The main thing to ensure in any compliance gap analysis is that the scope is understood by both you -- the stakeholders and any other people involved in the compliance processes. To do this you'll need to establish:
- The relevant stakeholders for the analysis.
- The systems, people and processes that are going to be included in the review.
- The detailed requirements against which the gap analysis is to be performed.
One of the key problems in many gap analyses is often getting time in people's diaries for interviews. I find that it helps to first email potential interviewees with a clear statement of the purpose of the interview and the topics that will be covered.
No matter how many steps you take to prepare for the analysis, there is no substitute for knowing the requirements in detail. Also keep in mind that interviews have a habit of going in different directions, so you need to thoroughly understand the metrics being applied in order to gain the required information during the limited interview time available.
This was first published in January 2010