Summary: A gap analysis compares your current ways of working with the requirements in, for example, the Swedish Cybersecurity Act/NIS2, CRA, GDPR or ISO 27001, and shows what is already in place, what partially exists and what is missing. Done right, it does not stop at a report – every gap is tied to a prioritised action, an owner and a next step.
Many organisations are currently facing several sets of requirements at once. The Swedish Cybersecurity Act/NIS2, GDPR, ISO 27001 and in some cases the Cyber Resilience Act, CRA. It can quickly become messy if every framework is handled as a separate project.
A good gap analysis helps you see what you already have in place, what partially exists and what is actually missing. But the most important thing is not the report itself. What matters is that the analysis leads to priorities, ownership and actionable measures.
What is a gap analysis?
A gap analysis compares your current ways of working with the requirements or the standard you want to measure yourselves against. It can cover governance documents, risk management, incident processes, supplier governance, technical controls, business continuity and management follow-up.
The result should not just be a list of deficiencies. It should be a basis for decisions that shows:
- what already works
- what needs to be improved
- what is missing
- what should be prioritised first
- who should own each action
How we usually structure the work
We start by defining the scope. Not every organisation needs to measure itself against everything at once. That is why we first need to understand the business, which requirements are relevant and what you have already done.
We then review documentation, interview key people and check how the work actually functions in practice. That is often where the most important insights emerge. A procedure can look good on paper yet be unknown in the organisation. A technical control can exist but lack an owner or follow-up.
We then map the current state against the relevant requirements, for example the Swedish Cybersecurity Act/NIS2, GDPR, ISO 27001 or CRA. We often use ISO 27001 as a common structure, since the standard provides a good framework for governance, risk, follow-up and improvement.
The most common mistake
The most common mistake is that the gap analysis stops at analysis.
The report gets finished. The deficiencies are identified. But no one owns the actions, nothing has a clear timeline and the work loses momentum.
That is why we tie every identified gap to a recommended action, a priority and a next step. The goal of the gap analysis is to identify and prioritise areas for improvement based on risk, in order to strengthen and further develop your information security management system – not to become a standalone report produced only for audits or supervision.
A starting point, not a one-off effort
A gap analysis is often the beginning of more long-term work. New requirements, changes in the business, new systems, incidents and audits can all mean the current state needs to be reassessed.
Done right, the analysis gives you a clearer grip on where you stand and what it takes to move forward.
Do you want to know where you actually stand against the Swedish Cybersecurity Act/NIS2, CRA, GDPR or ISO 27001? Contact us and we will start with a conversation about your current state.
Real-world examples are available among our reference cases – for example an independent review of IT and security.
This is an overview and not legal advice. Every organisation needs to be assessed based on its own operations, systems and requirements.

