Trustero AI How To: Performing a Gap Analysis Against a New Framework
In the ever-evolving world of security and compliance, organizations frequently encounter the need to adopt new frameworks. Whether it’s PCI DSS for processing credit cards or NIST 800-53 for government-related contracts, the process of assessing compliance gaps can be daunting. At the same time, revenue often depends on the adoption, and the backlogs for engineering, IT, and other stakeholders are already packed. Traditionally, this process requires significant time and expertise, but with the Trustero GRC AI Assistant, organizations can dramatically streamline their gap analysis efforts.
Why Gap Analysis Matters
When a company expands into new areas or adopts new compliance frameworks, it must assess how its existing controls align with the new requirements. The challenge, however, is that most organizations already have a customized control framework. For instance, a company which started with “out of the box” SOC 2 has likely adapted and expanded its controls to its specific environment, making a straightforward one-to-one mapping with a new framework unrealistic. Such adaptation and expansion is actually quite common because it increases the value of compliance into areas beyond security.
The traditional approach involves using experts to manually map controls, assess risks, and develop an implementation plan. This method is labor-intensive and can take months, especially for comprehensive frameworks like NIST 800-53, which contains over 300 controls.
Automating Gap Analysis with Trustero AI Assistant: GRC Questions
Trustero AI Assistant can speed up this process significantly – eliminating up to 80% of the work in a traditional gap analysis. Instead of going control by control and comparing our current and target state, we use the GRC AI Assistant, which is already aware of our current posture. We prepare the new requirements in the form of a questionnaire, not unlike the questionnaires we receive from our customers. Every control is, essentially, a question.
With these questions input into Trustero’s AI-powered questionnaire module, the system instantly evaluates the organization’s readiness and identifies gaps. This enables security and compliance teams to:
- Understand what controls are already in place
- Identify where adjustments are needed
- Highlight major gaps requiring new policies, controls, procedures, engineering efforts, etc.
The Efficiency Gains of AI-Driven Gap Analysis
Using AI, companies can reduce the time needed for gap analysis from months to weeks, or even days. By automating 60-80% of the work, teams can focus on higher-value tasks, such as addressing identified gaps and securing stakeholder buy-in.
A quick and accurate assessment tells stakeholders not only when we could adopt the framework but also how much work will be required, so they can start planning immediately.
A Real-World Example: Common Control Framework that includes SOC 2 / ISO 27001 and adding NIST 800-53
We ran a truncated version of this today. You can see the video on our website. In the example we used, we are assuming a company has a foundational common control framework that was built off of SOC 2 and ISO 27001. They are working to add NIST 800-53. To simplify the example we used only three controls (NIST 800-53 has more than 300); however, the same approach applies to the entire framework:
- CP-9 Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing
- AC-17.2 Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions
- SI-7.3 Employ centrally managed integrity verification tools
Again, for simplicity we used the statements as they appear in the standard. However, one could be more sophisticated and convert them to questions to increase the accuracy:
- Does the organization use a sample of backup information in the restoration of selected system functions as part of contingency plan testing, as required by NIST 800-53 CP-9?
- Does the organization implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions, as required by NIST 800-53 AC-17.2?
- Does the organization employ centrally managed integrity verification tools, as required by NIST 800-53 SI-7.3?
In April ‘25, we will release a new feature that is even better suited for this kind of gap analysis. But, in this case, the GRC Questions tool works great.
Here’s the step-by-step breakdown of what we did, and how you can do it yourself:
Step 1 Find the requirements for the new framework: You can choose individual requirements from a framework or just get all of them. For our example, we were using NIST 800-53, which has over 300 requirements, so we just chose a few. In general, I would recommend using batches of questions (for example, by control domain) if the delta between the current and target state is too big. In our case (baseline of SOC 2 and ISO 27001) I would probably upload the entire PCI DSS but split NIST 800-53. While the system can handle large uploads, interpreting the results could be overwhelming.
Step 2 (optional) Convert those requirements into a question format: The GRC Questions AI will work a bit better if you are asking questions rather than making statements. For example, convert the requirement above to: Does the company implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions, as required by NIST 800-53 control AC-17.2? A quick way to do this is to use the CONCATENATE function in Excel or Sheets to prepend “Does the company” and append “as required by NIST 800-53 control” plus the control ID to the requirement in each row.
Step 3 Load the requirement questions into the Trustero GRC Questions tool: Trustero AI Assistant will answer each question, telling you whether you are currently compliant with the requirement or whether changes are needed. In the example below, the red exclamation mark on SI-7.3 means that the AI Assistant did not find any relevant controls or policies. The grey question mark means that there may be something which could be somewhat related; upon further examination we find that it does not cover the requirements of the control.
In general, the AI Assistant has a conservative bias (by design); therefore, unless the existing control matches the requirement it will be flagged.
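As an added example (not Trustero's code, and not part of the original post), this Python script applies Steps 1 and 2 to the three controls above: it derives the control family from each NIST 800-53 ID so requirements can be batched by domain, rewrites each statement into the question form shown earlier, and renders each batch as CSV for upload. The subject wording “the organization” and the CSV column names are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: the three NIST 800-53 controls used in the post, as they
# might be pasted from the standard (control ID, requirement statement).
SAMPLE_REQUIREMENTS = [
    ("CP-9", "Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing"),
    ("AC-17.2", "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions"),
    ("SI-7.3", "Employ centrally managed integrity verification tools"),
]

FRAMEWORK = "NIST 800-53"


def control_family(control_id: str) -> str:
    """Return the two-letter family (AC, CP, SI, ...) from an 800-53 control ID such as 'AC-17.2'."""
    return control_id.split("-", 1)[0].strip().upper()


def to_question(control_id: str, statement: str, subject: str = "the organization") -> str:
    """Turn a control statement into the question form the post recommends (Step 2)."""
    # The standard's statements open with an imperative verb ("Implement ...");
    # lower-casing the first letter lets it follow "Does the organization".
    body = statement.strip().rstrip(".")
    body = body[0].lower() + body[1:]
    return f"Does {subject} {body}, as required by {FRAMEWORK} {control_id}?"


def batch_by_family(requirements):
    """Group (id, statement) rows by control family so each batch can be uploaded separately (Step 1)."""
    batches = defaultdict(list)
    for control_id, statement in requirements:
        batches[control_family(control_id)].append((control_id, to_question(control_id, statement)))
    return dict(batches)


def batch_to_csv(rows) -> str:
    """Render one batch as a two-column CSV (Control ID, Question); column names are an assumption."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Control ID", "Question"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    for family, rows in sorted(batch_by_family(SAMPLE_REQUIREMENTS).items()):
        print(f"--- batch {family} ---")
        print(batch_to_csv(rows))
```

Each printed batch can be saved as its own file and uploaded separately, which keeps the result set for a large framework readable.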

Available to Everyone: Free and Paid Versions of Trustero
This AI-driven gap analysis is not limited to paid users. Trustero’s free version allows organizations to:
- Upload their policies and controls
- Run up to 1,000 AI-powered GRC questions
- Conduct preliminary gap analysis before committing to full implementation
Trustero paid users can start doing this right away with no prep. Users with free accounts can do it too, but there is an extra step that has to take place first: uploading the relevant content.
Extra Step for Trustero Free Users - Upload controls and policies to Trustero: Trustero free users don’t have their policies and controls in Trustero. So, we will need to load them as Knowledge Base data. Head to the GRC Questions (Trustero > Analyze > GRC Questions) and click Knowledge Base. Then add your current controls and policies in CSV format as Questions and Answers.
For organizations seeking deeper automation and integration, Trustero’s full version includes features like automated evidence collection, detailed compliance roadmaps, and real-time progress tracking. Because policies and controls are already classified in the full version, answers will be faster and more accurate. Additionally, you will be able to use features like the Roadmap and Compliance Dashboard, which are a great aid in analyzing and implementing new frameworks or individual policies and controls.
Final Thoughts
Adopting a new compliance framework no longer has to be a slow, manual, and costly process. With Trustero AI, companies can quickly understand their compliance gaps, get actionable recommendations, and implement necessary changes efficiently. Whether you’re working with SOC 2, PCI DSS, NIST 800-53, or another framework, AI-driven compliance management is the future.
Interested in trying it out? Get started with Trustero’s free version today and experience the power of AI-driven compliance automation firsthand or set up a demo with us at Trustero.com/demo.