LibraryDocumentsGap Analysis Procedure
DOCUMENT 05 · MODULE

Gap Analysis Procedure

Three stages, in order: contextualize each risk across the four deployment archetypes, map relevant controls (Direct / Indirect / Fails), then score current and target maturity for applicable controls.

3 stagesD / I / FMIL 0–3

Three stages, in order

The gap analysis utilizes a structured three-stage procedure to contextualize, map, and score controls using the bent C2M2 criteria. Each stage produces an analytical artifact that feeds the next stage; only controls deemed directly or indirectly applicable in Stage 2 proceed to Stage 3.

Stage 1 · Contextualizing risk across deployment archetypes

The analysis begins by defining each risk scenario within the operational context of the four LLM adoption archetypes. Assuming the organization inherently possesses mature corporate governance, this stage models how each of the eight risk domains would most probably emerge within each specific archetype by outlining the probable Event, Cause, and Consequence involved.

This contextualization is necessary because a singular risk — such as data leakage — manifests entirely differently when an employee pastes text into a public web interface (Direct archetype) versus when a retrieval-augmented generation pipeline accidentally pulls restricted internal documents (Application archetype). Different manifestations require different control settings.

Output of Stage 1

An indexed set of risk scenarios, one per risk-domain × archetype pair — eight domains × four archetypes = 32 contextualized scenarios.

Stage 2 · Mapping the baseline

In the second stage, each contextualized LLM risk scenario is mapped against the relevant organizational and technical controls defined in ISO 27002:2022. The analytical objective is to evaluate relevancy. Each control is assessed to determine whether it addresses the LLM-specific risk:

For example, traditional network segmentation (ISO 27002 control 8.22) may be highly applicable to protecting on-premise databases, but it is structurally irrelevant to preventing a prompt injection attack executed through a legitimate external API call. Only controls deemed directly or indirectly applicable proceed to the maturity evaluation in Stage 3.

Stage 3 · Assessing control maturity

For controls deemed directly or indirectly applicable, maturity is assessed using the adapted C2M2 MIL scale (0–3). The assessment follows a dual progression: Approach (the completeness of the practice) and Management (the institutionalization of the practice). To ensure analytical rigor, the assignment of these MIL scores is guided by the four qualitative criteria:

Each applicable control receives a Current MIL (the as-is state for the simulated 1009 LTD baseline) and a Target MIL (the required to-be state for safely operating under the given archetype). The difference is the capability gap that feeds the Priority Quota calculation.

End-to-end flow

StageInputOperationOutput
1. Contextualize 8 risk domains × 4 archetypes Cause, Event, Consequence statement per pair 32 contextualized scenarios
2. Map baseline 32 scenarios × 70 ISO 27002 controls D/I/F relevancy classification Applicable control set per scenario
3. Assess maturity Each applicable scenario-control pair MIL 0–3 (current & target), guided by 4 criteria Capability gap per pair
PreviousMaturity model