GOV-013 Policy Exception Management
Description
A defined process exists for requesting, approving, and tracking exceptions to information security policies. Exceptions are time-bounded, document the risk accepted, require named approver authorization, and are reviewed periodically. Expired exceptions must be renewed or remediated.
Rationale
Without a controlled exception process, policy deviations occur informally and invisibly, creating unacknowledged risk. A formal process makes exceptions visible, time-limited, and attributable.
Framework Mappings (3)
| Reference | Control | Coverage |
|---|---|---|
| GRC-04 | Policy Exception Process | full |
| 5.1 | Policies for information security | partial |
| PM-9 | Risk Management Strategy | partial |
Evidence (2)
Policy exception management procedure defining the request, approval, time-bounding, and periodic review process for policy deviations.
Example: Policy Exception Management Procedure (Confluence / ISMS document), describing: how to submit an exception request, required approval authority by risk level, maximum exception duration, and the review/renewal process.
Test: Request the policy exception management procedure. Verify: (1) a defined submission process is described, (2) approval authority tiers are documented, (3) maximum exception duration is stated (typically 12 months), (4) a periodic review requirement is included, (5) the procedure has an approval date within the last 12 months.
Exception register showing all active and expired policy exceptions with approver, duration, risk acceptance rationale, and review dates.
Example: Policy Exception Register (GRC platform / spreadsheet), with columns for: exception ID, policy deviated from, business justification, risk accepted, named approver, approval date, expiry date, and current status (active/expired/renewed/remediated).
Test: Request the policy exception register. Verify: (1) every active exception has a named approver and an approval that has not expired, (2) a risk acceptance rationale is documented for each exception, (3) no exception is past its expiry date without a renewal or remediation record, (4) the register was reviewed within the defined interval.
Questions (2)
Does your organization have a formal process for requesting, approving, and tracking exceptions to information security policies?
The process should require a business justification, named approver, risk acceptance rationale, and a defined maximum exception duration.
How are active policy exceptions tracked and managed?
An exception register should show that no exceptions are past their expiry date without renewal or remediation, and that each carries a named approver.