LR-301d · Module 2

Structured Gap Analysis

4 min read

A gap analysis compares what you must do (regulatory obligations) against what you are doing (current controls). Every obligation without a corresponding control is a gap. Every control without a corresponding obligation is overhead. The structured gap analysis walks the compliance matrix row by row, verifying that each obligation has a control, each control produces evidence, and each evidence artifact is current.

  1. Obligation-Control Mapping: For each obligation in the taxonomy, identify the control that satisfies it. If no control exists, record a gap. If a partial control exists, record a partial gap with the specific shortfall. The mapping produces a coverage percentage — what fraction of your obligations are fully controlled.
  2. Evidence Verification: For each obligation-control pair, verify that the control produces the evidence required by the framework. A control that operates but produces no documentation is a control that cannot be proven to operate. Evidence gaps are as dangerous as control gaps because they produce audit findings. [RISK]: A control without evidence is indistinguishable from no control during an audit.
  3. Currency Check: Verify that evidence artifacts are current — within the required timeframe for the framework. A risk assessment conducted two years ago does not satisfy a requirement for annual risk assessments. Currency gaps are the most common finding in compliance audits because controls that were established often drift in their execution cadence.
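The three steps above, carried through as a small script that walks a compliance matrix row by row. This is an added example, not code from the module; the `Obligation` and `Control` records, the constructed five-row matrix, the control inventory and the fixed assessment date are all assumptions made for illustration. It classifies each row as a control gap, partial gap, evidence gap or currency gap, reports the step 1 coverage percentage, and also lists controls in the inventory that map to no obligation (the "overhead" the introduction describes).

```python
"""Structured gap analysis over a constructed compliance matrix (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Control:
    name: str
    partial: bool = False                 # True if it covers only part of the obligation
    shortfall: str = ""                   # what remains unmet when partial
    evidence_date: Optional[date] = None  # None: control runs but leaves no artifact


@dataclass
class Obligation:
    ref: str
    requirement: str
    max_evidence_age_days: int            # the framework's currency window for evidence
    control: Optional[Control] = None     # None: no control mapped to this obligation


def gap_analysis(matrix, inventory, today):
    """Walk the matrix and return coverage, categorised findings and overhead controls."""
    findings = []
    fully_controlled = 0
    for ob in matrix:
        c = ob.control
        # Step 1: obligation-control mapping
        if c is None:
            findings.append({"ref": ob.ref, "type": "control_gap",
                             "detail": "no control satisfies this obligation"})
            continue
        if c.partial:
            findings.append({"ref": ob.ref, "type": "partial_gap", "detail": c.shortfall})
        else:
            fully_controlled += 1
        # Step 2: evidence verification
        if c.evidence_date is None:
            findings.append({"ref": ob.ref, "type": "evidence_gap",
                             "detail": f"{c.name} produces no evidence artifact"})
            continue
        # Step 3: currency check against the framework's window
        age_days = (today - c.evidence_date).days
        if age_days > ob.max_evidence_age_days:
            findings.append({"ref": ob.ref, "type": "currency_gap",
                             "detail": f"evidence is {age_days} days old, "
                                       f"limit is {ob.max_evidence_age_days}"})
    # Controls that satisfy no obligation are overhead, not coverage
    mapped = {ob.control.name for ob in matrix if ob.control is not None}
    overhead = [c.name for c in inventory if c.name not in mapped]
    coverage = 100.0 * fully_controlled / len(matrix) if matrix else 0.0
    return {"coverage_pct": coverage, "findings": findings, "overhead": overhead}


# Constructed sample data: one row per gap type, one clean row, one orphan control
TODAY = date(2025, 6, 1)
RISK_ASSESSMENT = Control("Annual risk assessment", evidence_date=date(2023, 5, 15))
ACCESS_REVIEW = Control("Quarterly access review")          # runs, but nobody keeps the sign-off
ENCRYPTION = Control("Encryption at rest", partial=True,
                     shortfall="backup media are not encrypted",
                     evidence_date=date(2025, 4, 1))
LOG_RETENTION = Control("Central log retention", evidence_date=date(2025, 5, 22))
FAX_POLICY = Control("Legacy fax transmission policy", evidence_date=date(2025, 1, 10))

MATRIX = [
    Obligation("A.1", "Perform a risk assessment at least annually", 365, RISK_ASSESSMENT),
    Obligation("A.2", "Review user access rights quarterly", 90, ACCESS_REVIEW),
    Obligation("A.3", "Encrypt regulated data at rest", 365, ENCRYPTION),
    Obligation("A.4", "Maintain a tested incident response plan", 365, None),
    Obligation("A.5", "Retain security logs for one year", 30, LOG_RETENTION),
]
INVENTORY = [RISK_ASSESSMENT, ACCESS_REVIEW, ENCRYPTION, LOG_RETENTION, FAX_POLICY]


def run_example():
    return gap_analysis(MATRIX, INVENTORY, TODAY)


if __name__ == "__main__":
    report = run_example()
    print(f"coverage: {report['coverage_pct']:.0f}% of obligations fully controlled")
    for f in report["findings"]:
        print(f"  {f['ref']:<4} {f['type']:<13} {f['detail']}")
    print("overhead controls:", report["overhead"])
```

Coverage here counts only step 1, as the module defines it: A.1 and A.2 both count as fully controlled even though one fails the currency check and the other has no evidence, which is exactly why the three steps are run together rather than stopping at the coverage figure.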