where you are" vs. "where you need to be"
A compliance gap analysis compares your existing policies, technical controls, and evidence against the specific requirements of a framework or regulation. The output isn't a generic checklist — it's a control-by-control breakdown of what's already in place, what's partially in place, and what's missing entirely.
Whether you're preparing for a first-time audit, responding to a customer security questionnaire, or maintaining an existing certification, the gap analysis gives you a defensible starting point and a realistic timeline to close remaining gaps.
You'll walk away with:
- A control-by-control gap report mapped to your target framework
- Risk-rated findings, prioritized by severity and effort
- A remediation roadmap with owners and timelines
- Audit-ready documentation templates and evidence guidance
- Optional hands-on support implementing fixes
Assessed against the standards that matter to your industry
| Framework | Typically required for | What we assess |
|---|---|---|
| SOC 2 (Type I / II) | SaaS & technology vendors | Security, availability, confidentiality trust service criteria |
| ISO 27001 | Enterprises & international operations | ISMS scope, Annex A controls, risk treatment |
| HIPAA | Healthcare & healthtech | Administrative, physical, and technical safeguards for ePHI |
| PCI DSS | Businesses handling card payments | Cardholder data environment controls, network segmentation |
| NIST CSF / 800-53 | Government contractors & critical infrastructure | Identify, protect, detect, respond, recover functions |
| GDPR | Businesses handling EU personal data | Data protection principles, processing records, breach readiness |
| CMMC | Defense Industrial Base (DoD) contractors | Maturity level requirements and NIST 800-171 controls |
Working toward a framework not listed here? Get in touch — we scope custom assessments too.
From kickoff to remediation roadmap in five steps
Scoping & framework selection
We confirm which framework(s) apply, the systems in scope, and any deadlines driving the engagement.
Evidence collection & interviews
We review existing policies, configurations, and documentation, and interview key stakeholders.
Control-by-control assessment
Every applicable control is rated: met, partially met, or not met, with supporting evidence noted.
Gap report & risk rating
Findings are consolidated into a report that prioritizes gaps by risk, effort, and audit impact.
Remediation roadmap
You receive a phased plan with owners and target dates — and can engage us to help implement it.