How-to

Running a gap analysis

See per-section compliance percentages for any active framework.

Last updated 26 April 2026

Open a framework from the Frameworks page. The detail view shows each section (e.g. NIST CSF functions, ISO 27001 clauses, FedRAMP control families) with:

  • Total controls mapped into that section (count from control_framework_map)
  • How many of those are marked implemented
  • Compliance % for the section

To close a gap: a section at 0% has no controls mapped to it yet. Either map an existing control from the Controls library or create a new one that covers the section's intent, then mark it implemented once you've actually done the work.

The 9 built-in frameworks (NIST CSF 2.0, ISO 27001:2022, Cyber Essentials, SOC 2, CIS v8, PCI-DSS 4.0, GDPR, HIPAA, FedRAMP) are seeded automatically into every tenant, each with its section hierarchy (top-level sections, plus subcategories for the major ones).