# Vulnerability Exceptions and Risk Acceptance Process

One-sentence definition: Formal, time-bound approvals to deviate from patch/config SLAs with compensating controls.

## Key Facts

- Document business reason, risk rating, compensating controls, owner, end date.
- Require senior approval; auto-expire; track in register; re-review.
- Add monitoring (WAF, segmentation, EDR rules) until fix available.
- Evidence of periodic review for audit; tie to backlog.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Pick exceptions only with controls and end dates—not indefinite waivers.

**Mnemonic:** “**Accept** with **expiry**.”

## Mini Scenario

Q: Legacy app cannot patch—how to proceed?

A: Exception + isolation + WAF rule; schedule replacement.

## Revision Checklist

- 4 fields of exception record.
- Two compensating controls.
- Review cadence.

## Related

[[Patch and Vulnerability Remediation Operations]] · [[Configuration Management and Drift Control]] · [[Risk-Based Prioritization (CVSS EPSS Business Impact)]] · [[Reporting and Executive Summaries]] · [[Domain 7 - Index]]