How-to Instructions

Gap Analysis for Information Security

Departments or units that support IT resources, and individuals who manage their own IT resources, need to identify and manage information security risks by analyzing gaps between their current practices and the required security controls defined in the information security standards. Individuals can work with their collegiate or unit IT staff to complete the process.


The gap analysis process includes:

  • identifying the security level of the data, IT resources or IT service
  • reviewing the required controls for the security level
  • documenting current practices compared to the required security controls
    • an optional spreadsheet tool to track and document gaps is available on the right of this page
  • documenting plans to meet security control requirements (documentation is for internal unit planning)

If unable to complete the implementation of the required controls within 6 months of the publication date of the information security standard, the unit must request an exception to the policy/standard.

The following diagram illustrates the cycle:

[Diagram: unit gap analysis process flow chart]