Set Exceptions on Controls

Exceptions let you customize how Mondoo evaluates your compliance with a framework and communicate the reasons for that customization.

Exceptions tell Mondoo to exclude certain controls when calculating your progress toward full compliance. There are two types of exceptions for controls:

  • Risk Acceptance: Temporarily exclude control results from your overall compliance progress percentage. Risk acceptance is useful when you intend to comply with a control eventually but don't want it distracting your team right now. You can write a note justifying the delay to your team and your auditor.

  • Disable: Permanently exclude a control from your compliance score and explain this exclusion to your team. A control remains disabled unless you re-enable it.

tip

To exclude a control entirely from the compliance report to your auditor, set it out of scope.

tip

You can also set exceptions on individual checks within a control. To learn more, read Set Exceptions on Checks.

Set exceptions on a control

note

Only team members with Editor or Owner access can perform this task.

  1. In the Mondoo Console, navigate to the space you want to customize.

  2. In the side navigation bar, select Compliance.

  3. Select the framework you want to customize and scroll down to the list of controls.

  4. Select the control you want to set an exception for. Mondoo displays a page with control details.

  5. In the top-right corner, select the SET EXCEPTION button.

  6. Select the exception type.

    Select to either disable the control or accept the risk. When you accept the risk, you can choose to skip the control for a specific time period.

  7. Write a justification for the exception.

  8. Select the SAVE EXCEPTION button.

Setting multiple exceptions on controls at once

note

Only team members with Editor or Owner access can perform this task.

  1. In the Mondoo Console, navigate to the space you want to customize.

  2. In the side navigation bar, select Compliance.

  3. Select the framework you want to customize and scroll down to the list of controls.

  4. Check the boxes to the left of the controls you want to snooze or disable.

  5. Select the SET EXCEPTION button.

  6. Select the exception type.

    Select to either disable the control or accept the risk. When you accept the risk, you can choose to skip the control for a specific time period.

  7. Write a justification for the exception.

  8. Select the SAVE EXCEPTION button.

Approve or reject an exception

Exceptions take effect the moment they're added. However, as an extra tracking step, a team member can approve or reject an exception:

  • Approving an exception allows it to remain.

  • Rejecting an exception removes it and re-enables the control.

note

Only team members with Editor or Owner access can perform this task.

To approve or reject an exception:

  1. In the Mondoo Console, navigate to the space you want to work in.

  2. In the side navigation bar, select Compliance.

  3. Select the framework you want to work in and scroll down to the list of controls.

  4. Select the control with an exception you want to approve or reject.

  5. Select the Reject button to remove the exception, or select the Approve button to keep the exception with your approval.

Re-enable a control

note

Only team members with Editor or Owner access can perform this task.

  1. In the Mondoo Console, navigate to the space you want to work in.

  2. In the side navigation bar, select Compliance.

  3. Select the framework you want to work in and scroll down to the list of controls.

  4. Select the control you wish to enable and select Remove Exception and Enable.
