A gap analysis is a type of survey instrument that is used to determine the differences (gaps, also known as a ‘delta’) between an organization’s management system and the requirements of controlling criteria, such as standards like ISO 9001:2015.
A gap exists where existing policies, processes or procedures do not fully meet the stated requirements.
What follows is our definitive guide for how to conduct a Gap Analysis. It is geared towards ISO 9001, but can also be applied to ISO 14001, 45001, 27001 etc. You won't find a more detailed gap analysis process online anywhere. It's a long read - but includes all the steps necessary and everything you need to know about how to perform a gap analysis.
- What is a Gap Analysis?
- When To Do A Gap Analysis?
- What is a Gap Analysis Checklist?
- How to Conduct a Gap Analysis
- Benefits of a Gap Analysis
- Why Is a Gap Analysis Important?
- Using a Gap Analysis Checklist
- 1 Assigning Responsibilities
- 2 Create or Purchase a Gap Analysis Checklist
- 3 Scheduling the Gap Analysis
- 4 How to Perform a Gap Analysis
- 5 Reviewing & Reporting the Findings
- 6 Implementing Actions and Improving the QMS
- What Can Happen When a Gap Analysis Is Done Incorrectly?
- Gap Analysis Checklist & Template
A gap analysis is performed at the start of your ISO project. This is the first step in the process and should be performed as soon as your company has made the decision to become ISO certified.
It should not take place:
A gap analysis will help scope out the improvements you need to make in your current quality management system and will make the ISO paperwork easier for you.
A gap analysis checklist highlights and summarises the requirements contained in a standard – for example ISO 9001:2015; it is not intended to cover all of the requirements from the standard comprehensively, only an overview of them.
It is used to capture the gaps in your organization’s management system and the requirements of ISO 9001:2015, with the goal of determining:
Make sure that you purchase copies of ISO 9000:2015 and ISO 9001:2015. Read them both and make yourself familiar with their language and concepts. Although it is written in a dense, formal language, the clause titles in ISO 9001:2015 are fairly self-explanatory.
While the process to becoming ISO 9001 certified is complex, the process of running a gap analysis is considerably less complicated. There are six major steps in the process for completing a gap analysis of ISO 9001, you can read more about these steps in the next sections.
Your organization may already have in place a compliant quality management system or you might be running an uncertified system; the gap analysis checklist provides a structured framework to help assess the current status of your QMS in terms of fulfilling the requirements ISO 9001:2015.
After the gap analysis, you should have a clear picture of how your existing quality management system compares with the requirements of ISO 9001. In general, the steps for conducting a gap analysis are:
These differences and gaps should be organized into a detailed findings list, for review and approval by top management.
In summary, the gap analysis should include a review of all processes and procedures for management controls and technical controls, such as for sampling, method validation, equipment calibration, qualification and maintenance, employee qualifications, and others.
The unique knowledge obtained about the status your existing quality management system will be a key driver of the subsequent implementation approach.
Using the output of the gap analysis, you can develop a findings list and action plan, which can include additional tasks such as selecting and dealing with an accreditation or certification body.
Not only will a gap analysis template help you to identify the gaps, it will also allow you to recommend how those gaps should be filled.
Armed with this knowledge, it allows you to establish accurate budgets, timelines and expectations which are proportional to the state of your current management system when directly compared to the requirements of the standards.
The gap analysis output, in the form of a findings list, provides a valuable baseline for the implementation process as a whole and for measuring progress.
Try to understand each business process in the context of each of the requirements by comparing different activities and processes with what the standard requires.
At the end of this activity you will have a list of activities and processes that comply and ones that do not comply. The latter now becomes the findings list and the target of your action plan.
Now, that sounds like a lot of work when you could just skip straight to filling out the certification forms. Why bother with all those extra steps?
A gap analysis is important because it will highlight what areas are missing that your business needs to complete in order to qualify for ISO.
It is important to start with a gap analysis first in order to see what your company already does to meet the ISO requirements and what it needs to work on.
A gap analysis can help:
A gap analysis will help your business save valuable time. Instead of blindly stumbling through endless confusing paperwork, without knowing whether your business qualifies for ISO 9001 certification or not, use a gap analysis to determine where to begin in the paperwork process.
Save time by learning where your company falls short and improving those areas, before getting swamped in a sea of paperwork.
A gap analysis can also save your business money in the long run. Yes, it may cost money to hire a professional consultant, or to purchase a gap analysis checklist, or even to assign one of your own employees to perform the analysis. However, running a gap analysis will be less expensive even if its only time that you save.
Jumping headfirst into a mass of paperwork before properly preparing will only lead to wasted time, confusion, and frustration for whoever was assigned the task of filling out the paperwork. This loses time better spent in more productive, valuable areas.
After all, time is money, and that old adage is clearly shown when it comes to complicated paperwork.
A gap analysis can help you focus your energy. ISO 9001 has an intensive list of requirements that companies are required to uphold in order to become certified. Because it is a very involved list, it is easy to quickly become lost and focus on less relevant requirements.
With a gap analysis, your business is less likely to be running around spending resources on trying to fix areas that don’t need to be fixed and already fall into the ISO 9001 standards, while ignoring areas where your company needs improvement in following those standards. If your goals for improvement are too broad, a gap analysis can help you narrow them down.
Our gap analysis checklist is aligned with the requirements of ISO 9001:2015, and it is imperative that gap analysis is undertaken with due reference to the standard.
The gap analysis tool is divided into seven sections, which reflect the contents of ISO 9001:2015. The two gap analysis tools, Part A and Part B, provide a structured framework to assess the current status of a QMS in terms of fulfilling the ISO 9001 clauses:
Part A comprises the gap analysis checklist which is aligned with the clauses of ISO 9001 and provides comments and notes to assist users.
Part B comprises the gap analysis findings list which details the gaps and proposed remedial actions that are required to close the identified gaps between ISO 9001 and your current management system. The findings list then feeds an Action Plan.
Each question in the gap analysis checklist should be assessed by auditor for conformance to the requirements of ISO 9001, along with the auditor’s knowledge of your organization’s products, services, processes, and facilities; they will be able to make a judgement on conformity, using the criteria set out in the table below:
|Comply||Complies with stated requirements||The organization has objective evidence to support the question, and/or|
|The organization has a documented procedure or process|
|OFI||Improvement actions are needed to comply||The organization has objective evidence, but procedure or process needs improvement, and/or|
|The organization has objective evidence, but no documented procedure or process, and/or|
|The organization has a documented procedure, but is lacking some objective evidence to support the question|
|NC||Nonconformance||The organization has no objective evidence to support the question, and/or|
|The organization is lacking a documented procedure or process, and/or|
|The organization is lacking objective evidence to support compliance|
Who did you identify to conduct the gap analysis? In the ideal situation this person will also be the Management Representative since skills in project management and auditing are highly beneficial.
A gap analysis can be done by someone with less auditing experience, given that they are willing to learn and interpret the requirements of ISO 9001:2015, and are available to put the time in necessary to learn and understand the gap analysis process.
The people undertaking gap analyses exercises should be objective, be open minded, listen, communicate clearly and report fairly without bias, and familiar with the standard in order to perform an effective analysis. If your auditors have not been trained on the ISO 9001 requirements, be sure to provide training before performing the gap analysis.
Gap analysis exercises are often a time consuming, in depth process. Ideally, the person (or team) running the gap analysis will have experience in quality assurance and auditing. Whether or not you have an employee available with that kind of background of course depends on your company. If you are a small company without someone experienced in quality assurance to lead your gap analysis, do not despair!
Alternatively, there are professional ISO 9001 gap analysis consultants that may be hired to run the analysis for you. These professionals can greatly decrease the time spent on a gap analysis, compared to someone outside the ISO 9001 quality management field.
Though hiring one of these professional consultants may be more expensive than assigning one of your own employees to run the gap analysis, hiring a professional will save you a great deal of time in the long run.
The next step in the gap analysis process is to create or buy a gap analysis checklist.
A gap analysis checklist will lay out the requirements for ISO 9001 certification into a series of steps.
A checklist can help you stay on task and focus on the elements required for ISO 9001 certification. Having a checklist can help you navigate the requirements listed in the ISO 9001 form. There are two ways to obtain a gap checklist: write your own, or purchase a professionally written one.
If your business chooses to write its own checklist, it is recommended that you research existing gap analysis checklists before attempting to write your own.
Gap analysis checklists should be detailed and will often end up being a lengthy document, ours is 50 pages. Dig deep to make sure you hit all the important points, if you decide to write your own!
Purchasing a pre-existing checklist can:
A good gap checklist should be very detailed and be made up of a series of questions. It should summarize the all ISO 9001’s requirements.
View a sample of our Gap Analysis Checklist available to purchase.
Now that you have completed the preliminary steps, set up a date to conduct the analysis. Make sure that your employees know the date and time for the gap analysis, especially if you’ve hired a professional consultant.
The audit schedule should be approved by a member of your organization’s management before the start of the gap analysis cycle. When changes are made in timing, or auditors, records with justification for changes should be maintained.
Schedule the gap analysis, and communicate to all employees what is being done, and why. You will want to be able to make the employees comfortable with answering your auditor's questions.
You may want to consider sending out a newsletter to inform employees that the gap analysis will be performed, by whom, when and why the gap analysis is being performed.
Determine whether you intend to audit by process, procedure, or by area of the facility; our recommended approach is usually to audit by each area of the facility.
Divide the facility into manageable areas and schedule time to audit each section of the standard that applies to the area. If you are using an audit team, assign the team to cover the various areas of the facility.
Arrange your gap analysis checklists so each auditor will have the sections of the standard that are applicable in the areas of the facility they will cover.
Begin with the assumption that you are already doing most of what ISO requires, you probably are! Many people talk about the high cost of implementing management systems but this is a false assumption.
If you do it right and understand the standards, then implementation should not be a problem since 75% of your management system is already in place. Here are some initial review tasks to consider:
The consultant will be asking your employees questions about your quality management system (using the gap analysis checklist), so make sure your employees are prepared to answer questions.
If you have elected to do the gap analysis yourself, you should still let your employees know when you plan on conducting the analysis to ensure that they are at the top of their game and can answer the questions detailed in this gap analysis checklist.
Remember, the gap analysis focuses on the present, so only look at processes you have in place currently, not ones you are planning to add in the future, and remember to take thorough notes on your findings as you go through the gap analysis.
Following the schedule that you prepared, go into each area of the facility to evaluate the current quality management system. Focus on what is in place, and what is not in place. Remind auditors that you are not focusing on compliance or nonconformity to the current system, but on the design of the current system, and how it matches ISO 9001’s requirements.
Gap analyses can be conducted with small groups of staff. For example, a gap analysis can be conducted with the senior management group and a separate gap analysis with middle management and/or operational staff. It is not unusual to receive different responses to questions depending on the position and level of staff within the organization.
When sampling or interviewing employees, the auditor needs to decide on how many samples to take. The recommended approach is to start with two or three samples or interviews, and if uncertainty or errors, then take additional samples. Take notes on what is in place, and what will need to be developed and changed, also, take complete notes, including reference documents and examples.
For each requirement, or set of requirements, from the standard you will want to identify the status of the current system. You are then able to turn that into a findings list.
Set a completion date for having the action completed, fill that date in on your action plan. Set a date for a meeting or two to assign responsibilities for the findings list.
An important consideration in using the gap analysis checklist is that, for most staff, this will be an introduction to an audit-like process and the practical aspects of a QMS. It is therefore important that it is a positive experience from all perspectives.
Any gap analysis or audit should be focused on the processes and the overall system, not the individuals following the practices and procedures provided.
Allow enough time to do an in-depth audit. The more information you can provide for your findings list and for the action plan, the more efficient and effective your implementation project will be. When the gap analysis has been completed, meet with the auditors to summarize the results.
These results can be transferred to findings list for implementation. This meeting should be held shortly after the audit, so that information is fresh.
After the gap analysis has been completed, examine the results of the gap analysis. Take a look at what needs improvement, and what already fulfils the requirements.
This is where the note taking you did in the last step will come in handy! Continue to keep notes, detailing why a process is in need of change, not just that it needs updating to fit the requirements.
Ideally, you or the consultant will use these notes to create a list of steps to take for improving your quality management processes.
A gap analysis report should be prepared at the close of the gap analysis exercise.
The gap analysis report should include a summary of what was reviewed, the findings and plans for follow-up actions.
When you have completed the gap analysis, you will probably have many findings. Some findings might be problems and some might be opportunities for improvement.
Review your notes and collect the findings into the report. Summarize the gap analysis findings, you will usually identify several categories of tasks:
The findings and conclusions should be formally documented as part of the summary report. Too often, the audit report only recites back facts and data the managers already know.
The value is in identifying issues and opportunities they do not know! This summary should be reviewed first with the lead auditor, then the Process Owner and Management Team. Make final revisions and file the audit report and all supporting audit materials and notes.
Objective evidence of the documentation audited must be maintained; and can comprise physical or digital attachments, with file reference notations on the checklist.
When using the checklist, the revision level of the procedure, date of record or report, individual interviewed needs to be listed. When an auditor provides an Opportunity for Improvement (OFI), the auditor should review whether the process owner accepts the suggestion and the plan for dealing with the suggestion.
Often the first time that a ‘gap’ or ‘problem’ i45s put into words it is vague, subjective, or even abstract. Without a proper definition, it is unlikely that the root cause can be identified, and incorrect or insufficient corrective actions are put in place.
The implementation team will benefit from investing adequate time upfront defining the nonconformity to ensure subsequent process steps proceed accurately and efficiently.
The statement of nonconformity is the action or process that was observed to not be in compliance. The nonconformance should be written to identify the process that is not adequate.
The requirement is the action that is required that was observed not in compliance. Typically, the standard’s clause number, procedure number, or work instruction reference, information from interviews, etc. is quoted.
Nonconformities should include information on what the requirement is; what the gap is that leads to the nonconformance; and what the supporting evidence is available.
This is what was observed during the audit that caused the nonconformance to be written. Additionally, if your organization has committed to a requirement in their own documentation, e.g. their project quality plan, then evidence needs to exist that your organization conforms to the stated planned arrangements.
A good summary report is the output which is the value of any audit. It deserves an appropriate amount of attention and effort. As you moved through the gap review, you should have noted the issues and improvements you saw.
These should have been marked clearly so you are now able to quickly review and capture them as you write the gap analysis report.
These results can be transferred to the findings list for action. The more information you can add to your findings list, the more thorough and effective your overall action plan will be in latter stages.
Although positive comments are not specified on the gap analysis checklist itself, it is always good policy to include positive comments in the gap analysis report summary.
The final step you should focus on leads to the next step in the ISO 9001 implementation process which is creating a plan of action for improving your quality management systems.
When the gap analysis is complete, meet with the auditors to go through and review all under‐developed or absent elements. These results can be transferred to the findings list for an action plan.
This action plan will help you get on track to update your quality management system for certification. The action plan should be developed to allow prioritising of the different elements over a period of time.
The more information you can obtain from your findings lists, the more thorough and effective your overall action plan will be. It is also important to remember that your QMS should be customized to reflect your organization and its operating environment.
The implementation of a formal management system is best handled as a specific project that is led by someone with project management experience. Ideally, they should be a key member of the organization’s management team and have sufficient authority and trust of the personnel involved.
No matter how small your organization, failing to get your people involved will be a missed opportunity and a showstopper.
Be sure to space out the implementation activities over a reasonable timeframe. You should set clear, concise goals and deadlines for updating your quality management system, and come up with a detailed plan of action for reaching those goals.
Remember, the more specific and detailed your plan is, the easier it will be to implement.
From the previous step, you will usually identify several categories of tasks:
By implementing a management system like the one detailed in this document, your organization will have the necessary foundation to enact a culture change.
It is expected that the culture shift will start during the early development and implementation phase, and by getting involvement and consultation from the employees at this early stage, you can more easily secure buy in by assigning responsibility and utilising their skills, knowledge and experience to help develop the management system.
Think about each action. Does it require the development of a philosophy (e.g., objectives), a process (e.g., a reporting system) or a new practice. Read through the actions identified, and prioritize them.
It is useful to do a quick sensibility check, to ask yourself, "Do I really need everything I’ve identified to achieve a successful system?" This is a good time to see if your actions sufficiently address the gaps identified and are suitable for your organization.
You do not need to have each action up and running straight away. Develop an implementation plan that will allow you to phase different elements over a period of time. Go with what works. Do not try to force a process or activity that clearly has no place in your business. For example, if you are attempting to develop a risk assessment methodology, think about how complex you want to make this process; make it practical and keep a focus on what you’re trying to achieve.
It is likely that during the first few months, Top management will need to positively reinforce its requirements on a routine basis to ensure that staff maintain motivation and do not lapse back into old habits.
Iterative adjustment of new or existing quality management system documentation should also be expected as staff become accustomed to the requirements and begin to suggest improvements in usability.
Instant business or operational improvements may initially be observed.
The benefits of a properly functioning QMS are not just restricted to the knowledge that it complies with regulatory requirements but that it has the discipline to manage customer requirements effectively, and to mitigate risk.
Top management should consider creating an Implementation Team to assist in developing the new management system. This decision should be based on the size of the organization or facility that will be implementing the QMS.
This team should consist of key individuals from various divisions, departments, and operating work areas from within your organization who are familiar with the facility and the various processes within. Diversity among team members will bring together a pool of expertise and ideas from which to develop and implement the QMS.
The implementation team should meet on an ‘as needed’ basis according to the project timeline. When the implementation team meets, they must address the items on their findings list.
Spread out the implementation team meetings along the implantation timeline so you do not have too many meetings at one time. For example, you may want to have the document control team meet early in the project to establish a system to collect and control the documents that will be generated.
Whereas, the internal audit team would meet later in the process because audits will not begin until the system is complete.
After the Implementation Team members have been selected, an initial orientation meeting should be held. At the meeting, everyone involved should be informed of the organization’s planned implementation as well as team members’ new responsibilities.
The initial orientation meetings will get the programme off to a good start, but many more meetings will be necessary. While the primary activities taking place during the early meetings will involve system development and implementation, the Team Leader may also wish to use this time to provide team members with some training.
The Implementation Team should meet on a regular basis to resolve problems and to report progress. Meeting minutes should be documented as they may prove helpful when working with Certification Auditors. In some cases, auditors’ questions may be answered by the documented meeting notes.
An important part of implementation is seeing whether your actions have worked. This step focuses on what you can do to determine this. Consider doing a review six months after your initial development has started; you can increase the interval as your QMS matures.
To understand what is working, and what is not, consider getting both an internal and external perspective. Use your initial gap analysis to identify what may need updating. Have things changed? Talk to your staff and see what they think.
Ensure that your organization has selected the appropriate tools and techniques to investigate the causes and thereby establishing and implementing a process for continual improvement.
The impetus for continual improvement must come from the use of (as a minimum):
Requirements for continual improvement interrelate with the following clauses:
Processes can always be made more efficient and effective, even when they are producing conforming products. The aim of a continual improvement programme is to increase the odds of satisfying customers by identifying areas that need improvement.
It requires your organization to plan improvement systems and to take into account many other activities that can be used in the improvement process.
You will be required to ensure that you continually improve the degree to which your products and services meet customer requirements and to measure effectiveness of your processes.
To this end the continual improvement principle implies that you should adopt the attitude that improvement is always possible and your organizations should develop the skills and tools necessary to drive improvement.
The PDCA cycle is a perfect way of introducing continual improvement to your organization’s activities. Each step to improvement can be defined by four sub steps, Plan, Do, Check and Act:
Also act to involve other people, departments or suppliers affected by the changes and whose co-operation is needed to implement them on a larger scale. Make sure that changes are documented properly according to the documentation requirements.
What happens if a gap analysis does not go as planned? Or if a gap analysis is misused?
Though the gap analysis itself is a relatively straightforward process, failures can still happen.
One confusion about gap analyses is that they are the only analyses a business needs to do in preparation for the ISO 9001 certification process. This is simply not the case. Gap analyses should not substitute for other assessments.
Risk management, internal audits, customer satisfaction evaluations, and other assessments should be made in addition to a gap analysis.
Each of these assessments has a different focus and fills a different purpose than a gap analysis. Because of these different focuses and purposes, one type of analysis should never replace another.
Attempting to do so could lead to complications. A few examples of what may go wrong if one analysis is substituted for another are risks may be ignored or underestimated; maintaining existing processes could be forgotten; and focus on customers could be minimized.
Another mistake often seen in gap analyses is jumping straight into a solution to a perceived problem before creating a plan of action based on the gap analysis.
This defeats the entire purpose of conducting a gap analysis by ignoring the areas the gap analysis says needs focus, and instead diving headfirst into whatever seems to be the issue, regardless of what the issue may actually be.
Similar to the previous mistake listed, another mistake made is developing improper training methods for improving quality management systems.
An administrator may sometimes begin developing training methods for employees to help improve quality management systems without first checking to make sure they fit the results of the gap analysis. This once again defeats the purpose of a gap analysis.
Creating improper documentation, whether over documenting or under documenting a process, is another area some companies have difficulty with.
In the sometimes baffling world of ISO 9001, it can be hard to tell what needs to be documented and what does not. In the past, ISO standards required that everything had documentation. This is no longer the case.
Companies that have been sticking with ISO standards for a long time now sometimes run into the problem of having a complex mass of obsolete documentation due to never revamping their documentation when an ISO 9001 update released.
Conversely, some companies have no documentation for how their quality management systems are supposed to run. The key is to have a balance between over and under documentation.
Outline clearly and concisely each process in your quality management systems, and update to suit the new ISO 9001 standards when needed.
In conclusion, with a little time and effort, you can create a gap analysis for your business.
This is one of the most important, first steps in the process of obtaining certification.
Completing it correctly helps save you time, money, resources and energy by highlighting the areas that do not meet ISO 9001 requirements in your quality management system.
Please click here for Gap Analysis Checklists and Templates proven to work.
Internal Auditing & Gap Analysis
- Internal Audit Explained
- The Complete Guide to Preparing for your ISO 9001 Audit
- How Can an Internal Audit Checklist Template Help Me?
- How to do a Gap Analysis for ISO 9001 (in 6 steps)
- How Can an Internal Audit Procedure Help Things Run Smoothly?
- Internal Audit Checklist - Everything You Need To Know
Updated: 15th October 2020
Author: Richard Keen
Richard is our Compliance Director, responsible for content & product development.
But most importantly he is ISO's biggest fanboy and a true evangelist of the standards.
Learn more about Richard