Gap Assessment
Know where you stand. Know where to go.
Measure your security against industry standards.
Testing Options
Our gap assessment services evaluate your current security posture against industry frameworks and standards. We identify deficiencies in your controls, policies, and procedures, providing a clear roadmap to achieve compliance and strengthen your overall security program.
NIST Cybersecurity Framework
Assess your organization against the six core functions of NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, and Recover.
CIS Critical Security Controls
Evaluate implementation of the CIS Critical Security Controls for effective, prioritized cyber defense.
PCI-DSS Readiness
Prepare for PCI compliance by identifying gaps in cardholder data protection before your QSA arrives.
ISO 27001 Readiness
Assess readiness for ISO 27001 certification with comprehensive control mapping and evidence review.
HIPAA Security Assessment
Evaluate your safeguards against HIPAA Security Rule requirements for protected health information.
SOC 2 Readiness
Prepare for a SOC 2 Type I examination (control design at a point in time) or Type II examination (operating effectiveness over a review period) with gap identification across the Trust Services Criteria.
How We Work
We don't just check boxes. Our assessments dig into how your controls actually function, not just whether a policy exists. We interview staff, review evidence, and test controls to understand your real security posture.
Scoping & Framework Selection
We identify the right framework for your industry and objectives, then define assessment boundaries and key stakeholders.
Document & Policy Review
We analyze existing policies, procedures, and documentation to understand your intended security posture.
Control Testing
We verify that controls are implemented and operating effectively through interviews, evidence collection, and technical validation.
Gap Identification
We map findings to framework requirements, identifying where controls are missing, partially implemented, or ineffective.
Roadmap Development
We deliver prioritized remediation recommendations with effort estimates and quick wins to build momentum.
What You Get
A gap assessment should tell you exactly where you stand and exactly what to do next. Our deliverables give you both.
Current State Assessment
Detailed analysis of your current control implementation across all framework domains with maturity scoring.
Gap Analysis Matrix
Visual mapping of every framework requirement to your current state, highlighting gaps and partial implementations.
Prioritized Remediation Roadmap
Actionable recommendations ranked by risk reduction impact and implementation effort.
Evidence Inventory
Documentation of evidence collected and evidence gaps, preparing you for formal audit or certification.
Executive Summary
Board-ready overview of security posture, key risks, and recommended investment priorities.
Quick Wins List
Immediately actionable items that improve security posture with minimal effort or investment.
Why Breach Craft for Gap Assessment
Auditor Perspective
We've been on both sides of the table. We know what auditors look for, what questions they ask, and what evidence satisfies requirements.
Practical Recommendations
We don't recommend controls you can't implement. Our roadmaps account for your budget, team size, and technical constraints.
Framework Fluency
NIST, CIS, PCI, HIPAA, SOC 2, ISO 27001—we work across frameworks daily and understand how they map to each other.
Beyond Checkbox Compliance
Compliance doesn't equal security. We identify where checkbox compliance leaves real risk, helping you build genuinely secure programs.
Execution Support
Assessment is just the start. Through our vCISO and advisory services, we can help you implement the roadmap we build together.
Common Questions
What framework should we assess against?
It depends on your industry and business requirements. Healthcare organizations typically need HIPAA. Payment processors need PCI-DSS. B2B SaaS companies often pursue SOC 2. We'll recommend the right framework—or combination—during our initial discussion.
How is this different from a penetration test?
Gap assessments evaluate your security program against a framework—policies, procedures, and control implementation. Penetration testing actively tries to exploit vulnerabilities in your systems. They're complementary: gap assessments show program maturity; pentests show real-world exploitability.
Will this prepare us for certification or audit?
Yes. Our assessment identifies what you need to fix before the auditor arrives. We document evidence gaps, control weaknesses, and missing policies, giving you a clear remediation path to certification readiness. Note that the readiness assessment is distinct from the formal audit or certification itself, which must be performed by an independent party such as a QSA, a licensed CPA firm, or an accredited certification body.
How long does a gap assessment take?
Typically 2-4 weeks, depending on scope and organization size. A focused assessment against a single framework for a small organization is usually complete in about two weeks; a comprehensive multi-framework assessment for a larger enterprise runs to the upper end of that range or beyond.
Do you provide the policies we're missing?
Policy development can be included in the engagement or handled separately. We can provide templates, draft policies tailored to your organization, or review policies you develop based on our recommendations.
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873