1.2 Summarize fundamental security concepts
📘CompTIA Security+ (SY0-701)
🧩 What Is Gap Analysis?
Gap Analysis is a process of comparing your organization’s current security posture (what security measures you have now) with your desired or required security posture (what you should have according to standards, policies, or compliance requirements).
The “gap” is the difference between these two states.
In other words, it helps an organization identify:
- What security controls or policies are missing, weak, or not effective.
- What needs to be improved to meet security goals, frameworks, or compliance laws.
🔍 Why Gap Analysis Is Important
For the Security+ exam, you must understand that gap analysis is part of risk management and continuous improvement.
It helps security professionals:
- Identify weaknesses before attackers do.
- Prioritize remediation efforts (fix the most critical gaps first).
- Ensure compliance with laws, regulations, and frameworks such as:
- ISO 27001
- NIST Cybersecurity Framework
- GDPR, HIPAA, PCI-DSS, etc.
- Support audits and security assessments by showing what has been addressed and what still needs work.
🏗️ How Gap Analysis Works (Step-by-Step)
Let’s break it down into simple steps as it would happen in an IT security environment:
Step 1: Define the Target or Desired State
- Identify the security standard or goal you want to achieve.
Examples in IT:- A company wants to meet ISO 27001 information security standards.
- A data center must comply with PCI-DSS to handle credit card data securely.
This defines what “good” looks like — your desired security posture.
Step 2: Assess the Current State
- Review and document the current security controls, policies, and procedures.
- Examples:
- What kind of firewalls, antivirus, or access controls are currently in place?
- Are employees trained in security awareness?
- Are there policies for password management or data encryption?
This tells you where you are now.
Step 3: Identify the Gaps
- Compare the current state with the desired state.
- Each difference is a gap.
Example in IT context:
- The desired standard requires multi-factor authentication (MFA) for all admin accounts.
- The current system only uses passwords.
→ This is a security gap.
Step 4: Analyze and Prioritize the Gaps
- Not all gaps are equally serious.
- Use risk assessment methods to rank them:
- Which gaps could cause the most damage if exploited?
- Which gaps affect compliance with regulations?
Example:
- Lack of MFA on admin accounts → high-risk gap.
- Missing security awareness training → medium-risk gap.
Step 5: Develop a Remediation Plan
- Create a plan of action to close the gaps.
- The plan should include:
- Steps to fix the issue
- Timeline
- Resources or budget needed
- Responsible team or person
Example:
- Gap: No MFA on admin accounts.
- Fix: Deploy MFA system.
- Timeline: 3 weeks.
- Responsible: IT security team.
Step 6: Implement and Monitor
- Implement the fixes.
- Monitor continuously to ensure:
- The controls are working.
- New gaps don’t appear as systems evolve or new threats emerge.
Gap analysis should be repeated regularly — it’s not a one-time activity.
🧠 Key Terms and Concepts for the Exam
| Term | Description |
|---|---|
| Current State | The existing security posture, including all current controls and practices. |
| Desired State | The ideal or required level of security based on frameworks or compliance needs. |
| Gap | The difference between current and desired states — the missing or insufficient control. |
| Remediation Plan | The action plan to fix or improve the identified gaps. |
| Risk Prioritization | Ranking gaps based on their potential impact on confidentiality, integrity, and availability. |
| Continuous Improvement | Regularly repeating gap analysis to maintain a strong security posture. |
🧩 Example (IT Environment Context Only)
Let’s use a corporate IT network example:
| Area | Desired State | Current State | Gap | Risk |
|---|---|---|---|---|
| Access Control | MFA for all users | Password-only login | MFA missing | High |
| Patch Management | Weekly updates | Irregular updates | Delays in patching | Medium |
| Data Encryption | Full disk encryption on laptops | Encryption not enabled | Missing encryption | High |
| Security Policy | Annual review | Last updated 3 years ago | Outdated policy | Low |
From this, the organization knows exactly where to focus first — on high-risk areas.
🧾 Benefits of Gap Analysis
- Improves Security Posture – Identifies weaknesses early.
- Ensures Compliance – Helps meet laws and standards.
- Supports Decision Making – Gives management clear data on where to invest resources.
- Increases Efficiency – Focuses security efforts where they’re needed most.
- Enables Continuous Improvement – Security is not static; gap analysis keeps it updated.
⚠️ Common Mistakes to Avoid (For Exam & Real Use)
- Skipping documentation: Always record findings — exam questions may ask about this.
- Ignoring low-risk gaps: These can become serious later.
- Not involving stakeholders: IT, management, and compliance teams must all participate.
- One-time check: Security gaps change with new systems and threats — must be ongoing.
🧭 In Summary (For Easy Recall)
Gap Analysis = Where are we now → Where should we be → What’s missing → How to fix it
Exam Tip:
When you see a question describing comparing an organization’s current controls with a required framework or compliance standard — the answer is usually Gap Analysis.
