Gap Analysis
Gap analysis is the starting point of every compliance project. We compare your current state with standard or regulation requirements. You get a clear picture of gaps and a concrete plan to close them.

What is Gap Analysis?
Gap analysis is a structured compliance assessment that compares your organization's current security posture against the specific requirements of a standard or regulation — such as ISO 27001, NIS2, DORA, or PCI DSS — and produces a prioritized roadmap to close every identified gap. nFlo evaluates each control point by point through documentation review, stakeholder interviews, and technical configuration checks, delivering a scored report plus effort and cost estimates so management can budget realistically. Without this starting assessment, 70% of compliance projects exceed their budget due to underestimating the work ahead.
You don't know how much work lies ahead or where to start
Clear picture of status and action plan
- Assessment: Documentation review and interviews
- Scoring: Compliance level per control
- Roadmap: What, when, and in what order
Compliance project 3x more expensive than planned
An IT company started ISO 27001 implementation without gap analysis. “We have the basics, it’ll be quick.” After 6 months: budget exceeded 3x, deadline postponed by a year, frustrated team.
Without gap analysis:
- You don’t know how much work lies ahead
- You start with easy things instead of critical ones
- Budget and timeline are guesswork
- Surprises appear during the project
- Risk of failing the audit
Structural analysis point by point
Gap analysis is not a generic “assessment.” We go through each requirement of the standard or regulation, assess the current state, identify gaps, and prioritize actions. You get a concrete plan with cost and time estimates.
Methodology:
- Mapping standard/regulation requirements
- Documentation review (policies, procedures)
- Interviews with process owners
- Technical review (configurations, tools)
- Scoring per control/requirement
- Gap prioritization (critical/high/medium/low)
- Roadmap with timeline and budget
Gap Analysis Scope
ISO 27001:2022
- 93 Annex A controls
- 10 management system clauses
- ISMS documentation
- Risk analysis
NIS2
- 10 security measure areas
- Governance and accountability
- Risk management
- Incident reporting
- Business continuity
DORA
- ICT risk management
- ICT incident management
- Digital operational resilience testing
- Third-party risk
- Information sharing
PCI DSS 4.0
- 12 requirements
- ~250 controls
- SAQ vs ROC assessment
Deliverables
Gap Analysis Report
- Executive summary (for board)
- Scoring per control/requirement
- Detailed description of each gap
- Evidence (what we found)
- Remediation recommendations
Remediation Roadmap
- Prioritization (quick wins → long-term)
- Timeline (implementation phases)
- Effort estimate
- Cost estimate
- Dependencies between actions
Presentation & Workshop
- Results presentation for management
- Workshop with IT/security team
- Q&A and next steps definition
Who is this for?
This service is for you if:
- You’re planning ISO 27001, NIS2, DORA, PCI DSS implementation
- You want to know how much compliance will cost
- You need to justify budget to management
- You don’t know where to start
- You want to avoid surprises during the project
Pricing
Single Standard
Gap analysis for one standard/regulation:
- ISO 27001 or NIS2 or DORA
Time: 2-3 weeks | Price from: 25,000 PLN
Multi-Standard
Gap analysis for several standards simultaneously:
- Integrated approach (overlapping controls)
- One report, common roadmap
Time: 3-5 weeks | Price from: 40,000 PLN
Enterprise
For large organizations with multiple scopes:
- Multiple locations / business units
- Comprehensive IT and OT analysis
- Workshops at each location
Time: 6-8 weeks | Price from: 80,000 PLN
How we work
Our proven service delivery process.
- Kick-off: Scope and schedule definition
- Document review: Existing documentation analysis
- Interviews: Conversations with key stakeholders
- Technical review: Configuration and tools review
- Report: Report with gaps and roadmap
Benefits for your business
What you gain by choosing this service.
- Full visibility: Know where you are vs where you need to be
- Real costs: Implementation budget estimate
- Realistic timeline: How long to close gaps
- Prioritization: Start with what's most important
Frequently Asked Questions
Common questions about Gap Analysis.
How much does gap analysis cost?
Single Standard (ISO 27001 or NIS2 or DORA): from €6,000 (2-3 weeks). Multi-Standard (several standards simultaneously): from €10,000 (3-5 weeks). Enterprise (multiple locations, IT+OT): from €20,000 (6-8 weeks).
How long does gap analysis take?
For one standard in a medium-sized organization (50-200 people): 2-3 weeks. Multi-standard or enterprise: 4-8 weeks. This includes kick-off, documentation review, interviews, technical review, and the report with roadmap.
Is gap analysis mandatory before ISO 27001 certification?
Formally no, but effectively yes. Without knowing the gaps, you can't realistically estimate implementation time and budget. 70% of compliance projects exceed budget due to poor estimation. Gap analysis is an investment that pays off.
What does the gap analysis report include?
Executive summary for the board, scoring per control/requirement, detailed description of each gap with evidence, remediation recommendations, a roadmap with prioritization (quick wins → long-term), implementation timeline, and cost estimate.
How does gap analysis differ from audit?
Gap analysis is an assessment of the current state BEFORE implementation: it identifies gaps and creates a plan. An audit is verification AFTER implementation: it checks whether the requirements are met. Gap analysis always precedes implementation; the audit closes the cycle and leads to certification.