Compliance Gap Analyzer

Framework
$

Control Domains

Organizational Context
Risk Management Strategy
Cybersecurity Supply Chain
Asset Management
Risk Assessment
Identity & Access Management
Awareness & Training
Data Security
Platform Security
Technology Resilience
Continuous Monitoring
Adverse Event Analysis
Incident Management
Incident Reporting
Recovery Planning
Overall Compliance Score0%

Framework Scores

NIST CSF 2.00%25%50%75%100%

NIST CSF 2.0

0%
0
Implemented
0
Partial
15
Gaps
Critical Gaps7
High Gaps8
Medium Gaps0
Remediation (weeks)60

Remediation Cost Estimate

$627.5K
Total Cost
$20K
Policy
$357.5K
Tools
$250K
Infrastructure

Remediation Timeline

30 weeks
Estimated Duration
2027-01-22
Est. Completion
Month 1
13%
Month 2
27%
Month 3
40%
Month 4
53%
Month 5
67%
Month 6
80%
Month 7
93%
Month 8
100%

Remediation Roadmap

DomainFrameworksEffort (wk)CostPriorityCategory
Risk Management StrategyNIST CSF 2.04$10K12policy
Asset ManagementNIST CSF 2.04$32.5K12tools
Risk AssessmentNIST CSF 2.04$32.5K12tools
Identity & Access ManagementNIST CSF 2.04$32.5K12tools
Data SecurityNIST CSF 2.04$32.5K12tools
Continuous MonitoringNIST CSF 2.04$32.5K12tools
Incident ManagementNIST CSF 2.04$32.5K12tools
Organizational ContextNIST CSF 2.04$10K6policy
Cybersecurity Supply ChainNIST CSF 2.04$32.5K6tools
Awareness & TrainingNIST CSF 2.04$32.5K6tools
Page 1 of 2

Top Priority Gaps

Risk Management Strategycritical
Asset Managementcritical
Risk Assessmentcritical
Identity & Access Managementcritical
Data Securitycritical
Continuous Monitoringcritical
Incident Managementcritical
Organizational Contexthigh
Cybersecurity Supply Chainhigh
Awareness & Traininghigh

Audit readiness depends on knowing exactly which controls are in place, partial, or missing before an assessor arrives. This analyzer scores your posture across NIST CSF 2.0, SOC 2, ISO 27001, and PCI DSS 4.0 by weighting each control domain by importance, then surfaces severity-ranked gaps, cross-framework overlaps, and a remediation effort estimate measured in weeks.

Formula

Score = Σ(statusValue × weight) / Σ(weight) × 100

statusValue
Implemented or N/A = 1.0, partial = 0.5, not-implemented = 0
weight
Control domain importance from 1 (low) to 3 (high)
Score
Weighted compliance percentage from 0 to 100, computed per framework and overall

How it works

  1. Pick one or more frameworks (NIST CSF 2.0, SOC 2, ISO 27001, PCI DSS 4.0) and mark each control domain as not-implemented, partial, implemented, or not-applicable.
  2. Each domain carries a weight of 1 to 3 reflecting its importance. Implemented and not-applicable count as full credit, partial counts as half, and not-implemented counts as zero toward the weighted score.
  3. The tool produces per-framework and overall scores, classifies each gap by severity (a weight-3 not-implemented control is critical), lists shared cross-framework areas, and estimates remediation at 4 weeks per missing control and 2 weeks per partial control.

Worked example

A team assesses SOC 2 (13 control domains, total weight 29) and has 8 domains implemented covering 18 weight units, with the remaining 5 domains not yet implemented.

  1. Sum the weight of implemented domains: 18 of the 29 total weight units are satisfied.
  2. Divide achieved weight by total weight: 18 ÷ 29 = 0.6207.
  3. Multiply by 100 and round: 0.6207 × 100 = 62.07, rounded to 62.

SOC 2 compliance score of 62%. The five not-implemented domains become gaps, with higher-weighted ones (e.g. CC6 Logical & Physical Access, weight 3) flagged as critical.

Frequently asked questions

Which frameworks does this tool cover?
It models four widely used frameworks: NIST CSF 2.0, SOC 2 Trust Service Criteria, ISO 27001 Annex A, and PCI DSS 4.0. You can assess one framework or several at once to see where their requirements overlap.
How is gap severity determined?
Severity combines control weight and implementation status. A weight-3 control that is not implemented is critical, a weight-3 partial or weight-2 not-implemented control is high, and remaining gaps are medium. Implemented and not-applicable controls are not gaps.
How accurate is the remediation effort estimate?
It is a planning heuristic: 4 weeks for each not-implemented control and 2 weeks for each partial control, summed across all gaps. Real timelines depend on your team size, budget, and control complexity, so treat it as a starting point for scoping.
Why assess multiple frameworks together?
Frameworks share common control areas such as access control, incident management, and data protection. Assessing them together reveals these overlaps so a single remediation effort can close gaps across several frameworks at once.