Set Exceptions on Controls
Set exceptions on controls in a compliance framework and provide justification for your team and auditors
Exceptions let you exclude controls from your compliance score while documenting the reason for your team and auditors. Unlike setting a control out of scope (which hides it from reports entirely), exceptions remain visible in compliance reports along with your justification.
Compliance controls support the same four exception types as security findings:
- Risk Accepted: You're aware of the risk and plan to address the control at a later date. The control no longer impacts the compliance score.
- Workaround: A compensating control is in place that mitigates the need to address the control directly. The control no longer impacts the compliance score.
- False Positive: The control is inaccurate or doesn't apply to your environment. The control no longer impacts the compliance score.
- Disable: Permanently exclude the control. Use when you want to avoid the stability or performance impact of evaluating it.
You can also set exceptions on individual checks within a control for more granular customization. To learn more, read Set Exceptions on Checks.
Set an exception on a control
Note: Only team members with Editor or Owner access can perform this task.
1. In the Mondoo Console, navigate to the space you want to customize.
2. In the side navigation bar, select Compliance.
3. Select the framework you want to customize and scroll down to the list of controls.
4. Select the control you want to set an exception for.
5. In the top-right corner, select the SET EXCEPTION button.
6. Select the exception type (Risk Accepted, Workaround, False Positive, or Disable). For Risk Accepted, choose a time period for the exception.
7. Write a justification for the exception.
8. Select the SAVE EXCEPTION button.
Set exceptions on multiple controls at once
Note: Only team members with Editor or Owner access can perform this task.
1. In the Mondoo Console, navigate to the space you want to customize.
2. In the side navigation bar, select Compliance.
3. Select the framework you want to customize and scroll down to the list of controls.
4. Check the boxes to the left of the controls you want to set exceptions on.
5. Select the SET EXCEPTION button.
6. Select the exception type and time period, then provide a single justification that applies to all selected controls. The approver will use this justification when reviewing the exception.
7. Select the SAVE EXCEPTION button.
Approve or reject an exception
Exceptions take effect immediately. However, as an extra tracking step, a team member can approve or reject an exception:
- Approve: The exception remains in place.
- Reject: The exception is removed and the control is re-enabled.
Note: Only team members with Editor or Owner access can perform this task.
1. In the Mondoo Console, navigate to the space you want to work in.
2. In the side navigation bar, select Compliance.
3. Select the framework you want to work in and scroll down to the list of controls.
4. Select the control with an exception you want to approve or reject.
5. Select the Reject button to remove the exception, or select the Approve button to keep it.
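The scoring and lifecycle rules described on this page (an exception removes a control from the score but keeps it visible with its justification, out-of-scope controls are hidden entirely, Risk Accepted exceptions carry a time period, Reject removes the exception and re-enables the control) can be made concrete with a small model. The following is an added example written for this page; it is not Mondoo's code or API, and every class and function name in it is hypothetical. Only the behaviour it encodes follows the text above.

```python
"""Toy model of how control exceptions affect a compliance score.

Added illustration, not Mondoo's code. Names (Control, ControlException,
set_exception, compliance_score, report_rows) are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# The four exception types listed on this page. Only Risk Accepted
# carries a time period; the other three stay until removed.
EXCEPTION_TYPES = ("Risk Accepted", "Workaround", "False Positive", "Disable")


@dataclass
class ControlException:
    kind: str
    justification: str
    expires_on: Optional[date] = None  # set only for Risk Accepted
    status: str = "pending"            # approval is a tracking step only

    def active(self, today: date) -> bool:
        """Exceptions take effect immediately; a Risk Accepted exception
        stops applying once its time period has passed."""
        return self.expires_on is None or today <= self.expires_on


@dataclass
class Control:
    control_id: str
    passing: bool
    in_scope: bool = True
    exception: Optional[ControlException] = None


def set_exception(control: Control, kind: str, justification: str,
                  today: date, days: Optional[int] = None) -> ControlException:
    """Attach an exception; a justification is always required."""
    if kind not in EXCEPTION_TYPES:
        raise ValueError(f"unknown exception type: {kind}")
    if not justification.strip():
        raise ValueError("a justification is required")
    expires = None
    if kind == "Risk Accepted":
        if days is None:
            raise ValueError("Risk Accepted needs a time period")
        expires = today + timedelta(days=days)
    control.exception = ControlException(kind, justification, expires)
    return control.exception


def approve(control: Control) -> None:
    """Approve keeps the exception in place; only its tracking status changes."""
    if control.exception is not None:
        control.exception.status = "approved"


def reject(control: Control) -> None:
    """Reject removes the exception, so the control is scored again."""
    control.exception = None


def compliance_score(controls: List[Control], today: date) -> float:
    """Percentage of scored controls that pass. Out-of-scope controls and
    controls with an active exception are excluded from the denominator."""
    scored = [c for c in controls
              if c.in_scope and not (c.exception and c.exception.active(today))]
    if not scored:
        return 100.0
    return 100.0 * sum(1 for c in scored if c.passing) / len(scored)


def report_rows(controls: List[Control], today: date) -> List[Tuple[str, str, str, str]]:
    """Excepted controls stay in the report with type and justification;
    out-of-scope controls are hidden from it entirely."""
    rows = []
    for c in controls:
        if not c.in_scope:
            continue
        if c.exception and c.exception.active(today):
            rows.append((c.control_id, "excepted", c.exception.kind, c.exception.justification))
        else:
            rows.append((c.control_id, "pass" if c.passing else "fail", "", ""))
    return rows


def scenario(today: date = date(2024, 1, 1)) -> dict:
    """Walk a constructed framework of four controls through the lifecycle."""
    controls = [
        Control("1.1", passing=True),
        Control("1.2", passing=False),
        Control("1.3", passing=False),
        Control("1.4", passing=False, in_scope=False),  # hidden from reports
    ]
    out = {"before": compliance_score(controls, today)}           # 1 of 3 pass
    set_exception(controls[1], "Risk Accepted", "Fix planned for Q3", today, days=90)
    set_exception(controls[2], "Workaround", "Compensating network ACL in place", today)
    out["rows"] = report_rows(controls, today)
    out["after"] = compliance_score(controls, today)              # only 1.1 scored
    approve(controls[1])
    out["after_approve"] = compliance_score(controls, today)      # unchanged
    out["expired"] = compliance_score(controls, today + timedelta(days=91))  # 1.2 back
    reject(controls[2])
    out["after_reject"] = compliance_score(controls, today)       # 1.3 back
    out["rejected_cleared"] = controls[2].exception is None
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

Running `scenario()` shows the score move from roughly 33% to 100% once both failing controls carry exceptions, drop to 50% after the Risk Accepted period lapses, and drop to 50% again at the original date once the Workaround exception is rejected, while the out-of-scope control never appears in the report rows.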
Re-enable a control
Note: Only team members with Editor or Owner access can perform this task.
1. In the Mondoo Console, navigate to the space you want to work in.
2. In the side navigation bar, select Compliance.
3. Select the framework you want to work in and scroll down to the list of controls.
4. Select the control you want to re-enable, then select Remove Exception and Enable.