Title: Security Exceptions Register Template
Document ID: [REG-EXCEPTION-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]
Security Exceptions Register Template
Purpose
This template provides the structure for recording and tracking approved security exceptions, including their compensating controls, expiry dates, and review status.
Scope
This register applies to approved deviations from ISMS policies, standards, procedures, and mandatory security controls.
Data Fields / Expected Columns
The register should record at least:
- exception ID
- date raised
- requesting owner
- affected requirement
- affected asset, service, or process
- business justification
- risk summary
- compensating controls
- approver
- approval date
- expiry date
- status
- review date
- linked risk or action
Ownership
This register should be owned by [Role]. Exception owners are responsible for maintaining current status, ensuring each exception is reviewed or renewed before its expiry date, and closing exceptions when they are no longer needed.
Update Frequency
The register should be updated when exceptions are requested, approved, rejected, renewed, reviewed, or closed.
Retention
Current and historical exception records should be retained for auditability and risk traceability in line with retention requirements.
Template Table
| Exception ID | Date Raised | Requesting Owner | Affected Requirement | Affected Asset / Service | Business Justification | Risk Summary | Compensating Controls | Approver | Approval Date | Expiry Date | Status | Review Date | Linked Risk / Action |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| [E-001] | [DD Month YYYY] | [Role] | [Policy / standard / control] | [Asset / service] | [Reason] | [Summary] | [Controls] | [Role] | [DD Month YYYY] | [DD Month YYYY] | [Requested / Approved / Rejected / Closed] | [DD Month YYYY] | [Risk / corrective action] |
Related Documents
- Exception Management Procedure
- Risk Assessment Procedure
- Information Security Policy
- Risk Register Template