# Gap analysis

**What is a gap analysis in IT security?**

A gap analysis compares the current state of IT security against a defined target state and records every gap between the two. The target comes from a requirement catalogue such as the GDPR, ISO/IEC 27001 or a client's security questionnaire. The result is a prioritised list of open points.

A gap analysis almost always has a trigger. A client sends a security questionnaire, an insurer asks about your security level before writing a policy, certification against ISO/IEC 27001 is on the agenda, the international standard for information security management systems, or it is unclear whether your business falls under the NIS2 directive, the EU cybersecurity rules that apply to certain sectors and company sizes. The question is the same in every case: what does the catalogue require, and where does the business stand today?

The first step is agreeing the benchmark. A gap can only be named once it is clear what the measurement is against. Evidence is then gathered: documents, system configurations, spot checks in day to day operation and conversations with the people who know the processes. Each requirement ends up with a status, typically met, partly met or open, each with a reason and supporting evidence.

For a business without an IT department the benchmark may stay lean. A workable catalogue consists of the technical and organisational measures required by Article 32 of the GDPR, the security questions asked by your main clients, and the points a cyber insurer asks for on its application form. Those three sources cover what counts first in daily operation: access, backups, updates, staff training and emergency preparation.

The value of the analysis appears in the follow-up. Every gap needs a measure, a deadline and a named person responsible. Without those three details the list remains a mere description of the situation. A gap analysis therefore flows into an action plan that orders the open points by risk and effort and gives you a basis for budget and sequence.

The stocktake on site supplies the data for that comparison. The IT Check records the current state across 8 audit areas with more than 100 individual checks, takes 1 to 5 hours on site depending on the size of the business and delivers the findings within 14 working days. A non-disclosure agreement is signed before work begins. An initial 20 minute conversation is at no charge and clarifies which benchmark suits your business.

## Related terms
- [IT security audit](https://vetosec.at/en/it-security/it-sicherheitsaudit/)
- [ISO/IEC 27001](https://vetosec.at/en/it-security/iso-27001/)
- [NIS2](https://vetosec.at/en/it-security/nis2/)
- [Findings report and action plan](https://vetosec.at/en/it-security/befund-massnahmenplan/)

## Source
https://vetosec.at/en/it-security/gap-analyse/ (vetosec, pruefung)
