---
title: "Gap Assessment"
type: concept
tags: []
sources: [compliance-auditor]
last_updated: 2026-04-30
---

# Gap Assessment

## Definition

Gap Assessment is the analytical process of systematically evaluating the distance between an organization's current security posture and its target state, measured against the requirements of a target compliance framework (such as SOC 2 or ISO 27001).

## Core Components

### Standard Format (as defined by ComplianceAuditor)

Every gap finding must include:

1. **Control Reference**: the corresponding control identifier in the framework (e.g. CC6.1)
2. **Current State**: the organization's actual present state
3. **Target State**: the state that satisfies the control requirement
4. **Remediation**: concrete, actionable remediation steps
5. **Effort**: the estimated time required to complete the remediation
6. **Priority**: the priority, based on risk and the audit timeline

### Scoring Criteria

- **Ready (100/100)**: fully meets the requirement
- **Partial**: partially meets the requirement; a gap remains
- **Non-Compliant**: does not meet the requirement at all

## Deliverable Format

```markdown
## Gap Assessment Report

**Assessment Date**: YYYY-MM-DD
**Target Certification**: SOC 2 Type II
**Audit Period**: YYYY-MM-DD to YYYY-MM-DD

## Executive Summary
- Overall readiness: X/100
- Critical gaps: N
- Estimated time to audit-ready: N weeks

## Findings by Control Domain
```
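
As an added example (not from this note or from ComplianceAuditor), the following Python models one finding with the six required fields from the Standard Format, flags empty fields, and rolls a list of findings up into the Executive Summary lines of the deliverable above. The Partial = 50 weight, the Critical/High/Medium/Low priority scale, the sequential effort sum and the sample findings are all assumptions; CC6.1 is from the note, CC6.2 and CC7.2 are other SOC 2 common criteria.

```python
from dataclasses import dataclass, fields
from enum import Enum
from statistics import mean

class Status(Enum):
    READY = "Ready"                  # fully meets the control: 100/100
    PARTIAL = "Partial"              # partly meets it; a gap remains
    NON_COMPLIANT = "Non-Compliant"  # does not meet it at all

# The note fixes only Ready = 100; Partial = 50 is an assumed weight.
STATUS_SCORE = {Status.READY: 100, Status.PARTIAL: 50, Status.NON_COMPLIANT: 0}
@dataclass(frozen=True)
class GapFinding:  # the six required fields plus the finding's scoring status
    control_ref: str     # framework control id, e.g. "CC6.1"
    current_state: str
    target_state: str
    remediation: str
    effort_weeks: float  # estimated effort to remediate
    priority: str        # assumed scale: Critical / High / Medium / Low
    status: Status

    def missing_fields(self) -> list[str]:
        """Required text fields left empty; a finding with any is invalid."""
        return [f.name for f in fields(self)
                if isinstance(getattr(self, f.name), str) and not getattr(self, f.name).strip()]

def overall_readiness(findings: list[GapFinding]) -> int:
    """Executive-summary score X/100: mean of the per-control status scores."""
    return round(mean(STATUS_SCORE[f.status] for f in findings)) if findings else 0

def critical_gaps(findings: list[GapFinding]) -> int:  # non-Ready findings rated Critical
    return sum(1 for f in findings if f.status is not Status.READY and f.priority == "Critical")

def weeks_to_audit_ready(findings: list[GapFinding]) -> float:  # assumes sequential remediation
    return sum(f.effort_weeks for f in findings if f.status is not Status.READY)

def executive_summary(findings: list[GapFinding], date: str, cert: str) -> str:
    """Render the report header and Executive Summary lines of the deliverable."""
    return "\n".join([
        "## Gap Assessment Report", f"**Assessment Date**: {date}",
        f"**Target Certification**: {cert}", "", "## Executive Summary",
        f"- Overall readiness: {overall_readiness(findings)}/100",
        f"- Critical gaps: {critical_gaps(findings)}",
        f"- Estimated time to audit-ready: {weeks_to_audit_ready(findings):g} weeks"])

SAMPLE = [  # constructed sample findings, not real audit data
    GapFinding("CC6.1", "SSO enforced for all staff", "SSO enforced", "None", 0, "Low", Status.READY),
    GapFinding("CC6.2", "Manual, unlogged offboarding", "Access revoked in 24h", "Automate it", 2, "Critical", Status.PARTIAL),
    GapFinding("CC7.2", "No central log monitoring", "Alerts on anomalous access", "Deploy SIEM", 3, "High", Status.NON_COMPLIANT),
]
```

Calling `executive_summary(SAMPLE, "2026-04-30", "SOC 2 Type II")` yields a 50/100 readiness, 1 critical gap and 5 weeks to audit-ready for the sample set.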

## Related Concepts

- [[SOC 2]]: the primary target framework
- [[Continuous Compliance]]: the ongoing monitoring mechanism that follows the assessment
- [[Evidence Collection]]: the evidence that must be gathered after gaps are remediated

## Related Sources

- [[compliance-auditor]]