Three stages, in order
The gap analysis utilizes a structured three-stage procedure to contextualize, map, and score controls using the bent C2M2 criteria. Each stage produces an analytical artifact that feeds the next stage; only controls deemed directly or indirectly applicable in Stage 2 proceed to Stage 3.
Stage 1 · Contextualizing risk across deployment archetypes
The analysis begins by defining each risk scenario within the operational context of the four LLM adoption archetypes. Assuming the organization inherently possesses mature corporate governance, this stage models how each of the eight risk domains would most probably emerge within each specific archetype by outlining the probable Event, Cause, and Consequence involved.
This contextualization is necessary because a singular risk — such as data leakage — manifests entirely differently when an employee pastes text into a public web interface (Direct archetype) versus when a retrieval-augmented generation pipeline accidentally pulls restricted internal documents (Application archetype). Different manifestations require different control settings.
An indexed set of risk scenarios, one per risk-domain × archetype pair — eight domains × four archetypes = 32 contextualized scenarios.
Stage 2 · Mapping the baseline
In the second stage, each contextualized LLM risk scenario is mapped against the relevant organizational and technical controls defined in ISO 27002:2022. The analytical objective is to evaluate relevancy. Each control is assessed to determine whether it addresses the LLM-specific risk:
- Directly — the control addresses the LLM risk in a meaningful way under the given archetype.
- Indirectly — the control provides partial or incidental protection that may be useful but is not aimed at the specific LLM risk pathway.
- Fails — the control is structurally irrelevant to the LLM risk under the given archetype.
For example, traditional network segmentation (ISO 27002 control 8.22) may be highly applicable to protecting on-premise databases, but it is structurally irrelevant to preventing a prompt injection attack executed through a legitimate external API call. Only controls deemed directly or indirectly applicable proceed to the maturity evaluation in Stage 3.
Stage 3 · Assessing control maturity
For controls deemed directly or indirectly applicable, maturity is assessed using the adapted C2M2 MIL scale (0–3). The assessment follows a dual progression: Approach (the completeness of the practice) and Management (the institutionalization of the practice). To ensure analytical rigor, the assignment of these MIL scores is guided by the four qualitative criteria:
- Coverage and specificity govern the Approach progression.
- Operationalizability and adaptability govern the Management progression.
Each applicable control receives a Current MIL (the as-is state for the simulated 1009 LTD baseline) and a Target MIL (the required to-be state for safely operating under the given archetype). The difference is the capability gap that feeds the Priority Quota calculation.
End-to-end flow
| Stage | Input | Operation | Output |
|---|---|---|---|
| 1. Contextualize | 8 risk domains × 4 archetypes | Cause, Event, Consequence statement per pair | 32 contextualized scenarios |
| 2. Map baseline | 32 scenarios × 70 ISO 27002 controls | D/I/F relevancy classification | Applicable control set per scenario |
| 3. Assess maturity | Each applicable scenario-control pair | MIL 0–3 (current & target), guided by 4 criteria | Capability gap per pair |