This chapter covers security gap analysis, a systematic method for identifying differences between an organization's current security posture and a desired target state, such as a regulatory standard or industry best practice. For the SY0-701 exam, this maps to Objective 1.1 (General Security Concepts) and is essential for understanding how organizations prioritize security improvements. Gap analysis is a core component of risk management and is frequently tested in scenario-based questions where you must determine the next step after a vulnerability assessment.
Imagine you've just bought a fixer-upper house and plan to renovate it into a secure, modern home. Before you start, you hire a home inspector to assess the current state. The inspector walks through every room, checks the foundation, roof, plumbing, electrical, and windows. They create a detailed report listing every deficiency: cracked foundation, outdated wiring, drafty windows, and a missing deadbolt on the back door. This report is your gap analysis. It compares the current state (old, unsafe house) to your desired state (a safe, energy-efficient home). For each gap, the inspector notes the severity (critical, major, minor) and recommends fixes—replace wiring, install new locks, add insulation. You then prioritize: fix the electrical first (safety hazard), then the foundation (structural integrity), then windows (energy savings). The inspection report doesn't fix anything; it's the blueprint for your renovation plan. In cybersecurity, gap analysis works the same way: you assess your current security controls against a benchmark (like NIST CSF or ISO 27001), document where you fall short, and prioritize remediation based on risk. Without the inspection, you might miss a critical flaw until a break-in occurs. The analogy's mechanism mirrors the security concept: the inspector systematically compares what is to what should be, just as a security analyst maps existing controls to a framework's requirements, identifying gaps that attackers could exploit.
What Is Security Gap Analysis?
Security gap analysis is a structured process that compares an organization's current security controls, policies, and practices against a predefined benchmark or set of requirements. The 'gap' is the difference between the current state and the desired state. The output is a prioritized list of deficiencies that need to be addressed to reach the target posture. This is distinct from a vulnerability assessment, which identifies specific technical weaknesses (e.g., unpatched software), whereas gap analysis evaluates whether entire control categories are missing or insufficient.
How Gap Analysis Works Mechanically
Define the Target State: Select a framework or standard (e.g., NIST Cybersecurity Framework, ISO 27001, PCI DSS, HIPAA). The target state is the set of controls or practices required by that standard. For example, NIST CSF has five functions: Identify, Protect, Detect, Respond, Recover.
Assess Current State: Gather evidence of existing controls through interviews, document reviews, technical scans, and policy analysis. This produces a baseline of what is currently implemented.
Compare and Identify Gaps: Map each current control to the target requirement. If a requirement is fully met, no gap. If partially met or missing, that's a gap. For each gap, note the severity (e.g., critical if it leads to regulatory non-compliance).
Analyze Risk and Prioritize: Evaluate the risk associated with each gap. A gap that exposes sensitive data is higher priority than one that affects non-critical systems. Assign a priority (high, medium, low) based on likelihood and impact.
Develop Remediation Plan: For each gap, define corrective actions, responsible parties, resources needed, and timelines. This becomes the roadmap for security improvements.
Report and Track: Document findings in a gap analysis report. Track remediation progress through regular reviews.
Key Components, Variants, and Standards
Frameworks Used:
- NIST Cybersecurity Framework (CSF) – most common for US organizations.
- ISO 27001 – international standard for information security management.
- CIS Controls – prioritized list of 18 critical security controls.
- PCI DSS – for organizations handling credit card data.
- HIPAA Security Rule – for healthcare entities.
Types of Gap Analysis:
- Compliance Gap Analysis: measures against regulatory requirements (e.g., GDPR, SOX).
- Control Gap Analysis: measures against a control framework (e.g., NIST SP 800-53).
- Maturity Gap Analysis: assesses the maturity of security processes (e.g., using CMMI).
Tools:
- GRC (Governance, Risk, and Compliance) platforms like RSA Archer and ServiceNow GRC.
- Spreadsheets for small organizations.
- Automated assessment tools like Qualys or Nessus for technical controls.
How Attackers Exploit Gaps or Defenders Deploy This
Attackers exploit gaps by targeting missing controls. For example, if a gap analysis reveals no multi-factor authentication (MFA) on remote access, an attacker can use credential stuffing to gain access. Defenders use gap analysis to proactively close these holes before exploitation. For instance, after a gap analysis showing insufficient logging, a defender deploys a SIEM (Security Information and Event Management) solution to detect intrusions.
Real Command/Tool Examples
While gap analysis is often a manual or GRC-driven process, technical assessments can use tools like:
- Nmap: to identify open ports (current state) versus a policy that states only port 443 should be open.
- OpenSCAP: to scan systems against a security baseline (e.g., USGCB) and generate a report of non-compliant settings. Example: evaluating the PCI DSS profile of the RHEL 8 SCAP Security Guide data stream and writing the results to results.xml:
    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss --results results.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
- PowerShell: to check whether a security control (e.g., audit policy) is enabled. Windows has no built-in Get-AuditPolicy cmdlet; the built-in auditpol tool reports the effective setting for a subcategory:
    auditpol /get /subcategory:"Logon"
- CIS-CAT: a tool that assesses systems against CIS Benchmarks and outputs gaps. Example run against the Ubuntu 20.04 benchmark:
    ./CIS-CAT.sh -a -b benchmarks/CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.0.0-xccdf.xml
Step-by-Step Process in Detail
Select Benchmark: Choose the standard. For SY0-701, common benchmarks include NIST CSF and CIS Controls.
Data Collection: Gather policies, interview staff, review network diagrams, run vulnerability scans.
Mapping: Create a spreadsheet mapping each control to a requirement. For example, requirement "Access Control" maps to current policy "Password Policy" – gap if no MFA.
Gap Identification: Mark each requirement as 'Met', 'Partially Met', 'Not Met'. Document evidence.
Risk Scoring: Use a formula like Likelihood x Impact = Risk. For example, a missing patch (high likelihood, high impact) = critical.
Remediation Planning: For each gap, define action, owner, budget, deadline.
Reporting: Present findings to management with a dashboard showing percentage of controls met.
Common Pitfalls
Scope Creep: Including too many requirements without prioritizing.
Subjectivity: Different assessors may score the same control differently. Use objective evidence.
Ignoring People/Process: Focusing only on technical controls while neglecting policies and training.
Stale Results: Not updating the analysis after changes.
Scope and Define Target State
First, determine the scope of the gap analysis: which systems, departments, or locations? Then select the benchmark. For SY0-701, the NIST Cybersecurity Framework (CSF) is often referenced. Define the desired state as a set of controls from the framework, e.g., for the Protect function: access control, awareness training, data security, etc. Document the target state in a requirements checklist. This step is critical because an unclear scope leads to incomplete analysis. A common mistake is choosing too broad a scope, making the analysis unmanageable. Instead, focus on high-risk areas first.
Assess Current Security Posture
Collect data on existing controls. Review documentation (policies, procedures), interview key personnel (CISO, IT managers), and perform technical assessments (vulnerability scans, configuration audits). Use tools like Nessus for vulnerability scanning or OpenSCAP for configuration compliance. For each control in the target state, gather evidence of its current implementation. For example, to assess 'Multi-factor authentication enabled for all remote access', check Active Directory or VPN logs. Document findings as 'Implemented', 'Partially Implemented', or 'Not Implemented'. This step is time-consuming but must be thorough to avoid false positives.
Map Current Controls to Target Requirements
Create a mapping matrix: rows are target requirements, columns are current controls. For each requirement, determine if the current control satisfies it. For example, target requirement 'Account lockout after 5 failed attempts' maps to current policy 'Lockout after 10 attempts' – gap because threshold is higher. Use a simple scoring: 0 (not met), 0.5 (partially met), 1 (fully met). This step reveals exactly where deficiencies exist. A common trap is misalignment: mapping a control to the wrong requirement, leading to a false sense of compliance. Ensure each mapping is validated.
Analyze Gaps and Prioritize Risks
For each gap, assess the risk it poses. Consider the likelihood of exploitation and the impact on confidentiality, integrity, or availability. Use a risk matrix (e.g., 5x5). For example, missing encryption for data at rest on a database with PII is high risk (high impact, moderate likelihood). Assign a priority: Critical, High, Medium, Low. Document the rationale. This step directly feeds into risk management. Prioritization ensures resources are focused on the most significant gaps first. A common mistake is treating all gaps equally; instead, use business impact to differentiate.
Develop Remediation Plan and Report
For each prioritized gap, define a remediation action. For example, if gap is 'No intrusion detection system', the action is 'Deploy Snort IDS and integrate with SIEM'. Assign an owner, budget, and timeline. Create a gap analysis report summarizing the overall compliance percentage, top risks, and remediation roadmap. Present to management for approval and resource allocation. This step transforms analysis into action. Without a plan, the gap analysis is just an academic exercise. Ensure the report is clear and actionable, avoiding technical jargon for executive audiences.
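The following is an added example, not code from the chapter: it ties together the tool step (OpenSCAP results as current-state evidence) and the mapping, scoring and prioritization steps above. The XCCDF excerpt is constructed in the shape of an `oscap --results` file, the requirement-to-rule mapping and the 1–5 likelihood/impact estimates are hypothetical analyst inputs, and the priority thresholds on the 5x5 scale are assumed.

```python
"""Worked gap-analysis scoring (added example, not the chapter's own code): XCCDF
rule results become current-state evidence, each requirement is scored 1/0.5/0,
and gaps are ranked by Likelihood x Impact on a 5x5 scale."""
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # namespace used by oscap results
RULE = "xccdf_org.ssgproject.content_rule_"        # SCAP Security Guide rule id prefix

# Constructed excerpt in the shape of an `oscap xccdf eval --results` file.
SAMPLE_RESULTS = f"""<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2">
  <rule-result idref="{RULE}accounts_password_pam_minlen"><result>pass</result></rule-result>
  <rule-result idref="{RULE}accounts_passwords_pam_faillock_deny"><result>fail</result></rule-result>
  <rule-result idref="{RULE}audit_rules_login_events"><result>pass</result></rule-result>
  <rule-result idref="{RULE}auditd_data_retention_max_log_file"><result>fail</result></rule-result>
  <rule-result idref="{RULE}sshd_disable_root_login"><result>notapplicable</result></rule-result>
</TestResult>"""

# Hypothetical mapping matrix: target requirement -> evidencing rules, plus the
# analyst's 1-5 likelihood and impact estimates for the gap if it is not met.
REQUIREMENTS = {
    "Account lockout after 5 failed attempts":
        {"rules": [RULE + "accounts_passwords_pam_faillock_deny"], "likelihood": 4, "impact": 4},
    "Audit logon events and retain logs":
        {"rules": [RULE + "audit_rules_login_events", RULE + "auditd_data_retention_max_log_file"],
         "likelihood": 3, "impact": 4},
    "Password minimum length enforced":
        {"rules": [RULE + "accounts_password_pam_minlen"], "likelihood": 2, "impact": 3},
    "Remote root login disabled":
        {"rules": [RULE + "sshd_disable_root_login"], "likelihood": 3, "impact": 5},
}

def parse_rule_results(xml_text):
    """Map rule id -> result string ("pass", "fail", "notapplicable", ...)."""
    root = ET.fromstring(xml_text)
    return {rr.get("idref"): rr.findtext(XCCDF + "result")
            for rr in root.iter(XCCDF + "rule-result")}

def requirement_score(rule_ids, results):
    """1.0 fully met, 0.5 partially met, 0.0 not met. Only pass/fail results are
    usable evidence; a requirement with none (e.g. notapplicable) is treated as
    not met until manual review supplies evidence."""
    usable = [results.get(r) for r in rule_ids if results.get(r) in ("pass", "fail")]
    if not usable:
        return 0.0
    passed = usable.count("pass")
    return 1.0 if passed == len(usable) else (0.5 if passed else 0.0)

def priority(risk):
    """Band a 1-25 Likelihood x Impact score (thresholds are assumed)."""
    return "Critical" if risk >= 15 else "High" if risk >= 10 else "Medium" if risk >= 5 else "Low"

def analyze(requirements, results):
    """Return (percentage of controls met, gaps sorted by descending risk)."""
    gaps, total = [], 0.0
    for name, req in requirements.items():
        score = requirement_score(req["rules"], results)
        total += score
        if score < 1.0:
            risk = req["likelihood"] * req["impact"]
            gaps.append({"requirement": name, "score": score,
                         "risk": risk, "priority": priority(risk)})
    gaps.sort(key=lambda g: g["risk"], reverse=True)
    return round(100 * total / len(requirements), 1), gaps
```

Calling `analyze(REQUIREMENTS, parse_rule_results(SAMPLE_RESULTS))` on the sample reports 37.5% of controls met, with the two Critical gaps (lockout threshold, root SSH login) ahead of the partially met logging requirement; the notapplicable SSH result shows why automated scans alone cannot close the current-state assessment.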
Scenario 1: Healthcare Compliance Gap Analysis
A mid-sized hospital must comply with HIPAA. The security team conducts a gap analysis against the HIPAA Security Rule. They review the Administrative Safeguards (e.g., security management process), Physical Safeguards (e.g., facility access controls), and Technical Safeguards (e.g., audit controls). Using a checklist, they find that audit logs are enabled but not reviewed regularly – a gap. They also discover that encryption is not used for all ePHI at rest on legacy servers. The analyst uses a GRC tool to map each HIPAA standard to current controls. The report shows 70% compliance. The remediation plan includes deploying disk encryption (BitLocker) on legacy servers and implementing a log review schedule using a SIEM (Splunk). A common mistake is assuming that having a firewall and antivirus means HIPAA compliance; the gap analysis reveals missing policies and procedures, which are equally critical.
Scenario 2: Financial Services Control Gap Analysis
A bank must meet PCI DSS requirements for credit card processing. The gap analysis compares current controls to PCI DSS v4.0. The assessor uses a vulnerability scanner (Qualys) to check for missing patches and a configuration scanner (CIS-CAT) to verify system hardening. They find that the segmentation between the cardholder data environment (CDE) and the corporate network is weak – a firewall rule allows unnecessary traffic. This is a critical gap. The analyst also discovers that quarterly vulnerability scans are not being performed as required. The remediation involves tightening firewall rules (allow only required ports) and scheduling automated scans. A common mistake is focusing only on technical controls while ignoring documentation requirements like policies and risk assessments. The gap analysis must cover all 12 PCI DSS requirements.
Scenario 3: NIST CSF Maturity Gap Analysis
A government contractor must demonstrate NIST CSF maturity level 3 (Repeatable). The gap analysis assesses the current state across all five functions. Using a maturity model, they find that the 'Detect' function is at level 2 (Defined) because continuous monitoring is not fully implemented. The analyst recommends deploying a SIEM and creating a formal incident response plan. They use a tool like RSA Archer to track maturity scores. A common mistake is conducting a gap analysis without a clear target maturity level; without that, the gaps are meaningless. The correct response is to define the target first, then measure against it.
What SY0-701 Tests on Gap Analysis
The exam focuses on the purpose and process of gap analysis, not on specific tool commands. You need to know:
Gap analysis is a comparison between current and desired security states.
It is used to identify deficiencies for remediation planning.
Common benchmarks include NIST CSF, ISO 27001, and CIS Controls.
Gap analysis is part of risk management and often follows a risk assessment.
The output is a prioritized list of gaps with remediation recommendations.
Most Common Wrong Answers
1. Vulnerability Assessment: Candidates confuse gap analysis with vulnerability scanning. Vulnerability assessment identifies technical weaknesses (e.g., missing patches), while gap analysis evaluates broader control coverage against a standard. If a question says 'compare current security to a framework', the answer is gap analysis, not vulnerability assessment.
2. Penetration Testing: Another common wrong answer. Pen testing actively exploits vulnerabilities, while gap analysis is a passive comparison. Look for keywords like 'baseline', 'benchmark', or 'standard'.
3. Risk Assessment: Risk assessment identifies and evaluates risks, but gap analysis is specifically about comparing to a desired state. The two are related but distinct. Risk assessment often precedes gap analysis.
4. Audit: An audit is an independent examination of controls, often for compliance. Gap analysis is a self-assessment or internal process. Audits are more formal and may be conducted by external parties.
Specific Terms and Acronyms
- NIST CSF: The five functions (Identify, Protect, Detect, Respond, Recover) are fair game.
- ISO 27001: International standard for an ISMS (information security management system).
- CIS Controls: 18 critical security controls.
- PCI DSS: Payment Card Industry Data Security Standard.
- HIPAA: Health Insurance Portability and Accountability Act.
- SOX: Sarbanes-Oxley Act.
Trick Questions
- A question might describe a scenario where a company wants to 'evaluate its security against industry best practices'. The correct answer is gap analysis, not vulnerability assessment.
- Another trick: 'After a risk assessment, what should be done next?' The answer could be gap analysis to identify missing controls, or remediation planning. Read carefully.
- Questions may mix terms like 'baseline' and 'benchmark'. Baseline is the current state; benchmark is the target.
Decision Rule for Scenario Questions
If the scenario mentions a framework (NIST, ISO, CIS), a standard (PCI, HIPAA), or a 'desired state', the answer is gap analysis. If it mentions scanning for vulnerabilities, it's a vulnerability assessment. If it mentions active exploitation, it's penetration testing. If it mentions evaluating likelihood and impact, it's risk assessment. Use these keywords to eliminate wrong answers.
Gap analysis identifies the difference between current security state and a desired target state defined by a framework or standard.
Common frameworks for gap analysis include NIST CSF, ISO 27001, CIS Controls, PCI DSS, and HIPAA.
The gap analysis process: define target, assess current, compare, prioritize risks, develop remediation plan.
Gap analysis is distinct from vulnerability assessment and penetration testing; it is a broader control evaluation.
SY0-701 tests the purpose and steps of gap analysis, not specific tool commands.
The output of a gap analysis is a prioritized remediation plan, not just a report.
Risk assessment often precedes gap analysis; gap analysis follows to identify specific control deficiencies.
Gap analysis can be performed for compliance, security maturity, or risk reduction.
These come up on the exam all the time. Here's how to tell them apart.
Gap Analysis
Compares current state to a desired benchmark (e.g., NIST CSF).
Focuses on control coverage and policy compliance.
Output is a list of missing or insufficient controls.
Conducted against a framework or standard.
Often involves manual review and interviews.
Vulnerability Assessment
Scans systems for known vulnerabilities (e.g., unpatched software).
Focuses on technical weaknesses in configurations and software.
Output is a list of CVEs and misconfigurations.
Conducted against a vulnerability database (e.g., CVE).
Primarily automated using tools like Nessus.
Mistake
Gap analysis is the same as a vulnerability assessment.
Correct
Gap analysis compares controls to a benchmark; vulnerability assessment scans for technical weaknesses. They are different processes. Gap analysis may incorporate vulnerability scan results as part of the current state assessment.
Mistake
Gap analysis only needs to be done once.
Correct
Gap analysis should be performed periodically (e.g., annually) or when significant changes occur (new systems, regulatory updates). Security is continuous, and gaps change over time.
Mistake
A gap analysis report is the final deliverable.
Correct
The report is a means to an end. The real value is in the remediation plan and its execution. Without action, the gap analysis is just documentation.
Mistake
Gap analysis is only for compliance.
Correct
While compliance is a common driver, gap analysis is also used for security maturity improvement, risk reduction, and budget justification. It can be tailored to any benchmark.
Mistake
All gaps are equally important.
Correct
Gaps must be prioritized based on risk. A missing critical control (e.g., MFA for admin accounts) is far more important than a missing optional control (e.g., banner message).
Risk assessment identifies, analyzes, and evaluates risks (likelihood and impact) to the organization. Gap analysis compares current controls to a desired benchmark. Risk assessment often comes first to identify high-risk areas; then gap analysis determines what controls are missing to mitigate those risks. On the exam, if the question mentions evaluating risks, it's risk assessment; if it mentions comparing to a standard, it's gap analysis.
The most common frameworks are NIST Cybersecurity Framework (CSF), ISO 27001, and CIS Controls. For specific industries, PCI DSS (payment card) and HIPAA (healthcare) are also used. On the SY0-701 exam, you may see questions referencing these frameworks, especially NIST CSF. Know the five functions: Identify, Protect, Detect, Respond, Recover.
Gaps are prioritized based on risk: the likelihood of exploitation and the impact on the organization. Use a risk matrix (e.g., high/medium/low). Critical gaps (e.g., missing MFA on admin accounts) are addressed first. Also consider regulatory requirements – gaps that lead to non-compliance may be high priority. The remediation plan should assign resources accordingly.
Partially. Tools like OpenSCAP, CIS-CAT, and GRC platforms can automate the assessment of technical controls (e.g., checking if a firewall rule exists). However, policy and process gaps require manual review (interviews, document analysis). A complete gap analysis typically combines automated scans with manual assessment.
No. Gap analysis should be repeated periodically (e.g., annually) or when significant changes occur (new systems, regulatory updates, after a breach). Security posture changes over time, and new gaps emerge. Continuous improvement is key. The SY0-701 exam emphasizes that security is an ongoing process.
The primary output is a gap analysis report that includes: current state summary, target state definition, list of gaps with severity ratings, risk analysis, and a prioritized remediation plan with actions, owners, and timelines. The report is presented to management for approval and resource allocation.
NIST CSF provides a set of desired outcomes (functions, categories, subcategories). Gap analysis maps current controls to these outcomes. For example, under the Protect function, the subcategory 'PR.AC-1' requires 'Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.' If the organization lacks a formal identity management process, that's a gap.