Set Exceptions on Controls
Add, approve, reject, and remove exceptions on compliance controls.
Exceptions exclude a control from your compliance score while documenting the reason for your team and auditors. Unlike setting a control out of scope, which hides the control from reports entirely, an exception leaves the control in reports along with your justification.
For the four exception types and the space-level settings that affect approval, read Customize Compliance.
To exclude a single check within a control while keeping the rest of the control active, see Set Exceptions on Checks.
Set an exception on one control
-
From a space, select Compliance in the side navigation, then select the framework. Scroll to the list of controls.

-
Select the control you want to except.

-
In the top-right corner, select TAKE ACTION > Set Exception.

-
Choose the exception type. For Risk Accepted, also choose a time period.
-
Write a justification. The approver will see it.
-
Select SAVE EXCEPTION.
Set an exception on several controls at once
-
From the framework's controls list, check the boxes beside the controls you want to except. A bar appears at the bottom of the page.

-
In that bar, select SET EXCEPTION.
-
Choose the exception type and time period, then provide one justification that applies to every selected control.
-
Select SAVE EXCEPTION.
Approve or reject an exception
An exception's approval flow depends on your space's exception settings. By default, an exception takes effect when it's created and a different team member approves or rejects it as an audit step. Approving keeps the exception. Rejecting removes it and re-enables the control.
-
From a space, select Compliance in the side navigation, then select the framework.
-
Select the Exceptions tab to see every exception on the framework, then select an exception to open its detail.

-
Select APPROVE to keep the exception or REJECT to remove it.
Re-enable a control
To remove an exception and re-enable its control, open the framework's Exceptions tab, select the exception to open its detail, and choose REJECT. Rejecting an exception removes it and restores the control's score.