Set Exceptions on Controls

Add, approve, reject, and remove exceptions on compliance controls.

Exceptions exclude a control from your compliance score while documenting the reason for your team and auditors. Unlike setting a control out of scope, which hides the control from reports entirely, an exception leaves the control in reports along with your justification.

For the four exception types and the space-level settings that affect approval, read Customize Compliance.

To exclude a single check within a control while keeping the rest of the control active, see Set Exceptions on Checks.

Set an exception on one control

Only team members with Editor or Owner access can perform this task.
  1. From a space, select Compliance in the side navigation, then select the framework. Scroll to the list of controls.

  2. Select the control you want to except.

  3. In the top-right corner, select SET EXCEPTION.

  4. Choose the exception type. For Risk Accepted, also choose a time period.

  5. Write a justification. The approver will see it.

  6. Select SAVE EXCEPTION.

Set an exception on several controls at once

Only team members with Editor or Owner access can perform this task.
  1. From the framework's controls list, check the boxes beside the controls you want to except.

  2. Select SET EXCEPTION.

  3. Choose the exception type and time period, then provide one justification that applies to every selected control.

  4. Select SAVE EXCEPTION.

Approve or reject an exception

An exception's approval flow depends on your space's exception settings. By default, an exception takes effect when it's created and a different team member approves or rejects it as an audit step. Approving keeps the exception. Rejecting removes it and re-enables the control.

Only team members with Editor or Owner access can perform this task.
  1. From the framework's controls list, select the control with the exception you want to review.

  2. Select Approve to keep the exception or Reject to remove it.

Re-enable a control

Only team members with Editor or Owner access can perform this task.
  1. From the framework's controls list, select the control with an exception.

  2. Select Remove Exception and Enable.
