Gap Analysis
Requirement coverage, gaps, exceptions, and the review model teams use to judge audit readiness honestly.
Scope
Gap analysis is one of the fastest ways to tell whether a compliance program is converging or just accumulating artifacts. This public page keeps the working review model and removes route-level detail.
SSOT Document — Single Source of Truth
Audience: System operators, IT administrators, L1/L2 support staff
Last Updated: 2026-04-15
Overview
Gap Analysis is the primary audit-readiness view. For each framework bound to a compliance program, it shows which requirements are covered by controls, which are only partially covered, which have no coverage, and which have active exceptions. The summary KPIs give you an at-a-glance coverage percentage across all frameworks.
Getting Started
Prerequisites
- Meridian.view permission.
- A compliance program with at least one framework bound.
- Controls mapped to framework requirements (via Control > Requirement Mappings).
Using Gap Analysis
Viewing the Gap Analysis
Steps:
1. Navigate to a compliance program.
2. Click Gap Analysis in the program navigation.
Result: The page displays:
- Summary KPIs at the top: total requirements, covered, partially covered, not covered, excepted, and overall coverage percentage.
- Framework sections below, each expandable to show individual requirements.
Understanding Coverage Status
Each requirement shows a status icon:
| Icon | Status | Meaning |
|---|---|---|
| Green check | Covered | At least one control with full coverage is mapped |
| Yellow circle | Partially Covered | Only partial-coverage mappings exist |
| Red X | Not Covered | No control is mapped to this requirement |
| Gray dash | Excepted | An active exception exists |
Filtering Results
Use the filter bar above the framework list:
- Framework: Filter to a single framework.
- Category: Filter by requirement category (e.g., CC1 — Common Criteria).
Filters are reflected in the URL query parameters, so you can bookmark or share filtered views.
Drilling Into Requirements
Steps:
1. Click a framework header to expand or collapse its requirement list.
2. Each requirement row shows:
   - Reference ID (e.g., CC1.1)
   - Title
   - Category
   - Coverage status
   - Mapped controls (with control reference, title, and coverage level)
3. Click the View Controls link in the header to jump to the Controls page filtered by program.
Improving Coverage
Scenario: Close Coverage Gaps Before an Audit
Situation: The gap analysis shows 15 requirements as “Not Covered” before your SOC 2 audit.
Steps:
1. Filter by coverage status = Not Covered.
2. For each uncovered requirement, determine whether an existing control addresses it.
3. If yes: go to the control and add a requirement mapping.
4. If no: create a new control, configure it, and map it to the requirement.
5. Re-open gap analysis to verify the requirement now shows as covered.
Scenario: Handle Requirements You Cannot Meet
Situation: A requirement does not apply to your environment.
Steps:
1. Navigate to the control associated with the requirement.
2. Create a Control Exception for the requirement with a justification.
3. Re-open gap analysis. The requirement now shows as Excepted with a gray dash.
Scenario: Coverage Percentage Seems Wrong
Situation: You mapped controls but coverage percentage did not change.
Steps:
1. Verify the control-requirement mapping has coverage: "full" (not "partial").
2. Verify the control belongs to the same program as the gap analysis.
3. If you recently changed a framework binding, reload the page.
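The status rules from the coverage table and the first two checks above, worked through on constructed data. This is an added example, not the product's own code: the record fields, the sample identifiers, and the rule that an active exception takes precedence over mappings are assumptions.

```python
from collections import Counter

# Constructed sample data; field names are assumptions, not the product's schema.
REQUIREMENTS = ["CC1.1", "CC1.2", "CC1.3", "CC1.4", "CC1.5"]
MAPPINGS = [  # control-to-requirement mappings
    {"control": "CTL-1", "program": "soc2", "requirement": "CC1.1", "coverage": "full"},
    {"control": "CTL-2", "program": "soc2", "requirement": "CC1.2", "coverage": "partial"},
    {"control": "CTL-3", "program": "iso", "requirement": "CC1.3", "coverage": "full"},
    {"control": "CTL-4", "program": "soc2", "requirement": "CC1.5", "coverage": "full"},
]
EXCEPTIONS = [
    {"requirement": "CC1.4", "active": True},
    {"requirement": "CC1.5", "active": False},  # inactive: must not change status
]

def classify(req, program, mappings, exceptions):
    """Return (status, notes) for one requirement, following the status table."""
    notes = []
    # Assumption: an active exception takes precedence over any mapping.
    if any(e["requirement"] == req and e["active"] for e in exceptions):
        return "Excepted", notes
    levels = set()
    for m in mappings:
        if m["requirement"] != req:
            continue
        if m["program"] != program:
            # Troubleshooting check 2: control sits in a different program.
            notes.append(f"{m['control']} belongs to program {m['program']!r}, not {program!r}")
            continue
        levels.add(m["coverage"])
    if "full" in levels:
        return "Covered", notes
    if "partial" in levels:
        # Troubleshooting check 1: mapping exists but is not coverage "full".
        notes.append("only partial-coverage mappings exist")
        return "Partially Covered", notes
    return "Not Covered", notes

def gap_report(program, requirements=REQUIREMENTS, mappings=MAPPINGS, exceptions=EXCEPTIONS):
    """Classify every requirement and tally the summary KPI counts."""
    rows = {r: classify(r, program, mappings, exceptions) for r in requirements}
    kpis = Counter(status for status, _ in rows.values())
    kpis["Total"] = len(requirements)
    return rows, kpis

if __name__ == "__main__":
    rows, kpis = gap_report("soc2")
    for req, (status, notes) in rows.items():
        print(f"{req:6} {status:18} {'; '.join(notes)}")
    print(dict(kpis))
```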
Permissions Reference
| Permission | Grants |
|---|---|
| Meridian.view | View gap analysis for any accessible program |
Related Documentation
- functional/gap-analysis.md — API endpoint, coverage logic, response schema
- manual/controls.md — control management and requirement mappings
- manual/programs.md — compliance program setup and framework binding