Domain 1 · 1.2 Fundamental Security Concepts

1.2.4 Gap Analysis

10 min

Gap Analysis → systematic process to identify the difference between the current security state and the desired state.

> Formula: *Desired State − Current State = Gap*

What it identifies

  • Missing controls
  • Misconfigurations
  • Incomplete policies
  • Ineffective procedures
  • Missing technologies

The process

  • Define the desired state (objective or standard)
  • e.g. MFA for all users, EDR on all endpoints, ISO 27001 or NIST CSF compliance
  • Document the current state (audits, interviews, scans, config reviews)
  • Compare → produce a list of gaps
  • Evaluate impact → prioritize by risk
  • Build a remediation plan

Example

  • Policy → 100% laptops with full disk encryption
  • Reality → only 70% encrypted
  • Gap → the remaining 30%

Scope is broader than tech

Also covers policies, training, documentation, change management, DR, backups, identity, regulatory compliance.

Don't confuse with

  • Risk Assessment → measures probability × impact
  • Vulnerability Assessment → finds technical weaknesses
  • Penetration Testing → simulates real attacks
  • Gap Analysis → finds what's *missing* vs the target

Exam trigger phrases

  • *"compare current posture with desired state"*
  • *"identify missing controls"*
  • *"find deficiencies"*
  • *"what's needed to meet compliance"*

→ Answer is almost always Gap Analysis.