As part of any organisation's commitment to improve its cyber security, it should implement an analysis of its current security posture and capabilities in many areas in order to provide a baseline.
This baseline can be utilised to provide a measurement of improvement for the organisation in terms of governance, process, user education, or implementation of technical or physical controls to minimise risk to the organisation. Improvement is only possible if organisations have an initial established position or benchmark from which to measure change.

Through the use of a recognised framework such as the UK government's Cyber Essentials or its '10 steps to cyber security', NIST's Cybersecurity Framework v1.1 or the Centre of Information Security's CIS controls, the gap analysis/capability assessment process involves determining, documenting and obtaining management's recognition of the variance between the requirements set forth in the chosen control framework and/or best-practice standard and the organisation's current information/cyber security programme.

Synovum's gap analysis/capability assessment can assist your organisation in building an effective security programme, which will help to minimise exposure to cyber risk, and ensure a clear strategy for handling future incidents while maintaining a process for continual improvement and monitoring.

The gap analysis process comprises five main stages:

  1. Scope - confirmation of scope for gap analysis and future vision ('to-be');

  2. Discovery - information gathering (via questionnaire/workshop/interviews with stakeholders) to determine the current ('as-is') situation;

  3. Analysis - review of the information provided during the discovery phase and subsequent analysis;

  4. Reporting - production of a report outlining the information provided and the results of the analysis, including proposed recommendations;

  5. Improvement - development and implementation of improvement plan.

In terms of elements to be reviewed as part of a gap analysis/capability assessment review, consideration would be given to the following:

  • Information/cyber security policies and procedures

  • Asset Management

  • Security programme management

  • HR processes relating to security

  • Access control

  • Physical security

  • Communication security

  • Information systems management

  • Incident response planning/management

  • Regulatory compliance
The gap analysis process will assist organisations in building an effective information security programme, which helps to both minimise exposure to cyber risk and ensure a clear strategy for handling incidents is in place, while maintaining a process for continual improvement and monitoring.

Following identification of any gaps, a Security Improvement Plan (SIP) can be developed which provides a foundation for setting priorities, assigning ownership, allocating investments of time, money and human resources, and for measuring and improving compliance with the guidelines. The SIP would be aligned with your chosen framework to facilitate compliance, and a road-map to compliance would also be provided.

Following implementation of the SIP, further gap analyses/capability assessments should be scheduled to compare the organisation's revised 'as-is' security posture against its 'to-be' objectives.

Please contact us for further information regarding the gap analysis/capability assessment that we can carry out for your organisation.

"My work experience with Andy as senior information security expert was productive in Lebanon during which he delivered a professional well-drafted product, in a participatory manner."

Peter Salloum, International Development Expert in Conflict/Post-Conflict Countries

© 2019 Synovum Limited