# Policy Exception Management

One-sentence definition: Formal process to approve time-bound deviations from policy with compensating controls and documented risk acceptance.

## Key Facts

- Requires business justification, risk analysis, owner approval.
- Includes compensating controls and expiration/review dates.
- Track in register; report exceptions to governance.
- Reassess after changes/incidents; aim to remediate root cause.
- Prevents shadow IT and undocumented risk-taking.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose compliant path when teams can't meet a standard.

**Mnemonic:** "**AIM**" → Approve, Implement compensations, Monitor.

## Mini Scenario

Q: Legacy app needs weak cipher—what's compliant approach?

A: File exception with compensating controls and end date.

## Revision Checklist

- Name 4 required fields in an exception.
- Define compensating control.
- State reporting cadence.

## Related

[[Security Policy Hierarchy]] · [[Risk Response Strategies]] · [[Security Control Baselines and Tailoring]] · [[Risk Register and Reporting]] · [[Compliance and Regulatory Concepts]] · [[Domain 1 - Index]]