Compliance Scanner & Gap Analysis
The Compliance Scanner maps your existing policies against recognised regulatory and industry frameworks, giving you an instant view of where you stand and what you're missing. Instead of manually cross-referencing spreadsheets, the scanner automates the entire gap analysis process in seconds.
1. What the scanner does
The scanner analyses every published policy in your organisation and matches its content against the controls and requirements defined by your chosen framework. It produces three key outputs:
- Coverage percentage — the proportion of framework controls that are addressed by at least one of your published policies
- Gap list — the specific controls or requirements that are not covered by any existing policy
- Control mapping — a detailed breakdown showing which policies map to which controls, so you can verify accuracy and avoid duplication
The scanner uses your policy content and framework tags to build these mappings. Policies that are tagged with the relevant framework will be matched first, followed by content-based analysis of untagged policies.
2. How to run a scan
Running a compliance scan takes just a few clicks:
- Navigate to Compliance > Scanner in the left sidebar
- Select the framework you want to scan against from the dropdown (e.g. ISO 27001, SOC 2 Type II, GDPR)
- Click Run Scan
- The scan typically completes within a few seconds, depending on the number of published policies in your organisation
You can run scans against multiple frameworks — each scan is saved independently, so you can compare your posture across different regulatory requirements at the same time.
3. Reading your results
After a scan completes, you'll see a results dashboard with several sections:
- Coverage score — displayed as a percentage at the top of the page. Aim for 100%, but anything above 80% is a strong starting point for most frameworks.
- Gaps identified — a list of framework controls that have no matching policy. Each gap shows the control ID, description, and risk priority (high, medium, or low).
- Mapped controls — the full list of controls that are covered, along with the specific policies that address them. Click any control to jump directly to the mapped policy.
You can export the full scan report as a PDF for sharing with auditors, leadership, or external assessors. The export includes the scan date, framework version, and a complete control-by-control breakdown.
4. Acting on gaps
Once you've identified gaps, there are two ways to close them:
- Browse the Policy Store — click the Browse Store button next to any gap to see available policy templates that address that specific control. You can purchase and deploy a template in minutes.
- Write a custom policy — if no template fits your needs, click Create Policy to start a new draft. The gap details (control ID and description) are pre-filled in the framework tags to ensure the new policy maps correctly on your next scan.
Prioritise gaps by risk level. High-risk gaps — typically those related to data protection, access control, and incident response — should be addressed first. Medium and low-risk gaps can be scheduled into your regular policy review cycle.
5. Supported frameworks
PolicySuite supports 110+ compliance frameworks across eight jurisdictions:
- United Kingdom — Cyber Essentials, Cyber Essentials Plus, UK GDPR, ICO guidance, FCA regulations
- European Union — EU GDPR, NIS2 Directive, DORA, EU AI Act
- United States — SOC 2, NIST CSF, NIST 800-53, HIPAA, PCI-DSS, CMMC, FedRAMP
- Australia — Essential Eight, Australian Privacy Act, APRA CPS 234
- Canada — PIPEDA, OSFI B-13, Canadian Anti-Spam Legislation
- Singapore — PDPA, MAS TRM, Cyber Security Act
- Switzerland — FADP (nDSG), FINMA guidelines
- International — ISO 27001, ISO 27701, ISO 22301, ISO 9001, CIS Controls
New frameworks are added regularly. If you need a framework that isn't listed, contact us at support@policy-suite.com and we'll prioritise it.