A gap assessment compares current controls and documentation against the SOC 2 criteria to identify what is missing before the audit begins. It is a planning tool that helps teams prioritise remediation, reduce surprises, and make evidence collection more systematic.
Expanded Definition
A gap assessment is a structured comparison between the security, governance, and evidence an organisation already has and the criteria it must meet for a defined objective. In the SOC 2 context, that objective is usually readiness against the trust services criteria, but the same method is also used for broader cybersecurity programmes, supplier assurance, and identity governance. The assessment does not certify compliance; it identifies where controls are missing, weak, undocumented, or not operating consistently enough to support an audit.
For NHI Management Group, the key value of a gap assessment is that it turns an abstract compliance goal into a practical worklist. Teams can map policies, procedures, logs, approval workflows, access reviews, and exception handling against a target standard, then decide which gaps are documentation issues and which are operational weaknesses. The process is closely aligned to the control-thinking in the NIST Cybersecurity Framework 2.0, even when the final benchmark is not NIST itself.
Definitions vary across vendors on whether a gap assessment includes only technical controls or also governance artifacts and evidence quality. In practice, mature assessments include both, because auditors and assurance reviewers judge whether a control exists, whether it is repeatable, and whether it can be proven. The most common misapplication is treating a gap assessment as a one-time checklist, which occurs when organisations focus on passing an audit rather than correcting the underlying control design and evidence chain.
Examples and Use Cases
Implementing a gap assessment rigorously often introduces time pressure and documentation overhead, requiring organisations to weigh fast audit preparation against the cost of assembling reliable evidence.
- A SOC 2 readiness team maps current access approval procedures, log retention, and incident response records against the criteria, then identifies missing evidence for user provisioning and review.
- A SaaS company uses a gap assessment before a customer security review to determine whether its policies, control owners, and monitoring outputs are sufficient for due diligence questions.
- An identity team performs a gap assessment on joiner, mover, and leaver workflows to find where manual approvals create delays or undocumented exceptions in privileged access.
- A cloud security programme compares existing configurations and alerting against a target framework such as the NIST Cybersecurity Framework 2.0 to prioritise remediation before an external assessment.
- A third-party risk function reviews supplier attestations, contract clauses, and evidence requests to find where assurance claims are unsupported or outdated.
These use cases show that the term is not limited to compliance projects. It is also a planning method for clarifying scope, revealing hidden dependencies, and deciding whether the organisation needs new controls, better evidence, or stronger operating discipline before the review starts.
Why It Matters for Security Teams
Security teams rely on gap assessments because most control failures are not caused by a single missing policy. They emerge when process ownership is unclear, evidence is scattered, or a control exists only in theory. A good assessment reduces the risk of discovering these weaknesses during an audit, a customer review, or a regulatory inquiry, when remediation is already under time pressure.
For identity-heavy environments, gap assessments are especially useful for privileged access, non-human identities, and machine-to-machine credentials, where teams often have policies but lack consistent enforcement or evidence trails. That makes the term relevant to IAM, PAM, and NHI governance even when the original project is framed as compliance. A mature assessment also helps leaders distinguish between risk acceptance and unfinished work, which is critical when remediation competes with delivery deadlines.
Used well, the method creates a defensible path from current state to target state. Used poorly, it becomes a paper exercise that reassures stakeholders without changing actual control maturity. Organisations typically encounter the consequences only after an audit request, a failed customer assessment, or a security incident exposes the missing evidence, at which point gap assessment becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC, ID.IM, PR.AT | CSF 2.0 frames current-state vs target-state control maturity and continuous improvement. |
| NIST SP 800-53 Rev 5 | CA-2 | Assessment and authorisation controls support structured evaluation of control effectiveness. |
| ISO/IEC 27001:2022 | 6.1, 9.2, 9.3 | ISO 27001 requires risk treatment, internal audit, and management review against the ISMS. |
| NIST SP 800-63 | IAL/AAL/FAL | Digital identity assurance levels help assess whether identity controls meet the needed strength. |
| OWASP Non-Human Identity Top 10 | NHI guidance is relevant when gap assessment covers machine identities and secret handling. |
Use CSF outcome mapping to identify missing controls, owners, and evidence before external review.