What is a Gap Assessment

Identify the steps needed to reduce risk and pass audits

Whether it’s a government body, a contractual obligation with a customer, an industry requirement, a private-sector framework, or a nonprofit authority, organizations often have a set of rules and security controls they must adhere to. To ensure you can earn contracts, stay accredited, and stay certified, identifying where you currently fall short in your administrative, physical, and technical security is a crucial step.

How does Secure Shield approach gap assessments?

After determining which regulation(s) your organization must adhere to, Secure Shield analysts will work with your team to understand which capabilities and controls are in place—ultimately helping you identify shortcomings in your requirements. With an emphasis on improving your overall security fundamentals, compliance falls naturally in place after that. Because of this, we can support a wide range of requirements across almost any industry.


The Center for Internet Security is a nonprofit that developed standards in the form of the CIS Controls and CIS Benchmarks. Their 20 controls are a prioritized list of action items to minimize attacks.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the is a federal standard specifically for protected health information (PHI). Regulated by the Office for Civil Rights, HIPAA outlines the permissible use and disclosure of PHI in the USA as set forth by HHS guidelines


PIPEDA is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents.  It doesn’t only cover health information. Instead, its aims are much broader. They include banking, communications, and other industries that store personal data.

Canadian Baseline Cyber Security Controls for SMB

Created for small and medium organizations seeking to improve their cybersecurity resiliency. This framework is designed to provide a baseline, not a comprehensive (and complicated) plan. Its goal is to provide 80% of the benefit from 20% of the effort, making it easily accessible to smaller businesses.


The Investment Industry Regulatory Organization of Canada (IIROC) is a self-regulatory organization and is the equivalent of the Financial Industry Regulatory Authority (FINRA) in the United States


This framework was prepared by the National Institute of Standards and Technology (NIST). It is a voluntary framework focused on helping organizations manage and reduce risks, and fostering communication among internal and external stakeholders.

Gap Assessment Steps

Interview Staff

It’s important to talk to staff who are responsible for each area of the requirement in question. We need to be if the staff understands how their daily functions impact the security program and its requirements.

Review Evidence

After the interview is conducted, our analysts will take the information gathered, assess what’s being done, and see where there are discrepancies between the two.

Develop Roadmap

Once the evidence is reviewed, the analyst can determine where there are shortcomings in the regulatory requirements. Then they’ll develop a detailed plan outlining the to-dos, timeline, and cost needed to comply.

Our Unique Approach

Benefits of working with Secure IT Systems


Secure Shield has been in business for over 10 years, and our team has more than 300 years of combined experience working in information security and boasts 30 different kinds of certifications. When it comes to growing a security program that complies with regulatory standards, you have the benefit of experience in your corner.


Our mission at Secure Shield is to fix the broken information security industry. Not only do we help you comply with standards, but we also solve as many weaknesses as we can in your security environment. We are dedicated to making real, lasting, impactful changes to your security program.


Our style isn’t “cookie cutter.” We recognize that each organization is different, and every security program is at a different stage of maturity. We get to know your security program intimately, use assessments to determine what your strengths and weaknesses are, and then apply industry best practices to provide next steps that’ll help you meet regulatory requirements.


Information security is all we do. We don’t do IT, sell hardware, or provide telco services. We only do security. Because of this, our team can provide unbiased recommendations that will actually make a dramatic impact to the way you do security. We work hard to be a partner—collaborating with and educating your team every step of the way.


Gap Assessment FAQ

What do the deliverables look like

Secure Shield uses a risk assessment methodology and platform called S2. The final report will list specific controls you need to adhere to and map to the corresponding controls in S2. It will also list the specific control and whether it’s being met, not being met, or if not applicable.

What does the timeline look like

It typically takes between 4-16 hours to conduct interviews with your staff. In total, it takes anywhere from 4-6 weeks to complete the entire engagement

How often does this need to be done?

On average, regulatory requirements need to be met every 1-2 years, so these need to be conducted at least that often. It cannot be a one-and-done—it must be an ongoing process.

Does Secure Shield conduct the audit too?

It is crucial to us that we stay objective when handling cybersecurity services. Grading your own paper is an easy way to bring unintentional bias, leading to a false sense of security. We help improve security programs and determine gaps in compliance—but we stop there.

“Secure Shield has been there since day one to ensure that the technology we put in place today supports our operations tomorrow.”

Other Services

Our industry-specific expertise enables your business to streamline workflow and increase productivity. No matter the business, Secure Shield has you covered with IT services customized to your company’s specific needs.