Calculator Inputs
Enter your control counts, coverage percentages, and weighting assumptions. Results appear above this form after submission.
Formula Used
| Metric | Formula | Meaning |
|---|---|---|
| Applicable Controls | Total Controls − Not Applicable | Removes controls outside scope. |
| Weighted Achieved Controls | Fully Compliant + (Partially Compliant × Partial Credit Weight) | Gives partial completion a controlled value. |
| Control Score | (Weighted Achieved Controls ÷ Applicable Controls) × 100 | Shows current weighted control completion. |
| Composite Readiness | (Control Score × Controls Weight + Policy Coverage × Policy Weight + Technical Coverage × Technical Weight + Evidence Quality × Evidence Weight) ÷ 100 | Combines operational and documentation readiness into one percentage. |
| Critical Coverage | (Critical Compliant ÷ Critical Controls) × 100 | Measures performance on high-impact controls. |
| Risk Load | ((High × 3) + (Medium × 2) + (Low × 1)) ÷ (Applicable Controls × 3) × 100 | Normalizes open finding pressure on a 0–100 scale. |
| Priority Index | (Overall Gap × 0.35) + (Critical Gap × 0.30) + (Risk Load × 0.20) + (Exposure Rate × 0.15) | Highlights remediation urgency using readiness, criticality, and backlog pressure. |
How to Use This Calculator
- Choose the framework and enter the business unit or audit scope.
- Enter total controls and split them into fully compliant, partially compliant, non-compliant, and not applicable groups.
- Add critical control counts to show priority coverage for high-impact safeguards.
- Enter policy coverage, technical coverage, and evidence quality percentages.
- Set your target compliance level and adjust the weighting percentages if needed.
- Add open high, medium, and low findings to reflect remediation backlog pressure.
- Click Analyze Compliance Gap to see the result above the form, the comparison graph, and remediation guidance.
- Use the CSV and PDF buttons to export your assessment summary.
Example Data Table
This sample shows how a cybersecurity team might summarize domain-level readiness before completing the calculator.
| Control Domain | Required Controls | Fully Compliant | Partially Compliant | Non-Compliant | Coverage % |
|---|---|---|---|---|---|
| Access Control | 18 | 12 | 4 | 2 | 77.78% |
| Asset Management | 12 | 9 | 2 | 1 | 83.33% |
| Vulnerability Management | 16 | 8 | 5 | 3 | 65.63% |
| Logging and Monitoring | 14 | 10 | 3 | 1 | 82.14% |
| Incident Response | 10 | 6 | 2 | 2 | 70.00% |
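
The formulas above, applied to the sample table, as an added Python example that is not the calculator's own code. It reproduces the Coverage % column when the partial credit weight is 0.50 and enforces the bucket-total check. The names, the cap on Risk Load, and the rule that weights sum to 100 are assumptions. Exposure Rate is passed in as an input because the page does not define it.

```python
from dataclasses import dataclass

@dataclass
class Controls:
    total: int
    full: int
    partial: int
    non_compliant: int
    not_applicable: int = 0

    @property
    def applicable(self) -> int:
        # Every control must sit in exactly one status bucket.
        buckets = self.full + self.partial + self.non_compliant + self.not_applicable
        if buckets != self.total:
            raise ValueError(f"status buckets sum to {buckets}, expected {self.total}")
        if self.total - self.not_applicable <= 0:
            raise ValueError("no applicable controls in scope")
        return self.total - self.not_applicable

def control_score(c: Controls, partial_weight: float = 0.5) -> float:
    return (c.full + c.partial * partial_weight) / c.applicable * 100

def composite_readiness(scores: dict, weights: dict) -> float:
    # Assumption: weights are percentages summing to 100 (implied by the division by 100).
    if sum(weights.values()) != 100:
        raise ValueError("weights must sum to 100")
    return sum(scores[k] * weights[k] for k in weights) / 100

def risk_load(high: int, medium: int, low: int, applicable: int) -> float:
    raw = (high * 3 + medium * 2 + low) / (applicable * 3) * 100
    # Assumption: cap at 100 so a backlog larger than the control set stays on the 0-100 scale.
    return min(raw, 100.0)

def priority_index(overall_gap: float, critical_gap: float, risk: float, exposure_rate: float) -> float:
    return overall_gap * 0.35 + critical_gap * 0.30 + risk * 0.20 + exposure_rate * 0.15

# Rows from the example data table: (required, fully, partially, non-compliant).
SAMPLE = {
    "Access Control": Controls(18, 12, 4, 2),
    "Asset Management": Controls(12, 9, 2, 1),
    "Vulnerability Management": Controls(16, 8, 5, 3),
    "Logging and Monitoring": Controls(14, 10, 3, 1),
    "Incident Response": Controls(10, 6, 2, 2),
}

def domain_coverage(partial_weight: float = 0.5) -> dict:
    return {name: control_score(c, partial_weight) for name, c in SAMPLE.items()}

if __name__ == "__main__":
    for name, pct in domain_coverage().items():
        print(f"{name:26s}{pct:8.3f}%")
```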
Frequently Asked Questions
1) What does partial credit weight mean?
It assigns a fractional value to partially compliant controls. A value of 0.50 means each partial control counts as half complete in the weighted control score.
2) Why separate critical controls from all controls?
Some controls protect the highest-risk assets or audit requirements. Tracking them separately helps you focus on the issues with the greatest security and compliance impact.
3) Can this calculator work for ISO, NIST, PCI, or SOC reviews?
Yes. The model is framework-agnostic. You can use it for any structured control set where control status, evidence quality, and remediation backlog matter.
4) What should I enter for evidence quality?
Use a percentage that reflects proof strength, traceability, recency, and completeness. Higher values mean auditors can verify the control with less uncertainty.
5) Why must the category totals equal total controls?
Every control should fall into one status bucket. Matching totals prevents double counting and keeps the gap score mathematically consistent.
6) What is the difference between target gap and overall gap?
Overall gap shows distance from perfect readiness. Target gap shows distance from your chosen goal, which can be lower than 100%.
7) How often should I run a gap analysis?
Run it after major control changes, before external audits, after incidents, and on a regular review cycle such as monthly or quarterly.
8) Does a high priority index always mean audit failure?
No. It signals urgency, not certain failure. A high score simply means your current gaps, critical weaknesses, or finding backlog deserve faster remediation.