Initial commit
63
04-registers/security-exceptions-register-template.md
Normal file
@@ -0,0 +1,63 @@
Title: Security Exceptions Register Template
Document ID: [REG-EXCEPTION-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]
# Security Exceptions Register Template
## Purpose
This template provides the structure for recording and tracking approved security exceptions and their review status.
## Scope
This register applies to approved deviations from ISMS policies, standards, procedures, and mandatory security controls.
## Data Fields / Expected Columns
The register should record at least:
- exception ID
- date raised
- requesting owner
- affected requirement
- affected asset, service, or process
- business justification
- risk summary
- compensating controls
- approver
- approval date
- expiry date
- status
- review date
- linked risk or action
## Ownership
This register should be owned by [Role]. Exception owners are responsible for maintaining current status and closing exceptions when no longer needed.
## Update Frequency
The register should be updated when exceptions are requested, approved, rejected, renewed, reviewed, or closed.
## Retention
Current and historical exception records should be retained for auditability and risk traceability in line with retention requirements.
## Template Table
| Exception ID | Date Raised | Requesting Owner | Affected Requirement | Affected Asset / Service | Business Justification | Risk Summary | Compensating Controls | Approver | Approval Date | Expiry Date | Status | Review Date | Linked Risk / Action |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| [E-001] | [DD Month YYYY] | [Role] | [Policy / standard / control] | [Asset / service] | [Reason] | [Summary] | [Controls] | [Role] | [DD Month YYYY] | [DD Month YYYY] | [Requested / Approved / Rejected / Closed] | [DD Month YYYY] | [Risk / corrective action] |
## Related Documents
- Exception Management Procedure
- Risk Assessment Procedure
- Information Security Policy
- Risk Register Template
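Review bot: the Status values offered in the template row ("[Requested / Approved / Rejected / Closed]") have no state for an exception that has passed its Expiry Date without renewal, even though the Update Frequency section says the register is updated on renewal and review; add "Expired" (and a "Renewed" state or a renewal date) so an exception that outlives its approval is visible in the register instead of still reading "Approved". The Ownership section also leaves the register owner as "[Role]" while the document header names the CISO as Owner; align the two so the template does not ship with a conflicting placeholder.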