Customize Compliance - Overview
Customize how Mondoo assesses your compliance by defining scope and setting exceptions on controls and checks
Because every organization has unique needs, Mondoo lets you customize which controls and checks factor into your compliance score. This keeps your team focused on what matters and ensures your compliance data accurately reflects your audit requirements.
Mondoo offers three ways to customize compliance:
Define scope
If a control isn't part of your compliance audit, you can set it out of scope. Out-of-scope controls are excluded from your compliance score and hidden from generated reports entirely.
Use scope to remove controls that your auditor has confirmed are not applicable to your organization.
Set exceptions on controls
Exceptions on controls let you exclude a control from your compliance score while still documenting the decision for your team and auditors. Compliance controls support the same four exception types as security findings:
- Risk Accepted: Temporarily exclude a control while your team works toward meeting it.
- Workaround: A compensating control is in place that mitigates the need to address this control directly.
- False Positive: The control is inaccurate or doesn't apply to your environment.
- Disable: Permanently exclude a control that doesn't apply to your space.
Unlike scope, exceptions appear in your compliance reports with the justification you provide, giving your auditor visibility into the decision.
Set exceptions on checks
You can also set exceptions on individual checks within a control. This is useful when a control is mostly relevant but a specific check doesn't apply to your environment. Check exceptions support the same four types as control exceptions but apply at a more granular level.
A check exception applies to the entire space. Because checks live in policies, a check exception impacts all compliance frameworks that use that check.
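To make the difference between the three mechanisms concrete, here is an added example (not Mondoo's code or scoring algorithm) that models two constructed frameworks sharing one check; the framework names, control ids, check ids and the scoring rule are all assumptions. It shows that an out-of-scope control vanishes from both score and report, a control exception is removed from the score but stays in the report with its justification, and a check exception set once in the space shows up in every framework that uses that check.

```python
from dataclasses import dataclass, field

# Hypothetical model of the scope/exception semantics described above (not Mondoo's code).
# Assumed scoring: a control scores the fraction of its non-excepted checks that pass;
# a framework scores the mean over its in-scope, non-excepted controls.
CHECK_RESULTS = {  # constructed sample results for one space: check id -> passed?
    "ssh-no-root-login": True, "disk-encryption": False,
    "mfa-enabled": True, "log-retention-90d": False,
}
FRAMEWORKS = {  # constructed: framework -> control -> checks; note the shared check
    "SOC2": {"CC6.1": ["ssh-no-root-login", "mfa-enabled"],
             "CC6.7": ["disk-encryption"], "CC7.2": ["log-retention-90d"]},
    "ISO27001": {"A.8.5": ["mfa-enabled"], "A.8.15": ["log-retention-90d"]},
}

@dataclass
class Customization:
    out_of_scope: set = field(default_factory=set)          # {(framework, control)}
    control_exceptions: dict = field(default_factory=dict)  # (framework, control) -> (type, why)
    check_exceptions: dict = field(default_factory=dict)    # check -> (type, why): space-wide

def score(framework, cust):
    """Return (score or None, report lines) for one framework under a customization."""
    control_scores, report = [], []
    for control, checks in FRAMEWORKS[framework].items():
        key = (framework, control)
        if key in cust.out_of_scope:
            continue  # dropped from the score and hidden from the report entirely
        if key in cust.control_exceptions:
            kind, why = cust.control_exceptions[key]
            report.append(f"{control}: excepted ({kind}) - {why}")
            continue  # dropped from the score but still documented for the auditor
        applicable = []
        for check in checks:
            if check in cust.check_exceptions:  # applies to every framework using the check
                kind, why = cust.check_exceptions[check]
                report.append(f"{control}/{check}: excepted ({kind}) - {why}")
            else:
                applicable.append(check)
        if applicable:
            control_scores.append(sum(CHECK_RESULTS[c] for c in applicable) / len(applicable))
    total = round(sum(control_scores) / len(control_scores), 2) if control_scores else None
    return total, report

# Constructed customization: one out-of-scope control, one control exception, one check exception.
CUSTOM = Customization(
    out_of_scope={("SOC2", "CC6.7")},
    control_exceptions={("SOC2", "CC7.2"): ("Risk Accepted", "remediation planned for Q3")},
    check_exceptions={"log-retention-90d": ("Workaround", "logs shipped to SIEM with 1y retention")},
)
```

Running `score("ISO27001", CUSTOM)` shows the `log-retention-90d` exception in the ISO27001 report even though it was never set from that framework, which is the space-wide effect the paragraph above warns about.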
Choosing the right approach
| Goal | Approach |
|---|---|
| Hide a control from your auditor entirely | Set out of scope |
| Exclude a control but show justification in reports | Set an exception on the control |
| Exclude a specific check but keep the rest of the control | Set an exception on the check |
| Defer work on a control to a later date | Accept the risk with a time period |
For details on how individual findings contribute to risk and how scoring works underneath compliance frameworks, read How Mondoo Prioritizes Security Findings.