Compliance Gap Analyzer
Control Domains
Framework Scores
NIST CSF 2.0
0%Implemented
Partial
Gaps
Remediation Cost Estimate
Remediation Timeline
Remediation Roadmap
| Domain↕ | Frameworks↕ | Effort (wk)↕ | Cost↕ | Priority↓ | Category↕ |
|---|---|---|---|---|---|
| Risk Management Strategy | NIST CSF 2.0 | 4 | $10K | 12 | policy |
| Asset Management | NIST CSF 2.0 | 4 | $32.5K | 12 | tools |
| Risk Assessment | NIST CSF 2.0 | 4 | $32.5K | 12 | tools |
| Identity & Access Management | NIST CSF 2.0 | 4 | $32.5K | 12 | tools |
| Data Security | NIST CSF 2.0 | 4 | $32.5K | 12 | tools |
| Continuous Monitoring | NIST CSF 2.0 | 4 | $32.5K | 12 | tools |
| Incident Management | NIST CSF 2.0 | 4 | $32.5K | 12 | tools |
| Organizational Context | NIST CSF 2.0 | 4 | $10K | 6 | policy |
| Cybersecurity Supply Chain | NIST CSF 2.0 | 4 | $32.5K | 6 | tools |
| Awareness & Training | NIST CSF 2.0 | 4 | $32.5K | 6 | tools |
Top Priority Gaps
Audit readiness depends on knowing exactly which controls are in place, partial, or missing before an assessor arrives. This analyzer scores your posture across NIST CSF 2.0, SOC 2, ISO 27001, and PCI DSS 4.0 by weighting each control domain by importance, then surfaces severity-ranked gaps, cross-framework overlaps, and a remediation effort estimate measured in weeks.
Formula
Score = Σ(statusValue × weight) / Σ(weight) × 100
- statusValue
- Implemented or N/A = 1.0, partial = 0.5, not-implemented = 0
- weight
- Control domain importance from 1 (low) to 3 (high)
- Score
- Weighted compliance percentage from 0 to 100, computed per framework and overall
How it works
- Pick one or more frameworks (NIST CSF 2.0, SOC 2, ISO 27001, PCI DSS 4.0) and mark each control domain as not-implemented, partial, implemented, or not-applicable.
- Each domain carries a weight of 1 to 3 reflecting its importance. Implemented and not-applicable count as full credit, partial counts as half, and not-implemented counts as zero toward the weighted score.
- The tool produces per-framework and overall scores, classifies each gap by severity (a weight-3 not-implemented control is critical), lists shared cross-framework areas, and estimates remediation at 4 weeks per missing control and 2 weeks per partial control.
Worked example
A team assesses SOC 2 (13 control domains, total weight 29) and has 8 domains implemented covering 18 weight units, with the remaining 5 domains not yet implemented.
- Sum the weight of implemented domains: 18 of the 29 total weight units are satisfied.
- Divide achieved weight by total weight: 18 ÷ 29 = 0.6207.
- Multiply by 100 and round: 0.6207 × 100 = 62.07, rounded to 62.
SOC 2 compliance score of 62%. The five not-implemented domains become gaps, with higher-weighted ones (e.g. CC6 Logical & Physical Access, weight 3) flagged as critical.
Frequently asked questions
- Which frameworks does this tool cover?
- It models four widely used frameworks: NIST CSF 2.0, SOC 2 Trust Service Criteria, ISO 27001 Annex A, and PCI DSS 4.0. You can assess one framework or several at once to see where their requirements overlap.
- How is gap severity determined?
- Severity combines control weight and implementation status. A weight-3 control that is not implemented is critical, a weight-3 partial or weight-2 not-implemented control is high, and remaining gaps are medium. Implemented and not-applicable controls are not gaps.
- How accurate is the remediation effort estimate?
- It is a planning heuristic: 4 weeks for each not-implemented control and 2 weeks for each partial control, summed across all gaps. Real timelines depend on your team size, budget, and control complexity, so treat it as a starting point for scoping.
- Why assess multiple frameworks together?
- Frameworks share common control areas such as access control, incident management, and data protection. Assessing them together reveals these overlaps so a single remediation effort can close gaps across several frameworks at once.