Organisations implement management systems and relevant controls in accordance with international ISO standards or specific legal or regulatory requirements.
Gap analysis is used to identify the current state and to determine the activities needed to move to the desired end state. The benchmark is based on relevant statutory, regulatory or normative requirements and recommendations.
The gap analysis of a management system or controls can be used by organisations for proper planning and implementation of management systems and relevant sets of controls. The information gathered in the context of a gap analysis can also be used, for example, in the risk assessment process when measures already in place need to be taken into account. Gap analysis is also an excellent tool for planning and evaluating progress in continuous improvement.
Benefits of gap analysis
- Identification and understanding of the current state and maturity of the management system and controls in relation to legal, regulatory or normative requirements
- Optimisation of planning for the implementation of the management system and control measures
- Evaluating progress and optimising planning for the development of the management system and controls
- Effective use of outputs in the risk and opportunity management process
Process of gap analysis
The method consists of 5 successive stages.
- Determining the context
- Identification and assessment of the current state
- Definition of the target state
- Specification of steps to achieve the target state
- Consolidation and final report
The purpose of setting the context is to define the objectives and scope of the gap analysis.
he purpose of the identification and assessment of the current state is to gather information and document the current state of the management system or measure and to assess its level of maturity. The determination of the maturity level of a process or measure is made using a quantitative hierarchical scale. In practice, the scale is usually expressed as a 0-5 scale, with the higher the number, the higher the maturity level. The determination of the maturity level requires that the assessment provides objective evidence that the requirements of the level are met.
The purpose of defining a target state is to describe in a concise manner the desired target state with respect to the relevant requirements and to establish a target level of maturity.
The purpose of the specification of the actions to achieve the target state is to identify the gaps between the current state and the target state and to determine the actions needed to bridge the gaps and move to the target state.
The purpose of consolidation is to review and validate the results of the gap analysis and draw conclusions from it. The results and conclusions of the gap analysis should be included in the final report. It is good practice to present the results of the gap analysis graphically, for example using a bar chart, which gives an indication at a glance of where the biggest gaps are and what needs to be addressed.