A gap analysis is a necessary component of risk management that is, at times, unclear to those in risk, security, and compliance positions. This leaves the question, “What is a gap analysis?” Simply put, a gap analysis is a process of examining or assessing your current business practices and determining what changes you need to make to improve shortcomings or become compliant. The term “gap” refers to the distance between where your organization is currently and where you need to be. Your analysis considers risks, staffing, and available resources, as well as the timeframes needed to complete the identified improvements.
Performing a Gap Analysis
When performing a gap analysis, you’ll face three main questions along the way:
1. What are you doing right now and how are you performing?
2. Where do you want to be and what is your end goal?
3. What steps do you take to close the gap?
The first step in conducting a gap analysis is to establish specific target objectives by looking at your organization’s mission statement, strategic goals, and improvement objectives. You’ll select your assessment criteria or framework, which can also be custom content. This sets the performance standard against which you compare yourself in areas such as physical security, access control, surveillance, etc. Then you will begin observing people and processes to gather data on policies and controls, and to check whether the established processes are actually followed. Your data will help prioritize remediation based on impact. Then determine what resources are available and map out your needs and any improvements to be made.
Here is a template for gap analysis provided by the Agency for Healthcare Research and Quality. While we don’t recommend solely using this tool, it provides good insight and gets you thinking about your gaps and barriers to implementing changes.
Before you begin a gap analysis, you’ll need to consider your goal behind performing one. This typically boils down to one of three reasons: it’s a compliance requirement, you want to be protected, or you want to improve business processes.
Compliance Gap Analysis
This intention is all about meeting requirements. Your gap analysis will compare what certain regulations require with what is currently being done to abide by them. Regulations require you to address risks that often affect the people a specific industry serves. There is no room for error here, as these are often high-threat risks and you’ll face severe penalties for non-compliance. Your analysis will reveal whether your current practices or controls are sufficient to meet compliance or whether you need to prioritize improvements.
Best Practices Gap Analysis
A gap analysis against industry standards or best practices is focused on being protected. This intention is to shed light on any vulnerabilities and see what risks your organization has that you can potentially mitigate or manage. These standards, such as ISO or NIST, are often developed after years of careful observation and evaluation, which provide insight into which controls are most effective and where security shortcomings typically arise.
Process Improvement Gap Analysis
This intention is purely to improve business processes and performance. The first step is to establish target objectives and take note of what you want to improve. These can adapt as your assessment process continues and more data is gathered. Typically, looking at your organization’s mission statement, strategic goals, and improvement objectives gives you a good starting point. Then you’ll analyze current business processes and determine how resources are allocated to them. You’ll see why there are gaps and what you can change to close them.
RiskWatch for Gap Analysis
RiskWatch software is an effective solution for assessments and gap analysis. It can assign weights to questions based on how much impact non-compliance could have on the organization, allowing you to better allocate resources and prioritize remediation. We provide content libraries for various standards and regulations that will automatically produce a gap analysis upon completion in our platform. Gaps can automatically be turned into corrective actions using our built-in remediation module for task tracking. Ongoing monitoring and reporting are supported by our real-time dashboard, complete with trending analysis and reporting modules.
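The procedure above (compare required against observed controls, weight each gap by the impact of non-compliance, prioritize remediation, then fit it to available resources) can be shown in miniature. The following is an added illustration written for this page, not RiskWatch code; the control identifiers, maturity scale, weights and effort estimates are all constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample assessment against a hypothetical framework. Each row:
# control id, required maturity (0-5), observed maturity (0-5, or None when
# the control has not been assessed yet), impact weight (1-5, how severe
# non-compliance would be) and estimated remediation effort in hours.
CONTROLS = [
    ("CTRL-01", 4, 2, 5, 40),     # access control policy, partially met
    ("CTRL-02", 3, 3, 4, 0),      # physical access, fully met
    ("CTRL-03", 4, None, 3, 24),  # log review, not yet assessed
    ("CTRL-04", 5, 1, 5, 120),    # network boundary protection, large gap
    ("CTRL-05", 3, 1, 2, 16),     # backups, low impact
]

@dataclass
class Gap:
    control: str
    gap: int       # required minus observed maturity
    weight: int    # impact of non-compliance
    effort: int    # hours to close the gap

    @property
    def score(self) -> int:
        """Impact-weighted gap: the prioritization key."""
        return self.gap * self.weight

def analyse(controls):
    """Return (weighted gaps sorted by priority, controls still unassessed)."""
    gaps, unassessed = [], []
    for cid, required, observed, weight, effort in controls:
        if observed is None:
            # An unassessed control is unknown, not compliant: report it
            # separately instead of silently scoring it as a zero gap.
            unassessed.append(cid)
            continue
        gap = max(required - observed, 0)
        if gap:
            gaps.append(Gap(cid, gap, weight, effort))
    # Highest weighted gap first; cheaper fixes first among equal scores.
    gaps.sort(key=lambda g: (-g.score, g.effort))
    return gaps, unassessed

def plan(gaps, budget_hours):
    """Greedy corrective-action plan within the available effort budget."""
    chosen, remaining = [], budget_hours
    for g in gaps:
        if g.effort <= remaining:
            chosen.append(g.control)
            remaining -= g.effort
    return chosen, remaining
```

With the sample data and a 100-hour budget, the largest gap (CTRL-04) is top priority but does not fit, so the plan takes CTRL-01 and CTRL-05 and flags CTRL-03 as still needing assessment.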
Remember that a security gap analysis can’t guarantee 100% security, but it is extremely effective in ensuring that compliance is met and that controls are robust, effective, and cost-efficient. Sign up for free access to our software and see the benefits first-hand.