The IT gap analysis document should also detail the current information security procedures in place. Threats should be identified along with the controls in place to tackle them.