ELI5: What is an Exception Process?
Sometimes a student needs a special pass to leave class early for a doctor’s appointment. An exception process is the official way to ask for permission to skip a security rule, with a good reason and a plan to get back on track.
Definition
An exception process is a formal, documented mechanism that allows individuals or business units to request approval for a temporary or permanent deviation from an established security policy when full compliance is technically infeasible or would cause unacceptable business disruption. Each exception must be formally requested, risk-assessed, approved by a designated approval authority (typically the CISO or security committee), documented, and time-limited with a remediation plan.
Key Details
- Every exception should include: business justification, compensating controls, risk assessment, approval authority, and expiration date
- Compensating controls must reduce risk to an acceptable level when the primary control cannot be implemented
- Exceptions without expiration dates become permanent deviations that create technical debt and compliance risk
- The exception register tracks all approved exceptions and feeds into the risk register
- Exam tip: exceptions must be approved, documented, and time-limited — an informal “we’ll deal with it later” is not an exception process
Connections
- Parent: security-policies — exception management is a required component of any mature policy framework
- See also: policy-lifecycle
- See also: residual-risk