GRC Delivered, Not Gap-Analyzed: SOC 2, ISO 27001, and GDPR
Executive Summary
The standard GRC engagement ends with a binder. A firm comes in, measures you against SOC 2 or ISO 27001, and hands back a gap analysis: a color-coded spreadsheet of everything you are missing. Then they leave, and the missing controls are still missing. A gap analysis describes the work. It does not do the work.
There is a different model, the one we run: deliver the controls so they are actually running, and collect the evidence as the work happens, so the audit becomes a review of what is already true instead of a month of reconstruction. This is what “built in, not bolted on” means when the subject is compliance. What follows is the difference between the two, framework by framework, and why the delivery model holds up when the auditor arrives.
The binder that doesn’t ship a single control
It plays out the same way almost every time. A company needs SOC 2 because a big customer asked for the report as a condition of the contract. They hire a readiness firm. Six weeks later a polished gap analysis arrives: 140 findings, neatly categorized, red and yellow and green. Everyone feels a brief sense of progress, because the document is thick and the problem finally has an inventory.
Then the firm’s engagement ends. The 140 findings are now the company’s to implement, and the company hired the firm precisely because it did not have the time or the in-house security depth to do that. So the findings sit. The access reviews that were supposed to run quarterly do not get scheduled. The logging that was supposed to be centralized stays scattered. Nine months later, the week before the audit, the team is reconstructing a year of evidence from screenshots and Slack messages, trying to make it look like the controls were running all along.
The gap analysis was not wrong. It was just not the work. It told the company where it stood and left the actual standing-up of controls, the hard and unglamorous part, entirely undone.
What each framework actually asks for
The three frameworks companies ask about most are not documents to be written. They are sets of controls that have to run continuously, and each one fails in the same place: not in the policy, but in the operation.
SOC 2 is not a certificate. It is an auditor’s opinion, over a window of time, that the controls you claimed were operating actually operated. A Type II report covers a period, often six or twelve months. That means the evidence has to exist across that whole window. You cannot create it the week before. Access reviews, change management, monitoring, and incident handling either ran and left a trail, or they did not.
ISO 27001 is a management system, not a checklist. It asks whether you run an information security program with a real risk assessment behind it, controls chosen to match that risk, and a review cycle that keeps improving them. The certificate lapses if the system stops running. It rewards the operating discipline, not the binder of policies.
GDPR lives in the data layer. It asks where personal data flows, what lawful basis you have for holding it, how consent was captured, and how fast you can find and delete a person’s records on request. These are not questions a policy document answers. They are questions your systems answer, or fail to, when a data subject request lands.
The through-line is the one governance argument we make about everything: the competitive protection is not the certificate on the wall. It is the layer underneath it, running whether or not anyone is watching.
What good looks like
Good looks like compliance delivered as a running program, not assessed as a one-time snapshot. The controls are stood up and operating. The evidence for each one is collected continuously, as the work happens, so the audit is a review of a trail that already exists.
It also looks like one program covering the overlap, not three separate scrambles. SOC 2, ISO 27001, and GDPR share a large common core: access control, logging and monitoring, change management, risk assessment, vendor management, and incident response. Stand those up once, well, and most of each framework is already satisfied. The frameworks diverge at the edges, and the edges are where the specialized work goes, but the shared foundation is built one time and serves all of them.
And it looks like the audit stopping being an event. When evidence rolls forward continuously, the week before the audit is not a fire drill. It is a review of what is already true. That is the difference a delivery model makes, and it is the whole reason to run compliance as a program rather than buy a readiness report.
Where this tends to break down
The trap worth naming is treating compliance as a document problem when it is an operations problem. A gap analysis, a policy library, and a certificate are all artifacts. They describe or attest to controls; they are not the controls. It is easy to spend the budget on the artifacts and mistake having them for being secure, and the mistake surfaces at the worst possible time, when an auditor asks for a year of evidence that was never collected, or when a breach reveals that the documented control was never actually running.
The other failure mode is the one the gap-analysis model builds in by design: the deliverable is a list of work for someone else to do. If the company had the capacity to implement 140 findings, it would not have needed the readiness firm in the first place. Handing an under-resourced team a longer to-do list is not the same as closing the gap. The gap closes when someone stands up the controls and keeps them running.
If you take one thing from this
A gap analysis tells you where you are. It does not move you. Compliance is not delivered by the document that measures you against a framework; it is delivered by the controls that run and the evidence they produce while they run. Buy the assessment if you want a map. If you want to pass the audit and, more to the point, actually be secure, the work is standing up the controls and keeping them running, with the evidence collected as it happens.
Next Step
Katalor Security runs governance and compliance as a delivered program through our MSP partnership with CyberGlobal: controls stood up and operated, with evidence for SOC 2, ISO 27001, and GDPR collected continuously rather than reconstructed before an audit. If your compliance today is a gap-analysis binder with most of the findings still open, that is the gap to close. Schedule a scope call at sec.katalorgroup.com.