Domain 1 · 1.2 Fundamental Security Concepts
1.2.4 Gap Analysis
10 min
Gap Analysis → systematic process to identify the difference between the current security state and the desired state.
> Formula: *Desired State − Current State = Gap*
What it identifies
- Missing controls
- Misconfigurations
- Incomplete policies
- Ineffective procedures
- Missing technologies
The process
- Define the desired state (objective or standard)
- e.g. MFA for all users, EDR on all endpoints, ISO 27001 or NIST CSF compliance
- Document the current state (audits, interviews, scans, config reviews)
- Compare → produce a list of gaps
- Evaluate impact → prioritize by risk
- Build a remediation plan
Example
- Policy → 100% laptops with full disk encryption
- Reality → only 70% encrypted
- Gap → the remaining 30%
Scope is broader than tech
Also covers policies, training, documentation, change management, DR, backups, identity, regulatory compliance.
Don't confuse with
- Risk Assessment → measures probability × impact
- Vulnerability Assessment → finds technical weaknesses
- Penetration Testing → simulates real attacks
- Gap Analysis → finds what's *missing* vs the target
Exam trigger phrases
- *"compare current posture with desired state"*
- *"identify missing controls"*
- *"find deficiencies"*
- *"what's needed to meet compliance"*
→ Answer is almost always Gap Analysis.