Policy Gap Analysis & Assessment | McLean Risk

Policy Gap Analysis and Assessment

Find what’s missing—fast
Mind the execution gap

A practical assessment of policy/procedure coverage, control clarity, and evidence – ranked by risk and effort.

What this solves

A gap analysis compares what should be happening on paper with what is actually happening in practice. The output is a prioritized list of mismatches with practical remediation options.

This is diagnostic and improvement-focused—not a ceremonial “score.” If the result doesn’t change decisions, it’s wasted work.

Common signals

  • Audits find the same issues repeatedly even after “procedure updates.”
  • Evidence is inconsistent (people can’t prove controls ran).
  • Policies exist, but they don’t translate into actionable steps.
  • Multiple repositories or local copies cause contradictory guidance.
  • Ownership is unclear, so updates stall or happen informally.

How the work runs

We keep this practical: sample, map, document, and rank—then convert findings into a backlog.

1) Scope + sampling plan

Pick high-risk domains and high-volume processes first.

2) Document review

Assess structure, ownership, controls, evidence, and consistency.

3) Process walk-throughs

Document how teams describe current-state execution and decision points.

4) Traceability mapping

Tie requirements to steps and evidence artifacts.

5) Gap classification

Categorize gaps by impact, likelihood, and remediation effort.

6) Prioritized roadmap

Convert gaps into an executable remediation backlog template with suggested sequencing. Execution remains client-led.

What you get

The goal is a clear plan, not a pile of observations.

Gap summary report

Findings with examples and supporting observations.

Impact vs effort matrix

A prioritization view executives can understand quickly.

Remediation backlog

Owner, due date, and recommended fix per gap.

Governance improvement options

Documented governance adjustment options for client consideration.

Template improvements and drafting guidance

Avoid reintroducing the same issues in new documents.

Quick wins list

Fixes you can implement in days, not quarters.

Quick self-check

If these are true, a gap assessment will usually produce fast value.

  • You don’t have a reliable policy/procedure inventory with owners and review dates.
  • You can’t trace key controls to evidence artifacts consistently.
  • Teams disagree on “the latest version” of critical procedures.
  • Exceptions are informal or undocumented.
  • A “procedure update” is the default response to audit findings—even when the issue is execution.

FAQ

Is this an audit?

No. This is improvement-focused diagnostic work designed to prevent audit findings and reduce operational risk.

Will you assign our final risk ratings?

No. McLean Risk provides observations and prioritization options. Final risk ratings and commitments remain with the client.

Can you do this without disrupting operations?

Yes. Most work is document review and short interviews, with selective walk-throughs for confirmation.

Can this include CMMC Level 1 documentation?

Yes. The same methods apply: scope, map requirements, document evidence expectations, and identify gaps.