How to quickly create Control Gap Analysis reports
Risk Cloud’s Automated Control Gap Analysis tool allows you to quickly build reports to identify overlapping coverage between control frameworks.
Jump to:
- Getting to the Gap Analysis tool
- Creating new Gap Analysis reports
- Viewing Gap Analysis reports
- Fields Used for Gap Analysis
- Frequently Asked Questions
In order to use the Gap Analysis tool, you must:
- Belong to a Role that has been granted the Gap Analysis-Edit and Dashboards entitlements.
  - Refer to the Module Entitlement for Roles article for more information on Entitlements.
- Have Edit access to at least one step in each of the Control Frameworks you would like to compare, or Build access to the applications in which they reside.
  - Refer to the Permission Sets article for more information on step access.
- Have a workflow designated as a Central Framework to facilitate cross-framework mappings.
  - Refer to the Control Frameworks in Risk Cloud article for more information on Central Frameworks.
Getting to the Gap Analysis tool
To access the Gap Analysis tool, navigate to Compliance > Controls using the navigation bar at the top of the page.
Users with access to the Gap Analysis entitlement will see a Gap Analysis Reports section at the top of the page. Click Create Gap Analysis Report to get started.
Note: Beneath the Gap Analysis Reports table, you will see a list of all Control Frameworks available for Gap Analysis. Frameworks must be mapped through a Central Framework, like the SCF, to be used for Gap Analysis.
Creating new Gap Analysis reports
Framework Selection
First, select a Starting Framework. This should be your organization’s most mature framework and will be used as a starting point to evaluate coverage of other frameworks.
Your Starting Framework must be mapped to a Central Framework to be used for Gap Analysis. Once you’ve selected a Starting Framework, your Central Framework will be automatically selected based on workflow mappings.
You can also use a Central Framework as your Starting Framework. For example, this might make sense if your organization is using the SCF as the basis for your internal controls.
Next, select up to three Comparison Frameworks. These should be frameworks that you want to identify coverage for, based on your selected Starting Framework. One Gap Analysis report will be created for each Comparison Framework.
Example:
If you selected ISO 27001 as a Starting Framework and SOC 2 as a Comparison Framework, using the SCF as a Central Framework, then the resulting Gap Analysis report would show you which SOC 2 requirements share mappings with ISO 27001 controls via the SCF.
Review Your Selections
Next, you’ll be asked to review your selections. The system will also generate suggested names for each of your Gap Analysis reports. You may edit these report names.
When you’re satisfied with your selections, click Create.
Report Creation
After clicking Create, you will receive a notification that Gap Analysis has been initiated. Your Gap Analysis reports will appear in a disabled state until they are ready to be viewed. They typically take 5-10 minutes to complete, but may take longer if a large volume of calculations, jobs, or bulk updates is being performed in your Risk Cloud instance.
During this timeframe, Risk Cloud is creating fields to calculate cross-framework coverage and adding them to your Gap Analysis reports. See the Fields Used for Gap Analysis section.
Viewing Gap Analysis reports
When your Gap Analysis reports are ready to be viewed, they will appear in an enabled state. Click into any report to view it.
Each Gap Analysis report displays the percentage of records from the selected Target Framework which are mapped to at least one record from the Starting Framework (“Mapped”) and the percentage which are NOT mapped (“Gap”).
Note: Because controls are not necessarily mapped one-to-one, Mapped coverage does not imply that all requirements for a mapped control have been met. Gap Analysis reports demonstrate estimated coverage based on control mappings, not control effectiveness.
You may drill down into the report to see a table of records which are Mapped or are considered Gaps.
You can edit Gap Analysis reports to change the report’s name, description, or any other configuration option – just like a regular Risk Cloud report. These reports can also be added to Dashboards.
Fields Used for Gap Analysis
To calculate cross-framework coverage, Risk Cloud creates several fields in your selected Control Framework workflows when you run a Gap Analysis.
In the Central Framework workflow, the following fields are created:
- Linked <Starting Framework> records: Text Concatenation field used to identify the names of mapped control records in the Starting Framework.
- Mapped to <Starting Framework>: Linked Records Count field (with label ranges) used to identify whether at least one linked record exists in the Starting Framework.
In the Target Framework workflow, the following fields are created:
- Linked <Central Framework> records: Text Concatenation field used to identify the names of mapped control records in the Central Framework.
- Related <Starting Framework> records: Text Concatenation field used to identify the names of indirectly mapped control records in the Starting Framework. (Uses the Text Concatenation field in the Central Framework workflow as an input)
- Mapped to <Starting Framework>: Calculation field (with label ranges) used to identify whether at least one linked record exists in the Starting Framework. (Uses the Linked Records Count field in the Central Framework workflow as an input)
Fields created by Gap Analysis can be identified by their tooltip.
Note: Text Concatenation fields will NOT be created for workflows which do not have a custom Primary Field, since System Fields are not currently supported in Text Concatenations.
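The calculation these fields perform can be sketched as follows. This is an added example, not Risk Cloud's own code: the record names and sample mappings are constructed placeholders, and the function names are hypothetical.

```python
# Constructed sample mappings; record names are placeholders, not real control IDs.
# Each dict maps a record to the Central Framework records it is linked to.
STARTING_LINKS = {
    "START-1": {"CENTRAL-A", "CENTRAL-B"},
    "START-2": {"CENTRAL-B"},
    "START-3": set(),            # starting control with no central mapping
}
TARGET_LINKS = {
    "TARGET-1": {"CENTRAL-A"},
    "TARGET-2": {"CENTRAL-B", "CENTRAL-C"},
    "TARGET-3": {"CENTRAL-C"},   # its only central record has no starting link
    "TARGET-4": set(),           # not linked to the Central Framework at all
}


def central_fields(starting_links):
    """Central side: names of linked Starting Framework records per central record."""
    linked = {}
    for start, centrals in starting_links.items():
        for central in centrals:
            linked.setdefault(central, set()).add(start)
    return linked


def gap_analysis(starting_links, target_links):
    """Return (rows, mapped_pct, gap_pct) for the Target Framework records."""
    linked_starting = central_fields(starting_links)
    rows = {}
    for target, centrals in target_links.items():
        related = set()
        for central in centrals:
            # Indirect mapping: Target -> Central -> Starting
            related |= linked_starting.get(central, set())
        rows[target] = {
            "linked_central": sorted(centrals),
            "related_starting": sorted(related),
            "status": "Mapped" if related else "Gap",
        }
    total = len(rows)
    mapped = sum(1 for r in rows.values() if r["status"] == "Mapped")
    mapped_pct = 100.0 * mapped / total if total else 0.0
    return rows, mapped_pct, (100.0 - mapped_pct if total else 0.0)


if __name__ == "__main__":
    rows, mapped_pct, gap_pct = gap_analysis(STARTING_LINKS, TARGET_LINKS)
    for name, row in rows.items():
        print(name, row["status"], row["related_starting"])
    print(f"Mapped {mapped_pct:.0f}% / Gap {gap_pct:.0f}%")
```

TARGET-3 shows that a Target Framework record linked to the Central Framework still counts as a Gap when none of its central records links back to a Starting Framework record.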
Frequently Asked Questions
Does Gap Analysis measure control effectiveness?
No. Gap Analysis reports tell you whether controls are mapped via a Central Framework, but they do not consider control effectiveness.
Do I need to use a Central Framework for Gap Analysis?
Yes. A Central Framework is required to facilitate cross-framework mappings. Reach out to your Account Team to install a Central Framework.
Which Central Framework(s) can I use for Gap Analysis?
Any Central Framework can be used for Gap Analysis! As long as your other frameworks are mapped through your Central Framework, you can run Gap Analysis.
Does Gap Analysis utilize artificial intelligence?
No. Gap Analysis reports are based solely on control mappings and do not utilize AI.
If you would like to use AI to identify suggested control mappings, check out Spark AI Record Linking Recommendations!
Why are my Gap Analysis report names disabled?
Gap Analysis reports typically take 5-10 minutes to complete, and reports will appear in a disabled state until they are ready to be viewed. Reports may take longer if a large volume of calculations, jobs, or bulk updates is being performed in your Risk Cloud instance.
Why does my Gap Analysis report display a notification saying “Report still processing”?
Gap Analysis reports may appear “ready” before calculations have finished processing. In this case, you will see a “Report still processing” message on the Visual Reports page.
This message should no longer appear after a few minutes, once the calculation has finished.
Will Gap Analysis reports appear in the Reports module?
Yes. Gap Analysis reports behave just like regular Risk Cloud reports and will appear on both the Visual Reports and Table Reports page.
Can I add more contextual field data to my Gap Analysis report?
Yes. You may edit the Table Report used for your Gap Analysis report.
While viewing your Gap Analysis report, click the Table Report Page button to navigate to the Table Report page, then click Edit Report.
Can I run a Gap Analysis on my Risks (or other workflows)?
You can run a Gap Analysis on any two workflows identified as a Control Framework which are mapped through a Central Framework.
I don’t see some of the Gap Analysis reports that my colleague sees. Why is this?
You must have the proper permissions to view any given report. To view a Gap Analysis report, you must have step permissions (Read or Edit) to at least one step in the Target Framework workflow, or Build access to the application in which it resides. Refer to the Permission Sets article for more information on step access.