Set Exceptions on Controls
Set exceptions on controls in a compliance framework and provide justification for your team and auditors.
Exceptions let you exclude controls from your compliance score while documenting the reason for your team and auditors. Unlike setting a control out of scope (which hides it from reports entirely), exceptions remain visible in compliance reports along with your justification.
There are two types of exceptions:
- Risk acceptance: Temporarily exclude a control for a set time period. Use this when you intend to comply with a control eventually but don't want it affecting your score right now.
- Disable: Permanently exclude a control from your compliance score. A disabled control remains excluded unless you re-enable it.
You can also set exceptions on individual checks within a control for more granular customization. To learn more, read Set Exceptions on Checks.
Set an exception on a control
Note: Only team members with Editor or Owner access can perform this task.
- In the Mondoo Console, navigate to the space you want to customize.
- In the side navigation bar, select Compliance.
- Select the framework you want to customize and scroll down to the list of controls.
- Select the control you want to set an exception for.
- In the top-right corner, select the SET EXCEPTION button.
- Select the exception type: disable the control or accept the risk. If you accept the risk, choose a time period for the exception.
- Write a justification for the exception.
- Select the SAVE EXCEPTION button.
Set exceptions on multiple controls at once
Note: Only team members with Editor or Owner access can perform this task.
- In the Mondoo Console, navigate to the space you want to customize.
- In the side navigation bar, select Compliance.
- Select the framework you want to customize and scroll down to the list of controls.
- Check the boxes to the left of the controls you want to set exceptions on.
- Select the SET EXCEPTION button.
- Select the exception type and time period, then provide a justification. The approver will use this justification when reviewing the exception.
- Select the SAVE EXCEPTION button.
Approve or reject an exception
Exceptions take effect immediately. However, as an extra tracking step, a team member can approve or reject an exception:
- Approve: The exception remains in place.
- Reject: The exception is removed and the control is re-enabled.
Note: Only team members with Editor or Owner access can perform this task.
- In the Mondoo Console, navigate to the space you want to work in.
- In the side navigation bar, select Compliance.
- Select the framework you want to work in and scroll down to the list of controls.
- Select the control with an exception you want to approve or reject.
- Select the Reject button to remove the exception, or select the Approve button to keep it.
Re-enable a control
Note: Only team members with Editor or Owner access can perform this task.
- In the Mondoo Console, navigate to the space you want to work in.
- In the side navigation bar, select Compliance.
- Select the framework you want to work in and scroll down to the list of controls.
- Select the control you want to re-enable, then select Remove Exception and Enable.
