ISMS/03-procedures/exception-management-procedure.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00

Title: Exception Management Procedure
Document ID: [PROC-EXCEPTION-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

Exception Management Procedure

Purpose

This procedure defines how BlackDice should request, assess, approve, record, review, and close exceptions to required security controls.

Scope

This procedure applies to proposed deviations from approved policies, standards, procedures, or mandatory security requirements within the ISMS scope.

Trigger / When Used

Use this procedure when:

  • a control requirement cannot be met
  • a temporary deviation is needed for operational or technical reasons
  • a compensating control is proposed in place of the standard requirement

Procedure Steps

  1. Submit an exception request describing the requirement affected, rationale, affected assets or services, duration, and proposed compensating controls.
  2. Confirm the request is complete and identify the relevant owner, approver, and impacted stakeholders.
  3. Assess the security, operational, customer, compliance, and resilience risk associated with the exception.
  4. Determine whether the exception can be accepted, requires additional controls, or should be rejected.
  5. Record the decision, approval, conditions, expiry date, and review date.
  6. Implement any required compensating controls or follow-up actions.
  7. Review open exceptions at defined intervals or when conditions change.
  8. Close the exception when the underlying issue is remediated or the exception expires without renewal.

Inputs

  • exception request
  • affected control requirement
  • risk assessment information
  • proposed compensating controls

Outputs / Records

  • exception decision record
  • approved conditions and expiry date
  • linked risk or remediation actions
  • closure record

Roles and Responsibilities

  • Requesters must provide accurate justification and proposed mitigation.
  • [Role] must coordinate exception review and record management.
  • Approvers must evaluate risk and determine whether the exception is acceptable.
  • Control owners must implement agreed compensating controls.

Escalation / Exceptions

Escalate where:

  • the exception affects production, customer, or regulated data handling
  • no compensating control is available
  • the exception becomes long-term or repeatedly renewed
  • disagreement exists over residual risk

This procedure is itself the mechanism for handling exceptions; no separate exception to this procedure is defined, other than documented emergency handling.

Related Documents

  • Information Security Policy
  • Risk Assessment and Treatment Methodology
  • Risk Assessment Procedure
  • Security Exceptions Register Template

Version Control

| Version | Date | Description of Change | Author |
|---|---|---|---|
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |