Gap Analysis

A gap analysis, delivered for you

For teams that need a gap analysis done — not a tool to do one with. We scope the work, assess your current posture against the frameworks that apply to you, and deliver a cited report your auditors can read.

How it runs

A gap analysis, delivered as a service

Four stages from kickoff to delivered report. Typical engagement runs two to four weeks depending on scope.

You share the scope

You tell us which entities, systems, and frameworks are in play. We confirm the obligation set in writing before any assessment begins.

Entities, systems, frameworks agreed upfront
Out-of-scope items listed explicitly
Fixed price once scope is signed

Frameworks we cover

Horizontal, sector, and AI-specific obligations

The frameworks most commonly in scope. If your obligation isn't listed, ask — coverage extends to sector regulation across finance, health, energy, telecom, and public sector in the EU.

ISO 27001:2022Information security

ISO 27701Privacy information

ISO 42001AI management system

NIS2EU cyber resilience

DORAFinancial services — EU

GDPREU data protection

EU AI ActHigh-risk AI systems

SOC 2Type I and Type II

What you get

A report you can defend in audit

The shape of every finding in the report — cited to the source law, tied to your evidence, structured for import into GRC tooling.

assessmentPer-control status: met · partial · not met · not applicable

citationClause-level reference — regulation article or standard section

evidence_linkEach finding ties to the uploaded document and section it was judged against

remediationShort note per gap: what changes, which artefact provides the evidence

exportsPDF report · findings.json · findings.csv

followupOptional remediation plan or re-assessment once fixes are in place

Need a gap analysis?

Tell us the frameworks in play and the evidence you already have. We'll come back with a scope, a timeline, and a fixed price.