General Security Concepts · SY0-701 · Task 1.2

Gap analysis — SY0-701

Learn gap analysis for Security+ SY0-701: NIST-grounded definition, mental model, and how it differs from risk assessment and control assessment.

WHAT IT IS

Gap analysis is the process of comparing current performance against a desired or expected standard to identify what is missing or deficient. In a security context, this means measuring an organization's existing security controls and practices against a defined baseline — such as a regulatory requirement, a control framework, or an internal policy — and documenting where shortfalls exist.

The NIST CSRC Glossary (NIST SP 800-50r1) defines gap analysis as: "The process of comparing current learning program or activity performance with the desired, expected performance." Security practitioners apply this same comparative logic across controls, processes, and posture.


Mental model

Think of gap analysis as a ruler held against two points:

  • Point A — current state: the security controls, procedures, and capabilities actually in place today.
  • Point B — desired state: the baseline that must be met (a framework, regulation, policy, or control set).
  • The gap: anything at Point A that does not reach Point B.

The output of a gap analysis is not a decision — it is a map. It shows where the organization falls short, expressed in terms of controls that are absent, partially implemented, or not operating as intended. What the organization does with that map (prioritize, remediate, accept risk) comes after.
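The ruler-between-two-points model, as an added illustration that is not part of the original page: a constructed baseline (Point B) is compared with constructed observations of what is in place (Point A), and every baseline control that falls short is classified as absent, partially implemented, or not operating as intended. The control names and states are invented for the example; the output is a map of deficiencies with no likelihood, impact, or priority attached.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Gap(Enum):
    ABSENT = "absent"                                # nothing exists at Point A
    PARTIAL = "partially implemented"                # exists but does not cover the requirement
    NOT_OPERATING = "not operating as intended"      # exists but failed its control assessment


@dataclass(frozen=True)
class ControlState:
    implemented: bool
    coverage: float = 1.0            # fraction of the requirement covered (1.0 = full)
    operating: Optional[bool] = None  # control-assessment result; None = not yet tested


# Point B, desired state: constructed baseline of required controls (illustrative names)
BASELINE = {
    "mfa-for-privileged-accounts": "MFA required for all administrative logins",
    "centralized-log-retention": "Security logs retained centrally for 12 months",
    "quarterly-access-review": "Access rights reviewed every quarter",
    "encryption-at-rest": "Sensitive data stores encrypted at rest",
}

# Point A, current state: constructed observations of what is actually in place
CURRENT = {
    "mfa-for-privileged-accounts": ControlState(implemented=True, operating=True),
    "centralized-log-retention": ControlState(implemented=True, coverage=0.6, operating=True),
    "quarterly-access-review": ControlState(implemented=True, operating=False),
    "endpoint-av": ControlState(implemented=True, operating=True),  # present, but not in the baseline
}


def classify(state: ControlState) -> Optional[Gap]:
    """Classify one control against its baseline requirement; None means no gap."""
    if not state.implemented:
        return Gap.ABSENT
    if state.coverage < 1.0:
        return Gap.PARTIAL
    if state.operating is False:          # an untested control (None) is not a finding here
        return Gap.NOT_OPERATING
    return None


def gap_analysis(baseline: dict, current: dict) -> dict:
    """Return {control_id: Gap} for every baseline control that Point A does not reach.
    Sorted by id on purpose: the result is a map, not a prioritized remediation list."""
    gaps = {}
    for control_id in sorted(baseline):
        gap = classify(current.get(control_id, ControlState(implemented=False)))
        if gap is not None:
            gaps[control_id] = gap
    return gaps
```

Controls present at Point A but absent from the baseline (here `endpoint-av`) never appear in the output, and an untested control is left for control assessment rather than reported as a gap.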


When to use it

Gap analysis is often confused with two adjacent activities: risk assessment and control assessment. The table below shows how they differ in purpose, input, and output.

Activity           | Question it answers                                                      | Primary input                                           | Output
-------------------|--------------------------------------------------------------------------|---------------------------------------------------------|------------------------------------------------------------------------------------------------
Gap analysis       | "Where do we fall short of the standard?"                                | Current posture vs. a defined baseline                  | List of deficiencies against the baseline
Risk assessment    | "What threats could harm us, and how likely and severe are they?"        | Threats, vulnerabilities, likelihood, impact            | Prioritized list of risks to organizational operations
Control assessment | "Are our controls working correctly?"                                    | Implemented controls tested against their requirements  | Determination of whether controls are implemented correctly and producing desired outcomes

Sources: NIST SP 800-50r1 (gap analysis), NIST SP 800-30 Rev. 1 (risk assessment), NIST SP 800-37 Rev. 2 (control assessment).

A gap analysis often precedes both: you cannot know which controls need deeper assessment, or which risks are elevated by absent controls, until you know what is missing.


COMMON MISCONCEPTION

The trap: confusing gap analysis with risk assessment.

Candidates sometimes treat gap analysis as the activity that prioritizes threats or estimates likelihood of harm. It does not. Gap analysis measures against a baseline — it tells you what you lack. Risk assessment, by contrast, is the process of identifying, estimating, and prioritizing risks to organizational operations resulting from the operation of an information system (NIST SP 800-30 Rev. 1). Risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by controls in place.

A second misconception: assuming a gap analysis tells you what to fix first. It tells you what is absent relative to the baseline. Prioritization of remediation — defined by NIST as the act of mitigating a vulnerability or threat (CNSSI 4009-2015) — requires an additional step using risk or impact criteria.


How it shows up on the exam

Gap analysis questions test recall of purpose and sequence: candidates must recognize that gap analysis is the comparison step, not the response step or the likelihood-estimation step. Signal phrases to recognize:

  • "comparing current controls to a framework" — points toward gap analysis
  • "identifying what is missing against a standard" — points toward gap analysis
  • "determining where the organization does not meet requirements" — points toward gap analysis

Candidates who conflate gap analysis with risk assessment will be drawn toward answers that mention threat likelihood, impact estimation, or prioritization — none of which are outputs of gap analysis itself. Candidates who conflate it with control assessment may confuse "controls not in place" with "controls not working correctly." A control assessment tests whether implemented controls operate as intended, whereas gap analysis identifies controls that may not exist or be implemented at all.

The cognitive target is understanding the boundary between these three related but distinct activities.


Related concepts

  • CIA Triad — Gap analysis typically measures control coverage against confidentiality, integrity, and availability requirements; understanding the triad clarifies what the baseline is protecting.
  • Non-repudiation — A specific security property that may appear as a baseline requirement whose presence or absence a gap analysis would surface.
  • AAA Framework — Authentication, authorization, and accounting controls are common items evaluated during a gap analysis against access-control baselines.

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
