Objective 1.2 | Critical Priority | 7 min read

Gap Analysis

A systematic process of comparing current security posture against a desired state, framework, or standard to identify deficiencies. Gap analysis reveals what controls are missing and helps prioritize security improvements.

Understanding Gap Analysis

Gap analysis asks: "Where are we? Where should we be? What's missing?" It's a structured comparison between your current security state and a target—whether that's a compliance framework, industry best practices, or organizational security goals.

Think of gap analysis like a health checkup. The doctor compares your vital signs against healthy baselines and identifies what needs attention. Similarly, security gap analysis compares your controls against standards and identifies deficiencies.

The output of gap analysis is a prioritized list of gaps with remediation recommendations. This drives security roadmaps, budget requests, and project planning.

Why This Matters for the Exam

Gap analysis is a foundational activity in security program management (Domain 5) and directly supports risk management. The exam tests your understanding of how gap analysis fits into the security lifecycle.

SY0-701 specifically calls out gap analysis as a fundamental security concept, reflecting its importance in real-world security programs. Questions may ask about the gap analysis process, what it produces, or when to use it.

Understanding gap analysis also helps with compliance questions. Organizations must identify gaps between their current controls and regulatory requirements before they can achieve compliance.

Deep Dive

The Gap Analysis Process

Step 1: Define the Target State

  • Select a framework or standard (NIST, ISO 27001, CIS, PCI DSS)
  • Identify organizational security goals
  • Define compliance requirements
  • Establish security maturity targets

Step 2: Assess Current State

  • Document existing controls
  • Review policies and procedures
  • Evaluate technical implementations
  • Interview stakeholders
  • Review previous assessments

Step 3: Identify Gaps

  • Compare current state to target
  • Document missing controls
  • Note partially implemented controls
  • Identify control weaknesses

Step 4: Prioritize Gaps

  • Risk-based prioritization
  • Consider compliance deadlines
  • Evaluate implementation difficulty
  • Account for resource constraints
  • Factor in business impact

Step 5: Develop Remediation Plan

  • Create action items for each gap
  • Assign responsibilities
  • Estimate timelines and costs
  • Define success metrics
  • Schedule follow-up assessments

Types of Gap Analysis

Type            | Comparison Against              | Purpose
Compliance Gap  | Regulatory requirements         | Achieve/maintain compliance
Framework Gap   | Security framework (NIST, ISO)  | Improve security maturity
Policy Gap      | Internal policies               | Ensure policy implementation
Technical Gap   | Security baselines              | Harden systems and configs
Vendor Gap      | Third-party requirements        | Validate vendor security

Common Frameworks Used as Targets

NIST Cybersecurity Framework (CSF)

  • Identify, Protect, Detect, Respond, Recover
  • Common for general security maturity

ISO 27001

  • International standard for ISMS
  • Common for certification pursuit

CIS Controls

  • Prioritized security actions
  • Common for technical hardening

PCI DSS

  • Payment card industry specific
  • Required for card processing

HIPAA

  • Healthcare specific
  • Required for protected health information

Gap Analysis Outputs

A comprehensive gap analysis produces:

1. Gap Register — List of all identified gaps
2. Risk Assessment — Impact and likelihood of each gap
3. Prioritized Recommendations — Ordered remediation steps
4. Resource Estimates — Budget and staff requirements
5. Timeline — Projected remediation schedule
6. Metrics — How to measure closure
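The five process steps and the outputs listed above can be made concrete in a few dozen lines. The following Python script is an added example, not code from the original page or from CompTIA: it holds a constructed, simplified target control set and current-state inventory, identifies missing and partially implemented controls (Step 3), orders them by compliance deadline, risk score and implementation effort (Step 4), and emits a remediation plan with placeholder owners, due dates and a success metric per gap (Step 5 and the outputs above). The control identifiers, descriptions, scores, deadlines and the 90-day urgency window are all assumptions chosen for illustration; they are not the control list of PCI DSS, NIST CSF or any other real framework.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Everything below is constructed sample data for illustration. The control
# identifiers, descriptions, scores and deadlines are assumptions, not the
# control list of PCI DSS, NIST CSF or any other real framework.


@dataclass(frozen=True)
class TargetControl:
    """Step 1: one control in the target state (framework or standard)."""
    control_id: str
    description: str
    impact: int                      # 1 (low) .. 5 (critical) consequence if absent
    likelihood: int                  # 1 (rare) .. 5 (expected) that the gap is exploited
    deadline: Optional[date] = None  # external compliance deadline, if any


@dataclass(frozen=True)
class CurrentControl:
    """Step 2: assessed status of a control in the current state."""
    status: str      # "implemented", "partial" or "missing"
    effort: int = 3  # 1 (trivial) .. 5 (major project), estimated by the assessor


@dataclass(frozen=True)
class Gap:
    control_id: str
    description: str
    status: str               # "missing" or "partial"
    risk_score: int           # impact x likelihood: the gap's risk assessment
    effort: int
    deadline: Optional[date]


TARGET: Dict[str, TargetControl] = {
    "NET-1": TargetControl("NET-1", "Segment the cardholder environment from other networks",
                           impact=5, likelihood=4, deadline=date(2025, 6, 30)),
    "DATA-1": TargetControl("DATA-1", "Encrypt stored cardholder data at rest",
                            impact=5, likelihood=5, deadline=date(2025, 6, 30)),
    "IAM-1": TargetControl("IAM-1", "Require MFA for all administrative access",
                           impact=5, likelihood=5),
    "LOG-1": TargetControl("LOG-1", "Centralise and retain security logs",
                           impact=3, likelihood=3),
    "AWR-1": TargetControl("AWR-1", "Deliver annual security awareness training",
                           impact=2, likelihood=3),
}

CURRENT: Dict[str, CurrentControl] = {
    "NET-1": CurrentControl("partial", effort=4),
    "DATA-1": CurrentControl("missing", effort=3),
    "LOG-1": CurrentControl("implemented"),
    "AWR-1": CurrentControl("implemented"),
    # IAM-1 is absent from the inventory: an undocumented control is a gap too.
}


def identify_gaps(target: Dict[str, TargetControl],
                  current: Dict[str, CurrentControl]) -> List[Gap]:
    """Step 3: compare current state to target. A control that is absent from
    the current-state inventory is treated exactly like one marked 'missing'."""
    gaps = []
    for cid, ctrl in target.items():
        cur = current.get(cid, CurrentControl("missing"))
        if cur.status == "implemented":
            continue
        gaps.append(Gap(cid, ctrl.description, cur.status,
                        ctrl.impact * ctrl.likelihood, cur.effort, ctrl.deadline))
    return gaps


def prioritize(gaps: List[Gap], today: date, window_days: int = 90) -> List[Gap]:
    """Step 4: risk-based ordering. Gaps whose compliance deadline falls inside
    the window come first, then higher risk, then lower effort (quick wins),
    with the control id as a final tie-breaker so the order is deterministic."""
    def key(g: Gap):
        urgent = g.deadline is not None and g.deadline - today <= timedelta(days=window_days)
        return (0 if urgent else 1, -g.risk_score, g.effort, g.control_id)
    return sorted(gaps, key=key)


def remediation_plan(gaps: List[Gap], today: date) -> List[dict]:
    """Step 5: one action item per gap. Owners are placeholders for the
    organisation to assign; the success metric is what the follow-up
    assessment checks (closure = control assessed as implemented)."""
    plan = []
    for rank, g in enumerate(prioritize(gaps, today), start=1):
        verb = "Implement" if g.status == "missing" else "Complete"
        plan.append({
            "rank": rank,
            "control_id": g.control_id,
            "action": f"{verb}: {g.description}",
            "risk_score": g.risk_score,
            "owner": "TBD",
            "due": g.deadline.isoformat() if g.deadline else "next review cycle",
            "success_metric": f"{g.control_id} assessed as 'implemented' at follow-up",
        })
    return plan


if __name__ == "__main__":
    assessment_date = date(2025, 4, 1)  # constructed assessment date
    for item in remediation_plan(identify_gaps(TARGET, CURRENT), assessment_date):
        print(f"{item['rank']}. [{item['control_id']}] risk={item['risk_score']} "
              f"due={item['due']} {item['action']}")
```

Run as a script it prints the prioritized plan; with the constructed data the missing encryption control ranks first because it combines the highest risk score with a deadline inside the window. Moving the assessment date well before the deadline reorders the plan purely by risk and effort, which is the point of the Step 4 criteria: the same gap register yields a different roadmap as deadlines approach, so the analysis has to be repeated rather than done once.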

How CompTIA Tests This

Example Analysis

Scenario: An organization wants to achieve PCI DSS compliance for credit card processing. They hire a consultant to compare their current security controls against PCI DSS requirements. The consultant identifies that encryption is missing for stored cardholder data and network segmentation is inadequate.

Analysis: This is a compliance gap analysis:
  • Target state: PCI DSS requirements
  • Current state: Assessed through documentation review and technical testing
  • Gaps identified: Missing encryption, inadequate segmentation
  • Next steps: Prioritize remediation, implement controls, reassess

Key insight: Gap analysis doesn't fix problems—it identifies them. The value is in knowing exactly what needs to be done to reach the target state.

Key Terms to Know

gap analysis, security assessment, compliance gap, security posture, remediation planning, security maturity, framework compliance

Common Mistakes to Avoid

Thinking gap analysis fixes problems—gap analysis IDENTIFIES gaps; it doesn't remediate them. It produces a roadmap, not implemented controls.
Forgetting to define the target—gap analysis requires a clear target (framework, standard, goal). Without a defined target, there's nothing to compare against.
Missing the prioritization step—not all gaps are equal. Critical gaps need immediate attention; lower-risk gaps can be scheduled later. Prioritization is essential.
Treating it as one-time—gap analysis should be periodic. Security posture changes, frameworks update, and new gaps emerge. It's an ongoing process.

Exam Tips

Gap analysis = Current state vs. Desired state. Any question asking about identifying security deficiencies likely involves gap analysis.
Know common frameworks: NIST CSF for general security, ISO 27001 for ISMS certification, CIS Controls for technical hardening, PCI DSS for payment cards.
Gap analysis feeds into risk management—identified gaps become risks that need treatment.
The output is a prioritized remediation plan, not just a list of problems.
Gap analysis is often the first step in compliance efforts—you must know what's missing before you can fix it.

Memory Trick

"Where are we? Where should we be? What's the GAP?"

  • Gap Analysis = Finding the difference between:
      • CURRENT state (where we are)
      • TARGET state (where we should be)

The Process Flow: Target → Assess → Compare → Prioritize → Remediate

  • Framework Memory:
      • NIST = National Institute of Standards and Technology (think: National framework, general security)
      • ISO = International Organization for Standardization (think: International Standard, certification)
      • CIS = Center for Internet Security (think: Configuration Security, technical hardening)
      • PCI = Payment Card Industry (cards)
  • The Doctor Analogy:
      • Healthy baseline = Target state
      • Your vital signs = Current state
      • Diagnosis = Gap identification
      • Treatment plan = Remediation plan

Test Your Knowledge

Q1. An organization compares its current security controls against the NIST Cybersecurity Framework to identify areas needing improvement. What type of activity is this?

Q2. What is the PRIMARY output of a security gap analysis?

Q3. An organization must comply with PCI DSS within six months. What should they do FIRST?
