Customize Compliance
Tailor Mondoo's compliance assessment to your audit by setting scope, defining exceptions, and adjusting the approval workflow.
Every audit is different. Mondoo lets you customize which controls and checks factor into your compliance score, so the data you show your auditor reflects what you've actually agreed to be assessed on.
You have three levers:
| Lever | What it does | When to use it |
|---|---|---|
| Define scope | Removes a control from your score and from generated reports. | Your auditor has confirmed a control is not applicable to your organization. |
| Exception on a control | Removes a control from your score but keeps it in reports with your justification. | You want auditor visibility into why a control is excluded. |
| Exception on a check | Excludes a single check while the rest of the control stays active. | Most of a control applies, but one specific check doesn't. |
The four exception types
Both control and check exceptions use the same four types as security findings:
| Exception type | What happens | When to use it |
|---|---|---|
| Risk Accepted | Control or check is excluded from the score | You know about the gap and plan to fix it later. Give the exception an expiration date so the gap is revisited rather than forgotten. |
| Workaround | Control or check is excluded from the score | A compensating control is in place that mitigates the need to address this directly. |
| False Positive | Control or check is excluded from the score | The finding is inaccurate or doesn't apply to your environment. |
| Disable | Control or check is excluded permanently | The control or check is causing stability or performance impact and you want to skip it. |
Space-level exception settings
Each space has three settings that shape how exceptions behave. The defaults favor fast iteration; tightening them adds governance and review.
| Setting | Default | What changes when toggled |
|---|---|---|
| Immediately apply created exceptions | On | When off, new exceptions start in a pending state and don't apply until a team member with Editor or Owner access approves them. |
| Allow non-expiring exceptions | On | When off, every exception must have an expiration date. |
| Allow users to approve their own exceptions | Off | When on, the same user who creates an exception can also approve it. By default, a different team member must approve. This setting only matters when "Immediately apply created exceptions" is off, because otherwise no approval step exists. |
The approval history gives you a clear audit trail regardless of which settings you choose. These settings apply to both compliance and security exceptions.
See also
For how individual findings contribute to risk and how scoring works under the hood, read How Mondoo Scores and Prioritizes Findings.