Compliance Gap Calculator

Calculate your compliance score, analyze control implementation gaps, estimate remediation costs, and assess audit readiness for frameworks like SOC 2, ISO 27001, HIPAA, GDPR, PCI-DSS, and NIST CSF.

Analyze Your Compliance Posture and Identify Gaps

Preparing for a compliance audit requires understanding where you stand. Our Compliance Gap Calculator helps you assess your current control implementation, identify gaps, estimate remediation costs, and determine your audit readiness for major frameworks including SOC 2, ISO 27001, HIPAA, GDPR, PCI-DSS, and NIST CSF.

What Is Compliance Gap Analysis?

Compliance gap analysis is a systematic process of comparing your current security controls and practices against the requirements of a compliance framework. It identifies missing controls (gaps), partially implemented controls, and areas where documentation or evidence is insufficient. The goal is to create a roadmap for achieving and maintaining compliance with regulatory or industry standards.

Compliance Score Formula

Score = (Fully Implemented + 0.5 × Partial) / Total Controls × 100%

Why Perform Gap Analysis?

Audit Preparation

Identify deficiencies before auditors do. Understand exactly what needs to be remediated and how long it will take to achieve certification.

Budget Planning

Estimate remediation costs accurately. Justify compliance investments to leadership with data-driven projections.

Risk Prioritization

Focus resources on critical gaps first. Not all controls are equally important - prioritize those with the highest security impact.

Progress Tracking

Measure compliance improvement over time. Regular gap assessments help track remediation progress and maintain momentum.

Frequently Asked Questions

SOC 2 Type I examines control design at a point in time, while Type II tests control operating effectiveness over a period (usually 6-12 months). Type II requires demonstrating that controls not only exist but have been consistently followed.

SOC 2 has ~64 Trust Services Criteria, ISO 27001:2022 has 93 Annex A controls, HIPAA has ~75 implementation specifications, GDPR has ~50 requirements, PCI-DSS v4.0 has 64 requirements with ~300 sub-requirements, and NIST CSF 2.0 has 108 subcategories.

Timeline varies by framework and current maturity. First-time SOC 2 typically takes 6-12 months, ISO 27001 certification 12-18 months, and HIPAA compliance 6-12 months. Factors include organization size, existing controls, and resource availability.

Critical gaps are missing controls that pose significant risk and often block certification. Examples include: lack of MFA, missing encryption at rest/transit, no formal incident response plan, absent access reviews, or inadequate logging and monitoring.

Average costs per control vary: $2,500-5,000 for technical controls (tools, configuration), $1,500-3,000 for policy/procedure controls, and $5,000-15,000 for controls requiring new infrastructure or significant process changes. Audit costs range from $15,000-50,000+.
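The score formula given above and the per-control cost ranges from this answer, combined into one small gap calculator. This is an added example, not CalculateYogi's own code: the control list is constructed, and treating a partially implemented control as costing half its range is an assumption of the example, not something the page states.

```python
from dataclasses import dataclass

# Remediation cost ranges per control type in USD, taken from the page's FAQ.
COST_RANGES = {
    "technical": (2_500, 5_000),        # tools, configuration
    "policy": (1_500, 3_000),           # policies and procedures
    "infrastructure": (5_000, 15_000),  # new infrastructure or process change
}

@dataclass
class Control:
    name: str
    status: str             # "full", "partial" or "missing"
    kind: str               # key into COST_RANGES
    critical: bool = False  # a gap here could block certification

def compliance_score(controls):
    """Score = (Fully Implemented + 0.5 * Partial) / Total Controls * 100%."""
    if not controls:
        raise ValueError("no controls to score")
    full = sum(1 for c in controls if c.status == "full")
    partial = sum(1 for c in controls if c.status == "partial")
    return round((full + 0.5 * partial) / len(controls) * 100, 1)

def critical_gaps(controls):
    """Names of critical controls that are not fully implemented."""
    return [c.name for c in controls if c.critical and c.status != "full"]

def remediation_cost(controls):
    """(low, high) USD estimate; a partial control is assumed to cost half its range."""
    low = high = 0.0
    for c in controls:
        if c.status == "full":
            continue
        lo, hi = COST_RANGES[c.kind]
        factor = 0.5 if c.status == "partial" else 1.0
        low += lo * factor
        high += hi * factor
    return low, high

# Constructed sample assessment (not real data), using the page's critical-gap examples.
SAMPLE = [
    Control("MFA for all users", "missing", "technical", critical=True),
    Control("Encryption at rest and in transit", "full", "technical", critical=True),
    Control("Formal incident response plan", "partial", "policy", critical=True),
    Control("Periodic access reviews", "full", "policy", critical=True),
    Control("Logging and monitoring", "partial", "infrastructure", critical=True),
    Control("Vendor management policy", "missing", "policy"),
]
```

Running `compliance_score(SAMPLE)` on this sample gives 50.0, with three critical gaps and a remediation estimate of $7,250 to $17,000 before audit fees.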

Yes, control mapping is a best practice. Many controls satisfy multiple frameworks - for example, access management controls apply to SOC 2, ISO 27001, HIPAA, and PCI-DSS. Unified control frameworks like UCF or SCF help identify these overlaps.

© 2026 CalculateYogi. All rights reserved.