GRC-04: Policy Exception Process

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set and incorporates the following item from the previous version: GRM-01: Baseline Requirements.

Control Statement

Establish and follow an approved exception process as mandated by the governance program whenever a deviation from an established policy occurs.

Implementation Guidance

The exception process should be defined and approved by the management team and communicated across the organization to promote adherence. Integrate exemptions with the information security risk management process, and review organizational risks whenever a deviation from an established policy occurs.

Auditing Guidance

  1. Examine the policy and/or procedures to determine if the policy exception process has been established.
  2. Identify and confirm that exceptions to policies are tracked, authorised, and evidenced.
  3. Confirm a review of policy exceptions takes place on a periodic basis by appropriate management.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.