# 📊 Gap Analysis Template

> **Pack:** Shield (GRC Audit) — Shared Templates
> **Purpose:** Standardized gap analysis format for any compliance framework
> **Version:** 1.0.0

---

## Gap Analysis Report

### 1. Executive Summary

| Item | Detail |
|------|--------|
| **Organization** | [NAME] |
| **Framework(s)** | [FRAMEWORK VERSION] |
| **Scope** | [Systems, processes, departments covered] |
| **Assessment Date** | [DATE] |
| **Assessor** | [NAME / AI-assisted] |
| **Overall Maturity** | 🔴 Critical / 🟡 Developing / 🟢 Mature |

### 2. Maturity Scoring

| Level | Score | Description |
|-------|-------|-------------|
| **Non-existent** | 0 | No awareness, no controls |
| **Ad-hoc** | 1 | Informal, reactive, person-dependent |
| **Repeatable** | 2 | Documented but inconsistently applied |
| **Defined** | 3 | Standardized processes, consistently applied |
| **Managed** | 4 | Measured, monitored, continuously improved |
| **Optimized** | 5 | Automated, integrated, industry-leading |

### 3. Detailed Gap Analysis

| # | Requirement | Reference | Status | Current Evidence | Gap | Priority | Remediation |
|---|------------|-----------|--------|-----------------|-----|----------|-------------|
| 1 | [Requirement] | [Art./Cl.] | ✅/🟡/❌ | [Evidence] | [Gap description] | 🔴/🟡/🟢 | [Action needed] |

**Status definitions:**
- ✅ **Implemented** — fully in place with documented evidence
- 🟡 **Partial** — some evidence exists but gaps remain
- ❌ **Not Implemented** — no evidence of implementation
- **N/A** — documented exclusion with justification

**Priority definitions:**
- 🔴 **Critical** — direct violation risk, regulatory penalty exposure
- 🟡 **High** — significant gap requiring near-term remediation
- 🟢 **Medium** — improvement opportunity, best practice

### 4. Summary Statistics

| Status | Count | Percentage |
|--------|-------|------------|
| ✅ Implemented | X | X% |
| 🟡 Partial | X | X% |
| ❌ Not Implemented | X | X% |
| N/A | X | X% |
| **Total** | **X** | **100%** |

### 5. Remediation Roadmap

| Phase | Timeline | Actions | Resources | Dependencies |
|-------|----------|---------|-----------|-------------|
| Quick Wins | 0-30 days | [Actions] | [Resources] | [None] |
| Short-term | 1-3 months | [Actions] | [Resources] | [Dependencies] |
| Medium-term | 3-6 months | [Actions] | [Resources] | [Dependencies] |
| Long-term | 6-12 months | [Actions] | [Resources] | [Dependencies] |

### 6. Risk Register (from gaps)

| # | Gap | Likelihood | Impact | Risk Score | Treatment |
|---|-----|-----------|--------|------------|-----------|
| 1 | [Gap] | 1-5 | 1-5 | L×I | Accept/Avoid/Transfer/Mitigate |

---

## Usage Notes

- Adapt the requirement rows to the specific framework being assessed
- For multi-framework assessments, add a "Framework" column
- Always include the specific article/clause/control reference
- Document evidence sources for implemented controls
- For partial implementations, specify what is missing
