Audit and testing
Gap analysis
What is a gap analysis in IT security?
A gap analysis compares the current state of IT security against a defined target state and records every gap between the two. The target comes from a requirement catalogue such as the GDPR, ISO/IEC 27001 or a client's security questionnaire. The result is a prioritised list of open points.
A gap analysis almost always has a trigger. A client sends a security questionnaire, an insurer asks about your security level before writing a policy, certification against ISO/IEC 27001 is on the agenda, the international standard for information security management systems, or it is unclear whether your business falls under the NIS2 directive, the EU cybersecurity rules that apply to certain sectors and company sizes. The question is the same in every case: what does the catalogue require, and where does the business stand today?
The first step is agreeing the benchmark. A gap can only be named once it is clear what the measurement is against. Evidence is then gathered: documents, system configurations, spot checks in day to day operation and conversations with the people who know the processes. Each requirement ends up with a status, typically met, partly met or open, each with a reason and supporting evidence.
For a business without an IT department the benchmark may stay lean. A workable catalogue consists of the technical and organisational measures required by Article 32 of the GDPR, the security questions asked by your main clients, and the points a cyber insurer asks for on its application form. Those three sources cover what counts first in daily operation: access, backups, updates, staff training and emergency preparation.
The value of the analysis appears in the follow-up. Every gap needs a measure, a deadline and a named person responsible. Without those three details the list remains a mere description of the situation. A gap analysis therefore flows into an action plan that orders the open points by risk and effort and gives you a basis for budget and sequence.
The stocktake on site supplies the data for that comparison. The IT Check records the current state across 8 audit areas with more than 100 individual checks, takes 1 to 5 hours on site depending on the size of the business and delivers the findings within 14 working days. A non-disclosure agreement is signed before work begins. An initial 20 minute conversation is at no charge and clarifies which benchmark suits your business.
Gap analysis against standards and requirements Record the current state with the IT Check
All terms in the knowledge base
Note: This entry reflects the state of knowledge to the best of our understanding and serves as general orientation. It is not legal advice. What counts is always the version currently in force at the responsible body, for example dsb.gv.at, nis.gv.at or enisa.europa.eu.
From the term to practice
Where does your business actually stand?
The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.