Skip to content
← Blog & Education · compliance 7 min read

From gap analysis to remediation you can actually track

A framework assessment tells you where you stand. Talarity's Gap Analysis turns that score into a prioritized, quantified plan — quick wins, critical fixes, and one-click remediation work items your team owns and tracks to closure.

By The Talarity team · June 17, 2026

A completed assessment gives you a number. “We’re at 23%.” Useful for a board slide, useless for a Monday morning — because a score doesn’t tell you what to do first, how much each fix is worth, or who owns it. Most teams export the gaps to a spreadsheet, rank them by gut feel, and lose the thread by the next quarter.

Talarity’s Gap Analysis closes that loop. It reads your latest completed assessment, scores every safeguard against a target maturity, and turns the shortfall into a prioritized, quantified remediation plan — separating the quick wins from the critical work, projecting the score impact of each tier, and letting you spin any gap into a tracked, owned work item in one click. The line from “we scored 23%” to “here is the owned work that gets us to 89%” is unbroken.

This is the part auditors actually press on: SOC 2 CC4.2 (evaluating and communicating deficiencies), ISO 27001 Clause 6.1/10.1 (treatment of risks and nonconformities), and the NIST RMF Assess → Authorize step all assume the gaps drive a plan of action. Here is how it works.

Who this is for

  • Compliance lead — turns an assessment score into a defensible, prioritized program of work.
  • Security owner — gets the gaps quantified by impact so the team fixes the highest-value things first.
  • Auditor — sees an unbroken line from assessment shortfall to remediation work item to closure.

What’s on the page

Open Gap Analysis (/app/gap-analysis):

  • Framework + account selector — picks which latest completed assessment to read; no re-keying or export.
  • Executive KPIsOverall Score, Total Gaps, the Critical count, available Quick Wins, and Target Coverage.
  • Priority gap list — gaps ordered by severity, each drillable to the requirement, current state, and recommended action.
  • One-click “create work item” — turns a gap into tracked remediation that lands in a real remediation plan (/app/remediation-plans/:id).

Step 1 — Open Gap Analysis

Gap Analysis (/app/gap-analysis) reads the latest completed assessment for the framework and account you select — no re-keying, no export. The top of the page is the executive read: an Overall Score, Total Gaps, the Critical count, available Quick Wins, and Target Coverage.

The Gap Analysis overview for a CIS Controls v8.1 assessment — Overall Score 23%, 43 total gaps, 28 critical, 15 quick wins, and target coverage 13 of 56 safeguards at Level 5, with a Score Overview gauge and a per-domain breakdown.

The bar everything is measured against is explicit: Target: CIS IG1 (56 safeguards) at Level 5, the system default. The Domain Breakdown on the right ranks the 18 CIS control domains so you can see at a glance which areas — Malware Defenses, Account Management — are pulling the score down.

The target is the whole game. A gap is a distance from a bar, so the bar decides what counts. Talarity defaults to the framework’s own implementation group (IG1) and full maturity, but you set the realistic target for your organization — measure against the maturity you’re actually committing to, not an aspirational one you’ll never staff.

Step 2 — Read the projections before you touch anything

Before you assign a single task, the Score Projections answer the question every remediation effort should start with: what is each tier of work actually worth? Talarity models three scenarios off your current gaps.

Score Projections estimating the score improvement from each tier of work — fixing the Quick Wins lifts the score to 33.7%, closing Critical + High gaps reaches 89.3%, and full remediation reaches 100%.

  • Quick Wins → 33.7%. The low-effort, already-mostly-there safeguards. Closing just these lifts the score by more than ten points.
  • Critical + High → 89.3%. The work that moves the needle — the gaps that are both severe and far from target.
  • Full Remediation → 100%. Everything, for when the target is non-negotiable.

This is what turns “we have 43 gaps” into a sequencing decision. The quick wins are cheap score; the critical-and-high tier is where the real coverage lives. You plan the order before you spend anyone’s week on it.

Step 3 — Work the priority gap list

Below the projections is the Priority Gap List — every gap, ranked, with the levers to slice it. The summary chips break the 43 gaps down: 28 Critical, 3 Medium, 12 Low, and 15 Quick Wins flagged across them.

The Priority Gap List — filter chips for severity (Critical 28, Medium 3, Low 12), domain, and type (Below Threshold, Unanswered, Quick Wins Only), with gaps sorted by priority, each showing its control ID, severity badge, current score and target.

The filters are how a real remediation sprint gets scoped:

  • Severity — pull just the Critical gaps for the must-fix list.
  • Domain — hand the Account Management gaps to the team that owns identity.
  • TypeBelow Threshold (answered but short of target), Unanswered (never assessed), or Quick Wins Only to build a fast-confidence first sprint.

Each row leads with its control ID and severity badge, the current score, and the distance to target — sorted by a priority that blends severity with how far the gap sits from the bar.

Step 4 — Drill into a gap

Click any gap and it expands in place — no context switch. You get the safeguard’s Implementation Guidance and a row of actions that are the actual exits from analysis into work.

An expanded critical gap (3.1, data management process, currently Level 1 against a Level 5 bar) showing its Implementation Guidance and the action row: Create Risk, Create Remediation, Link Evidence, Reclassify, View Details.

The guidance is the framework’s own language for what “done” looks like — for safeguard 3.1 that’s establishing a data management process covering sensitivity, ownership, handling, retention, and disposal. The action row is where you decide what this gap becomes:

  • Create Risk — register it as a tracked risk when the gap is really an exposure to manage.
  • Create Remediation — spin it into a work item your team owns and closes.
  • Link Evidence — attach the artifact that proves the safeguard is met (and may re-score it).
  • Reclassify — mark it Not Applicable with a justification, or adjust its bar.

Don’t treat every gap the same. A quick win wants a remediation work item and a due date. A structural gap you can’t close this quarter wants to become a risk you’re consciously accepting and monitoring. The action row lets you make that call gap by gap, instead of dumping all 43 into one undifferentiated backlog.

Step 5 — Turn a gap into tracked work, in one click

Pick Create Remediation on a gap and Talarity does the bookkeeping: it mints a remediation work item, pre-titled and described from the gap, and offers to open it so you can put an owner and a due date on it.

The "Remediation Created" confirmation — work item WI-00582 created from the gap, offering to open it now to assign an owner and set a due date.

Behind that one click, the work item is created at the right priority inherited from the gap’s severity, carries a description built from the gap’s domain and current-versus-target scores, and is attached to a remediation plan for its source — so a run of gap-driven fixes organizes itself into a plan rather than scattering loose tickets.

Step 6 — The work item lives in a real plan

Open the remediation and you land on a full work item, not a checkbox. It sits inside a remediation plan — gap-driven fixes group themselves into one plan rather than scattering as loose tickets — carries the gap’s text as its objective, and runs a real status pipeline: Backlog → In Progress → In Review → Done → Verified → Closed. The platform enforces the basics, like refusing to move an item to In Progress without an assignee.

That work item is where the fix becomes defensible. Its tabs carry a Checklist of the steps, Linked Entities back to the gap and assessment that produced it, Artifacts for the evidence, and a Verification step plus a full Audit Trail. When the item reaches Closed, you have a provable line from “we scored a gap on safeguard 3.1” to “here is the owned work, the evidence, and the sign-off that closed it” — which is exactly the thread CC4.2 and Clause 10.1 ask you to produce.

Where it ends

This workflow covers the assessment-score → gap → prioritized → remediation loop. A few adjacent doors, deliberately out of scope here:

  • The remediation plan workspace (/app/remediation-plans/:id) — milestones, approval chain, and progress rollup across many work items — has its own depth; the gap flow drops you a link to it.
  • Generating the whole GRC program from a completed assessment — the risks, work items, and KRIs a set of gaps implies, in one bulk review — is its own guide (the assessment that builds your GRC program for you).
  • Evidence gating — requiring an artifact before a high-maturity claim counts — is covered in the gated-assessment guide.

What you walk away with

  • An assessment score turned into a prioritized, quantified plan — quick wins, critical work, and the projected score impact of each.
  • Gaps that became owned, tracked remediation work items with a status pipeline, not spreadsheet rows.
  • A defensible CC4.2 / Clause 10.1 story: deficiency identified → prioritized → remediated → verified, with nothing lost between the score and the work.

Open Gap Analysis this afternoon, sort by Quick Wins, and turn the first one into a work item. The fastest points on the board are usually one click away — and the thread from gap to closure stays intact the whole way.

Loading…

See Talarity in action.

A 30-minute walkthrough or a 7-day trial — your call.