What Is Gap Analysis?
Gap Analysis is the process by which we assess your current setup and identify any missing pieces that need to be in place before you begin collecting evidence for your audit. It helps you understand how ready your company is for compliance and what actions you need to take to close any “gaps” in your systems, processes, or integrations.
During Gap Analysis, Scy AI scans your workspace and uses data from your connected tools to determine whether key controls are properly implemented. It’s your first opportunity to make sure everything is aligned with your audit requirements.
Why You Need Gap Analysis
Before you start gathering evidence, it’s crucial to know if your systems meet the baseline audit requirements.
Gap Analysis helps you:
Identify missing integrations or configurations that are essential for audit readiness.
Verify your security posture by ensuring your tools and processes are in place.
Get actionable insights from Scy AI, which automatically reviews your connected data and flags issues or missing controls.
Save time during the audit by addressing problems early instead of during evidence collection.
In short, Gap Analysis gives you a clear picture of where your company currently stands and what needs to be improved before moving forward.
When to Start
You can begin your Gap Analysis once you’ve completed the following five key steps in your onboarding checklist:
Bring Your Team Onboard
Power Automations
Put Policies Into Action
Keep Your People Compliant
Activate Your Audit
These steps provide Scy AI with the context and access it needs to properly scan your workspace. Without this setup, the analysis can’t be performed accurately.
How Gap Analysis Works
Each section of the Gap Analysis focuses on a key area of your compliance setup. Here’s what to expect and what you’ll need to do:
1. Source Control Tool
Scy AI checks whether your source control (e.g., GitHub, GitLab, Bitbucket, or Azure DevOps) is connected. It then runs automated tests on the relevant monitorings to verify that automated checks and code reviews are properly enforced.
If everything looks good, you can move on. If an issue is detected, you’ll be prompted to review and fix it directly. Scytale will guide you to the exact monitoring that needs attention.
What to do: Ensure your source control tool is connected, review any flagged issues, and make sure automated checks and code reviews are in place.
2. Code Vulnerability Scanning
Scy AI checks if your vulnerability scanning integration is connected and running correctly. It tests related monitorings to ensure your organization is detecting, reviewing, and resolving vulnerabilities as required.
If issues are found, Scytale will guide you to fix them in your Control Center.
What to do: Ensure your vulnerability scanning tool is connected and make sure critical and high vulnerabilities are reviewed and resolved regularly.
3. HR Processes
You’ll be asked about your employee onboarding and offboarding processes.
This helps confirm that your HR activities are properly documented and aligned with compliance standards.
What to do: Review your HR processes or use Scytale templates to ensure that all documentation is complete and up to standards.
4. Penetration Testing
You’ll be asked whether you plan to use Scytale’s Penetration Testing service or an external one. Penetration testing is required for your audit, as it validates your system’s security posture.
What to do: Request or confirm your penetration test so it’s completed before your audit period.
5. SLA Support Ticket Tracking (SOC 2 Only)
If you’re undergoing a SOC 2 audit with availability in scope, you may be asked whether you track support ticket response times. This demonstrates that your service remains available and reliable.
What to do: Ensure you’re tracking response times for customer support tickets.
6. Uptime Tracking (SOC 2 Only)
If you’re undergoing a SOC 2 audit with availability in scope, you may be asked whether you track uptime for your product or service. This verifies system reliability and supports the availability trust principle.
What to do: If uptime tracking isn’t set up, start recording it using your monitoring tool of choice.



