ComplianceCustomize Compliance

Set Exceptions on Controls

Add, approve, reject, and remove exceptions on compliance controls.

Exceptions exclude a control from your compliance score while documenting the reason for your team and auditors. Unlike setting a control out of scope, which hides the control from reports entirely, an exception leaves the control in reports along with your justification.

For the four exception types and the space-level settings that affect approval, read Customize Compliance.

To exclude a single check within a control while keeping the rest of the control active, see Set Exceptions on Checks.

Set an exception on one control

Only team members with Editor or Owner access can perform this task.
  1. From a space, select Compliance in the side navigation, then select the framework. Scroll to the list of controls.

    Compliance framework in the Mondoo App

  2. Select the control you want to except.

    Control in the Mondoo App

  3. In the top-right corner, select TAKE ACTION > Set Exception.

    Set an exception on a compliance control

  4. Choose the exception type. For Risk Accepted, also choose a time period.

  5. Write a justification. The approver will see it.

  6. Select SAVE EXCEPTION.

Set an exception on several controls at once

Only team members with Editor or Owner access can perform this task.
  1. From the framework's controls list, check the boxes beside the controls you want to except. A bar appears at the bottom of the page.

    Select multiple controls

  2. In that bar, select SET EXCEPTION.

  3. Choose the exception type and time period, then provide one justification that applies to every selected control.

  4. Select SAVE EXCEPTION.

Approve or reject an exception

An exception's approval flow depends on your space's exception settings. By default, an exception takes effect when it's created and a different team member approves or rejects it as an audit step. Approving keeps the exception. Rejecting removes it and re-enables the control.

Only team members with Editor or Owner access can perform this task.
  1. From a space, select Compliance in the side navigation, then select the framework.

  2. Select the Exceptions tab to see every exception on the framework, then select an exception to open its detail.

    Approve or reject an exception on a compliance control

  3. Select APPROVE to keep the exception or REJECT to remove it.

Re-enable a control

To remove an exception and re-enable its control, open the framework's Exceptions tab, select the exception to open its detail, and choose REJECT. Rejecting an exception removes it and restores the control's score.

On this page