Compliance gap analysis template (multi-standard)
A multi-standard compliance gap-analysis template — one rubric for ISO 9001, 13485, 27001, 14001, 45001, EU AI Act, GDPR. Severity, evidence, action plan.
A compliance gap analysis tells you the distance between where you are and where a standard or regulation says you must be. This template gives you one rubric that works across ISO management-system standards (9001, 13485, 14001, 27001, 45001), regulatory frameworks (EU AI Act, GDPR, EAA / EN 301 549), and customer-imposed schemes. Run it before certification, before regulatory enforcement deadlines, or after a major organisational change.
When a gap analysis pays off
- Before pursuing a new certification.
- After scope expansion (new product, new geography, new acquisition).
- After a major restructure or system change.
- Twelve weeks before a known enforcement deadline (EAA, AI Act, GDPR enforcement actions).
- Following a customer audit finding.
- As input to the management review under ISO 9001 clause 9.3.
Rubric
For each requirement (clause, article, or control), record:
| Field | Definition |
|---|---|
| Source | The standard or regulation reference (e.g., “ISO 9001:2015 §7.5”). |
| Requirement | A short paraphrase of what the source asks. |
| Applicability | Yes / No / Partial / Not in scope. |
| Current state | What you do today, with evidence. |
| Evidence reference | Document or system identifier. |
| Gap | What is missing or insufficient. |
| Severity | Critical / High / Medium / Low. |
| Owner | Named role or person. |
| Action | What will be done. |
| Effort | S / M / L / XL, order-of-magnitude. |
| Target date | When the gap is closed. |
| Status | Open / In progress / Verified / Accepted. |
| Verification | Evidence that the action closed the gap. |
The fields are deliberately flat. Multi-level scoring rubrics look sophisticated but slow the analysis down without improving outcomes.
Severity definitions
| Severity | Definition | Default response |
|---|---|---|
| Critical | Statutory non-compliance; certification blocker; material harm risk. | Address before next milestone. |
| High | Significant non-conformity in audit; customer SLA breach risk. | Address within current cycle. |
| Medium | Procedural gap; auditor will raise observation. | Schedule. |
| Low | Improvement opportunity; auditor unlikely to raise. | Backlog. |
If you already have a relationship with your auditor, calibrate these severities against their grading vocabulary (major / minor / OFI) so that findings map cleanly onto what they will report.
Source-pack-by-standard cheat sheet
A starting point for which clauses to load into the rubric.
ISO 9001:2015
Clauses 4 through 10. Common implementation gaps cluster around 4.1 (context), 4.2 (interested parties), 6.1 (risk and opportunity), 7.5 (documented information), 9.2 (internal audit), 9.3 (management review), 10.2 (corrective action).
ISO 13485:2016
ISO 13485 inherits the management-system spine and adds medical-device specifics: 7.3 design and development with formal verification and validation, 7.5.5 sterile barrier systems where applicable, 7.5.9 traceability, ISO 14971 risk management linkage, post-market surveillance.
ISO 27001:2022
Clauses 4 to 10 plus Annex A controls (93 controls in the 2022 revision, reorganised into 4 themes: organisational, people, physical, technological). Common gaps: A.5.7 threat intelligence, A.5.23 cloud-service security, A.8.10 information deletion, A.8.28 secure coding.
ISO 14001:2015
Environmental management. Highlights for gap analysis: 4.2 interested parties (regulators and affected communities), 6.1.2 environmental aspects, 6.1.3 compliance obligations, 8.2 emergency preparedness.
ISO 45001:2018
Occupational health and safety. Highlights: 5.4 worker consultation and participation, 6.1.2 hazard identification, 8.1.3 management of change, 8.2 emergency preparedness.
EU AI Act (Regulation (EU) 2024/1689)
Article 9 risk management, Article 10 data and data governance, Article 11 technical documentation, Article 13 transparency to deployers, Article 14 human oversight, Article 15 accuracy / robustness / cybersecurity, Article 17 quality management system, Article 18 record-keeping, Article 26 deployer obligations (if you also act as deployer), Article 50 transparency to natural persons, Article 72 post-market monitoring, Article 73 incident reporting.
Application timetable per Article 113: prohibitions Article 5, 2 February 2025; general-purpose AI obligations, 2 August 2025; bulk of high-risk provisions including Article 17, 2 August 2026; Annex II (existing sectoral safety-component) high-risk classification, 2 August 2027.
GDPR
Article 5 principles, Article 6 lawfulness, Article 9 special categories, Articles 12 to 23 data-subject rights, Article 25 data protection by design and by default, Article 30 record of processing activities, Article 32 security, Article 33 breach notification, Article 35 DPIA, international transfers under Chapter V.
EN 301 549 / European Accessibility Act
EN 301 549 sections 4 (functional performance), 5 (generic requirements), 6, 7, 8 (hardware), 9 (web), 10 (non-web software), 11, 12, 13. EAA enforceable from 28 June 2025 for products and services in scope.
Workflow
- Load the source pack for the standard(s) in scope.
- Walk the requirements with each process owner. Capture current state and evidence references in the rubric.
- Grade severity against the rubric.
- Compile actions into a prioritised plan with owners and target dates.
- Communicate the result to top management; this is your input to the management review.
- Track in the same system that tracks corrective actions; a parallel tracker drifts.
- Review quarterly until all critical and high gaps are verified closed.
Common pitfalls
- Treating it as a one-time exercise. Standards revise; regulations expand; gaps reopen.
- Compiling gaps without owners. Without a named owner, gaps stay open.
- Over-engineering the rubric. A 25-column scoring system slows the analysis and produces a false sense of precision.
- Skipping evidence references. The auditor will ask. The rubric must point to documented information.
- Ignoring “accepted” gaps. Accepted gaps need a review trigger and a date. Otherwise they become permanent.
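As an added example (not tooling from this page), a Python sketch of one rubric row with checks that encode the pitfalls above (missing owner, missing evidence reference, accepted gap without a review date) and a prioritisation that orders open work by the severity table; the `review_date` field and the sample rows are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Vocabulary taken from the rubric and severity tables on this page.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
STATUSES = {"Open", "In progress", "Verified", "Accepted"}

@dataclass
class Gap:
    """One rubric row; review_date is an assumed extra field for accepted gaps."""
    source: str
    requirement: str
    gap: str
    severity: str
    owner: str = ""
    evidence_ref: str = ""
    status: str = "Open"
    target_date: Optional[date] = None
    review_date: Optional[date] = None

def check(g: Gap) -> List[str]:
    """Return the pitfalls a row triggers; an empty list means it is clean."""
    issues = []
    if g.severity not in SEVERITY_RANK:
        issues.append("severity outside Critical/High/Medium/Low")
    if not g.owner.strip():
        issues.append("no named owner")        # pitfall: unowned gaps stay open
    if not g.evidence_ref.strip():
        issues.append("no evidence reference")  # pitfall: the auditor will ask
    if g.status == "Accepted" and g.review_date is None:
        issues.append("accepted gap without a review date")
    return issues

def prioritise(gaps: List[Gap]) -> List[Gap]:
    """Open work ordered Critical first, then by earliest target date."""
    live = [g for g in gaps if g.status in ("Open", "In progress")]
    return sorted(live, key=lambda g: (SEVERITY_RANK.get(g.severity, 9),
                                       g.target_date or date.max))

# Constructed sample rows; evidence references are illustrative placeholders.
SAMPLE = [
    Gap("ISO 27001:2022 A.8.10", "Information deletion", "No deletion schedule",
        "High", "IT Ops lead", "DOC-RET-01", target_date=date(2025, 9, 30)),
    Gap("ISO 27001:2022 A.5.7", "Threat intelligence", "No intel process",
        "Critical", "", "", target_date=date(2025, 12, 1)),
    Gap("GDPR Art. 30", "Record of processing", "Register incomplete",
        "Medium", "DPO", "ROPA-2024", status="Accepted"),
]
```

Running `check` over every row before the management review catches the unowned and unevidenced gaps that otherwise surface only when the auditor asks.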