Title: Security Exceptions Register Template
Document ID: [REG-EXCEPTION-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Security Exceptions Register Template

## Purpose

This template provides the structure for recording and tracking approved security exceptions and their review status.

## Scope

This register applies to approved deviations from ISMS policies, standards, procedures, and mandatory security controls.

## Data Fields / Expected Columns

The register should record at least:

- exception ID
- date raised
- requesting owner
- affected requirement
- affected asset, service, or process
- business justification
- risk summary
- compensating controls
- approver
- approval date
- expiry date
- status
- review date
- linked risk or action

## Ownership

This register should be owned by [Role]. Exception owners are responsible for maintaining current status and closing exceptions when no longer needed.

## Update Frequency

The register should be updated when exceptions are requested, approved, rejected, renewed, reviewed, or closed.

## Retention

Current and historical exception records should be retained for auditability and risk traceability in line with retention requirements.

## Template Table

| Exception ID | Date Raised | Requesting Owner | Affected Requirement | Affected Asset / Service | Business Justification | Risk Summary | Compensating Controls | Approver | Approval Date | Expiry Date | Status | Review Date | Linked Risk / Action |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| [E-001] | [DD Month YYYY] | [Role] | [Policy / standard / control] | [Asset / service] | [Reason] | [Summary] | [Controls] | [Role] | [DD Month YYYY] | [DD Month YYYY] | [Requested / Approved / Rejected / Closed] | [DD Month YYYY] | [Risk / corrective action] |

## Related Documents

- Exception Management Procedure
- Risk Assessment Procedure
- Information Security Policy
- Risk Register Template