# Policy Exception and Exception Management

Backlink: [[Domain 1 - Index]]

**Definition:** Controlled, time-bound approvals to deviate from standards or policies with documented risk acceptance and compensating controls.

## Key Facts

- Requires business justification, risk assessment, owner, and end date.
- Approvals follow governance (risk committee/CISO/owner).
- Compensating controls must meet the intent of the original control; track the remediation plan.
- Monitor and review; escalate if expired or high risk.
- Exceptions inform the roadmap and standard updates.
- **Verify:** check the official (ISC)² CBK and current exam outline.

>[!tip] **Exam Relevance**
>- Decide when to allow exceptions vs. deny
>- Identify necessary documentation and approvals

>[!note] **Mnemonic**
>- “Exception? Expire and Evidence.”

### Example

Q: Legacy cipher needed temporarily. What must you do?

A: Approve exception with compensating controls and expiry.

## Revision Checklist

- [ ] List required exception elements
- [ ] Define approval authorities
- [ ] Describe monitoring/expiry handling
- [ ] Tie to appetite/tolerance

## Related

[[Security Policy Types]] · [[Standards, Guidelines, and Procedures]] · [[Risk Appetite and Tolerance]] · [[Risk Response Strategies]] · [[Security Governance]]

#cisSP #domain-1 #concept