Practice II · Compliance Gap Analysis

Know exactly where
you stand.

A structured, evidence-based gap analysis against ISO 27001:2022, PCI DSS v4.0, GDPR, and UAE PDPL — ending not in a verdict, but in a prioritised roadmap your team can execute.

/ 01 — First Principles

Diagnosis before
prescription.

Most compliance programmes fail at the start, not the end — by buying controls before understanding obligations, or scheduling a certification audit against a posture nobody has honestly measured. The result is predictable: rework, budget overruns, and an audit that becomes an ambush.

A gap analysis inverts that sequence. Before any remediation is scoped, we establish three facts with evidence: what the framework requires of you specifically, given your scope and context; what you already satisfy — usually more than expected; and where the genuine gaps are, sized by risk rather than by checklist order.

The outcome is an honest, documented position that turns certification from a leap of faith into a project plan — and gives your board a defensible answer to the question "how far are we, really?"

/ 02 — Coverage

Four frameworks.
One methodology.

Certification

ISO 27001:2022

Full assessment against the 2022 control set — clauses 4–10 and Annex A — producing a Statement of Applicability and a certification-ready remediation plan.

Payments

PCI DSS v4.0

Scope definition, segmentation review, and control assessment across the twelve requirements — including the customised approach where it genuinely fits.

Privacy · EU/UK

GDPR

Lawful-basis mapping, records of processing, data-subject rights readiness, and the security-of-processing controls Article 32 actually expects.

Privacy · UAE

UAE PDPL

Assessment against Federal Decree-Law No. 45 of 2021 — consent, cross-border transfer, and controller obligations for UAE-connected operations.

Extensions to NIST CSF, SOC 2, and sector frameworks available on request.

/ 03 — Method

Five steps.
No theatre.

01

Scoping

Boundaries agreed up front: entities, systems, data flows, and the framework clauses that genuinely apply.

02

Evidence Review

Policies, configurations, and records examined directly — we assess what exists, not what interviews claim.

03

Control Assessment

Each control rated for design and operating effectiveness, with the gap and its risk consequence stated plainly.

04

Report

A documented gap analysis written for two audiences at once: executives who decide, and engineers who fix.

05

Roadmap Walkthrough

A working session with your team to sequence remediation by risk, effort, and dependency — not alphabetically.

/ 04 — Deliverables

What lands on
your desk.

Every engagement closes with four artefacts — documents built to be used the day after we leave, and to stand up to auditor and regulator scrutiny thereafter.

  • Documented gap analysis

    Control-by-control findings with evidence references, effectiveness ratings, and an executive summary that says what matters in one page.

  • Statement of Applicability

    The ISO 27001 SoA drafted with justifications for inclusion and exclusion — the document certification auditors read first.

  • Risk register

    Gaps translated into business risks with owners, likelihood and impact ratings, and treatment options — ready to govern from day one.

  • Prioritised remediation roadmap

    Sequenced by risk reduction per unit of effort, with dependencies mapped and quick wins separated from structural work.

/ 05 — Fit

Three situations that
call for it.

Certification-bound

You need the certificate

ISO 27001 certification or PCI DSS attestation is on the board agenda with a date attached. A gap analysis tells you whether the date is achievable — and what it will actually take to hit it.

Regulator-driven

A supervisor is asking

A regulator, central bank, or data protection authority has raised expectations — or an inspection is scheduled. You need a documented, evidence-based position before they form one for you.

Customer-driven

Your customers audit you

Enterprise clients are sending security questionnaires and audit clauses. A credible gap analysis and roadmap turn procurement friction into a demonstration of maturity.

/ 06 — Questions

Asked often.
Answered plainly.

How long does a gap analysis take?

Duration depends on scope — the number of frameworks, entities, and systems in play — and is fixed at scoping, before work begins. Single-framework engagements for a focused environment run in weeks, not months. The timeline is agreed in the scoping document, alongside deliverables and commercial terms.

Is this an audit? Will we be certified at the end?

No — and the distinction protects you. Certification is issued by accredited certification bodies and PCI assessments by QSAs; we are deliberately neither, so our assessment carries no incentive to soften findings or sell remediation. What you get is an unvarnished picture and a roadmap that makes the formal audit predictable.

Can you assess more than one framework in a single engagement?

Yes — and it is usually the efficient choice. The frameworks overlap heavily: a single evidence-gathering pass can be mapped against ISO 27001, PCI DSS, GDPR, and UAE PDPL simultaneously, with one consolidated roadmap. You remediate once and satisfy several obligations at a stroke.

What do you need from our team?

Access and honesty. Practically: a point of contact, documentation as it exists today (imperfect is fine — that is the point), and short evidence sessions with system owners. We work remote-first over secure channels, with on-site presence where the scope warrants it.

/ 07 — Engage

Replace assumptions
with evidence.

Tell us which frameworks are in play. We'll scope the analysis — and tell you honestly if you don't need one yet.

30 min · Video · No obligation