Compliance Services Authority

Compliance Gap Analysis: Process and Best Practices

A compliance gap analysis is a structured evaluation that measures the distance between an organization's current practices and the requirements imposed by applicable regulations, standards, or internal policies. This page covers the definition and scope of gap analysis within compliance programs, the step-by-step process used to conduct one, the regulatory contexts in which gap analyses appear most frequently, and the decision points that determine scope, depth, and follow-up action. Organizations that operate under frameworks such as HIPAA, ISO 27001, or OSHA standards use gap analysis as a foundational tool for identifying exposure before regulators do.


Definition and scope

A compliance gap analysis identifies, documents, and prioritizes the specific controls, policies, procedures, or practices that an organization lacks or has only partially implemented relative to a defined compliance standard. The "gap" is the measurable difference between a requirement's stated expectation and the organization's demonstrable current state.

Scope varies significantly based on the triggering framework. Under the Health Insurance Portability and Accountability Act (HIPAA), the U.S. Department of Health and Human Services (HHS Office for Civil Rights) expects covered entities to assess administrative, physical, and technical safeguard requirements. Under the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF), gap analysis maps organizational functions—Identify, Protect, Detect, Respond, Recover—against documented control implementations. For workplace safety programs, the Occupational Safety and Health Administration (OSHA 29 CFR Part 1910) establishes the baseline against which gaps in general industry standards are measured.

Gap analysis differs from a full compliance risk assessment in one critical boundary: risk assessment quantifies likelihood and impact of identified risks, whereas gap analysis focuses on the presence or absence of a required control without necessarily weighting probability. Both are inputs to an effective compliance program, but they answer different questions.


How it works

A well-structured gap analysis follows a repeatable sequence of phases. The numbered breakdown below reflects the process model recognized by frameworks such as ISO 19011 (guidelines for auditing management systems) and the NIST SP 800-53 assessment methodology (NIST SP 800-53A, Rev. 5):

  1. Define the compliance baseline. Select the specific regulatory requirements, standards, or internal policies that constitute the target state. This includes pinning specific revision numbers (e.g., NIST SP 800-53 Rev. 5, ISO 27001:2022) so that assessors and stakeholders share a consistent reference point.

  2. Inventory current controls and practices. Collect documentation of existing policies, procedures, technical configurations, training records, and audit logs. Evidence gathering at this stage determines the validity of all subsequent conclusions.

  3. Map current state to requirements. Each requirement is rated against a defined maturity scale. A common three-point classification is Fully Implemented, Partially Implemented, and Not Implemented. NIST SP 800-53A uses a four-tier determination: Satisfied, Other Than Satisfied (with subclasses for partial and not satisfied).

  4. Identify and document gaps. Each unmet or partially met requirement becomes a documented gap with a reference to the specific control identifier (e.g., AC-2 Account Management under NIST SP 800-53) and a description of what evidence was absent or insufficient.

  5. Prioritize gaps. Gaps are ranked by regulatory obligation severity, enforcement history, and operational impact. Gaps tied to mandatory regulatory requirements take precedence over those tied to voluntary best practices.

  6. Report findings. A formal gap analysis report organizes findings by control family or regulatory domain, lists the evidence reviewed, and records the gap determination rationale. This document feeds directly into a compliance corrective action plan.
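The six phases above can be carried out in a small script, which is useful when the baseline has hundreds of controls. The following is an added example, not code from the original page or from any of the frameworks it names: it pins a baseline revision, takes a constructed evidence inventory, maps each control to the three-point scale and the NIST SP 800-53A determination wording, ranks gaps (mandatory obligations always outrank voluntary practices; the numeric weights for enforcement history and operational impact are constructed, 0 to 10 each), and groups the result by control family for the report. Control identifiers other than AC-2 are real NIST SP 800-53 IDs used only as sample labels; the evidence records and scores are invented.

```python
"""Gap-analysis mapper: baseline -> evidence -> determinations -> prioritized report.
Added example following the six phases of the process described above.
Evidence records, weights and scores are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Phase 1: the compliance baseline, pinned to a named revision.
BASELINE_REVISION = "NIST SP 800-53 Rev. 5"


@dataclass(frozen=True)
class Requirement:
    control_id: str   # e.g. "AC-2"
    title: str
    mandatory: bool   # regulatory obligation (True) vs. voluntary best practice (False)


@dataclass
class Evidence:
    control_id: str
    artifacts: list[str]   # documents, configurations, logs collected in phase 2
    coverage: float        # assessor's judgement of how much of the requirement they demonstrate, 0..1


@dataclass
class Gap:
    control_id: str
    family: str
    status: str            # three-point scale
    determination: str     # NIST SP 800-53A wording
    missing_evidence: str
    priority: int


def control_family(control_id: str) -> str:
    """'AC-2' -> 'AC'; 'AC-2(1)' -> 'AC'. The family is the prefix before the first dash."""
    return control_id.split("-", 1)[0].upper()


def classify(coverage: float) -> tuple[str, str]:
    """Phase 3: map evidence coverage to the three-point scale and the 800-53A determination."""
    if coverage >= 1.0:
        return "Fully Implemented", "Satisfied"
    if coverage > 0.0:
        return "Partially Implemented", "Other Than Satisfied (partial)"
    return "Not Implemented", "Other Than Satisfied (not satisfied)"


def score_gap(req: Requirement, status: str, enforcement_history: int, operational_impact: int) -> int:
    """Phase 5: obligation severity dominates; enforcement history and impact (0..10 each) break ties.
    With these constructed weights a voluntary control can score at most 30, a mandatory one at least 105."""
    severity = 100 if req.mandatory else 0
    depth = 10 if status == "Not Implemented" else 5
    return severity + depth + enforcement_history + operational_impact


def analyze(baseline, evidence_by_control, enforcement, impact) -> list[Gap]:
    """Phases 3-5: one determination per requirement; unmet ones become ranked gaps."""
    gaps = []
    for req in baseline:
        ev = evidence_by_control.get(req.control_id)
        coverage = ev.coverage if ev else 0.0
        status, determination = classify(coverage)
        if status == "Fully Implemented":
            continue  # satisfied requirements appear in the report, but are not gaps
        if ev is None or not ev.artifacts:
            missing = "no evidence collected"
        else:
            missing = f"evidence covers {coverage:.0%}: {', '.join(ev.artifacts)}"
        priority = score_gap(req, status, enforcement.get(req.control_id, 0), impact.get(req.control_id, 0))
        gaps.append(Gap(req.control_id, control_family(req.control_id), status, determination, missing, priority))
    gaps.sort(key=lambda g: (-g.priority, g.control_id))
    return gaps


def report_by_family(gaps: list[Gap]) -> dict[str, list[str]]:
    """Phase 6: group ranked gaps by control family for the written report."""
    out = defaultdict(list)
    for g in gaps:
        out[g.family].append(f"{g.control_id}: {g.status} [{g.determination}] - {g.missing_evidence}")
    return dict(out)


# Constructed sample input. Control IDs are real 800-53 identifiers; everything else is made up.
SAMPLE_BASELINE = [
    Requirement("AC-2", "Account Management", mandatory=True),
    Requirement("AC-6", "Least Privilege", mandatory=True),
    Requirement("AU-6", "Audit Record Review, Analysis, and Reporting", mandatory=True),
    Requirement("AT-2", "Literacy Training and Awareness", mandatory=False),
    Requirement("CM-6", "Configuration Settings", mandatory=True),
]
SAMPLE_EVIDENCE = {
    "AC-2": Evidence("AC-2", ["account-provisioning-sop.pdf", "access-review-2024Q3.xlsx"], 1.0),
    "AC-6": Evidence("AC-6", ["rbac-policy.pdf"], 0.5),
    "AU-6": Evidence("AU-6", [], 0.0),
    "AT-2": Evidence("AT-2", ["training-roster.csv"], 0.6),
    # CM-6 has no evidence record at all: phase 2 found nothing to collect
}
SAMPLE_ENFORCEMENT = {"AU-6": 8, "AC-6": 4, "CM-6": 6, "AT-2": 2}   # constructed, 0..10
SAMPLE_IMPACT = {"AU-6": 7, "AC-6": 9, "CM-6": 5, "AT-2": 3}        # constructed, 0..10

if __name__ == "__main__":
    ranked = analyze(SAMPLE_BASELINE, SAMPLE_EVIDENCE, SAMPLE_ENFORCEMENT, SAMPLE_IMPACT)
    print(f"Gap analysis against {BASELINE_REVISION}")
    for family, lines in report_by_family(ranked).items():
        print(family)
        for line in lines:
            print("  " + line)
```

With the sample data the three mandatory gaps (AU-6, CM-6, AC-6) rank above the voluntary AT-2 regardless of its impact score, and the fully evidenced AC-2 is recorded as Satisfied rather than as a gap. Separating `analyze` from `report_by_family` keeps the actionability threshold from the Decision boundaries section: the analysis ends at a determination per requirement, and remediation planning consumes its output rather than being folded into it.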


Common scenarios

Gap analysis appears across industry sectors under different triggering conditions.

Regulatory examination preparation — Financial institutions subject to examination by the Consumer Financial Protection Bureau (CFPB) or the Office of the Comptroller of the Currency (OCC) conduct gap analyses before scheduled supervisory reviews to identify control deficiencies before examiners do. The OCC's Large Bank Supervision Handbook explicitly references self-assessment processes that align with gap methodology.

Framework adoption or migration — When an organization transitions from one version of a standard to a newer revision—such as from ISO 27001:2013 to ISO 27001:2022—a gap analysis identifies the 11 new controls introduced in Annex A of the 2022 revision (ISO/IEC 27001:2022) that were absent from the prior version.

Post-incident remediation — Following a data breach or enforcement action, regulators frequently require a documented gap analysis as part of a corrective action or consent order. The Federal Trade Commission (FTC) has included gap analysis requirements in settlement agreements involving data security failures.

Merger and acquisition due diligence — Acquiring entities use gap analysis to evaluate the compliance posture of a target organization before transaction close, assessing exposure under frameworks applicable to the target's sector.


Decision boundaries

Determining when a gap analysis is sufficient—versus when a more expansive audit or risk assessment is required—depends on three classification criteria.

Scope breadth: A gap analysis scoped to a single control family (e.g., access control) is a targeted gap analysis. One that spans an entire regulatory framework across all business units is a comprehensive gap analysis. Targeted analyses are appropriate for post-patch verification or single-domain remediation confirmation. Comprehensive analyses are appropriate for initial program buildouts or framework certifications.

Evidence depth: A gap analysis that relies on interviews and policy review without technical testing is a documentation-level assessment. One that includes configuration scans, penetration test results, or log analysis crosses into technical assessment territory. Regulators such as HHS OCR distinguish between these in their audit protocols—documentation review and technical evaluation are listed as separate audit phases.

Actionability threshold: A gap analysis concludes when every requirement has received a determination and the findings are formally documented. Remediation planning, resource allocation, and control implementation are functions of the corrective action process, not the gap analysis itself. Conflating the two creates accountability gaps where neither the analysis nor the remediation is completed to a defined standard.

For organizations managing gap analysis as a recurring process, integration with compliance monitoring and auditing functions ensures that closed gaps are verified as sustained rather than treated as permanently resolved after initial remediation.

