Exceptions Register · Cenedril Wiki

The exceptions register documents all approved deviations from your security policies. Every ISMS has areas where a policy cannot be fully implemented temporarily — the register makes these areas visible, time-limited and controllable.

ISO 27001 A.5.1 (Policies for Information Security) requires that policies are binding. When a deviation is unavoidable, it must be formally approved, paired with compensating controls and time-limited. The exceptions register is where you document this chain.

What does it contain?

Each row represents one approved exception. The columns:

ID / Type / Scope — unique identifier, type of deviation (e.g. Malware Protection, Access Control) and affected scope
Description / Reason — what exactly deviates and why the deviation is necessary
Compensating Controls — which alternative measures contain the residual risk
Requested By / Approved By — who requested the exception and who approved it
Granted / Expires / Status — approval date, expiry date and current status

How to use it

Request: Whoever needs a deviation from a policy documents the case in the register: which policy is affected, why the deviation is necessary and which compensating controls will be implemented.

Approval: The ISO (or executive management for far-reaching exceptions) reviews the justification and compensating controls, sets an expiry date and approves or rejects.

Monitoring: Once a quarter, review the register for expiring or expired exceptions. Expired entries are either renewed (with a fresh review) or closed — in both cases the status is updated.

ID	Typ	Geltungsbereich	Beschreibung	Begründung	Kompensierende Kontrollen	Beantragt von	Genehmigt von	Gewährt	Läuft ab	Status
EXC-2026-001	Malware-Schutz	AST-013 CI-Runner	Verzeichnis /builds/ von Echtzeit-AV-Scan ausschließen	Builds schlagen mit Scan fehl (False Positives bei Artefakten)	Wöchentlicher Offline-Scan + eingeschränkter Netzzugriff für Runner	Head of Engineering	ISB	2026-02-01	2026-08-01	Aktiv
EXC-2026-002	Web-Filter	Marketingteam (12 Nutzer)	Social-Media-Plattformen (LinkedIn Facebook Instagram X TikTok) erlauben	Geschäftlicher Bedarf für Social-Media-Kampagnen	DLP-Scan ausgehend + Schulung	Marketingleitung	ISB	2026-01-15	2027-01-15	Aktiv
EXC-2026-003	Malware-Schutz	AST-006 (3 Entwickler-Laptops)	Docker Desktop Cache-Verzeichnisse ausschließen	EDR-Konflikte mit Containern	EDR-Richtlinie mit Docker-Regeln + Netzwerk-Monitoring	Head of Engineering	ISB	2026-03-01	2026-09-01	Aktiv
EXC-2026-004	Web-Filter	Threat-Intel-Analyst (1 Nutzer)	Zugriff auf Malware-Analyse-Sandboxes und Untergrundforen erlauben	Bedrohungsforschung	Isolierte Forschungs-VM + geloggt	ISB	ISB + CEO	2026-01-01	2026-12-31	Aktiv
EXC-2026-005	Passwortrichtlinie	Legacy-ERP-Schnittstelle	Passwortlänge von 10 statt 14 Zeichen erlauben	System unterstützt keine längeren Passwörter	Kontosperre nach 5 Fehlversuchen + MFA auf Jump-Host	IT-Betriebsleitung	ISB	2025-11-01	2026-11-01	Aktiv
EXC-2026-006	Web-Filter	Finanzteam (4 Nutzer)	Zugriff auf Banking-Portale erlauben	Geschäftlicher Bedarf	Überwacht + DLP-Regeln	CFO	ISB	2026-01-01	2027-01-01	Aktiv

ID	Type	Scope	Description	Reason	Compensating Controls	Requested By	Approved By	Granted	Expires	Status
EXC-2026-001	Malware protection	AST-013 CI runners	Exclude /builds/ directory from real-time AV scan	Builds fail with scan enabled (false positives on artefacts)	Weekly offline scan + limited network access for runners	Head of Engineering	ISO	2026-02-01	2026-08-01	Active
EXC-2026-002	Web filter	Marketing team (12 users)	Allow social media platforms (LinkedIn Facebook Instagram X TikTok)	Business need for social media campaigns	DLP scan outbound + training	Marketing Lead	ISO	2026-01-15	2027-01-15	Active
EXC-2026-003	Malware protection	AST-006 (3 developer laptops)	Exclude Docker Desktop cache directories	EDR conflicts with containers	EDR policy with Docker-aware rules + network monitoring	Head of Engineering	ISO	2026-03-01	2026-09-01	Active
EXC-2026-004	Web filter	Threat Intel analyst (1 user)	Allow access to malware analysis sandboxes and underground forums	Threat research	Isolated research VM + logged	ISO	ISO + CEO	2026-01-01	2026-12-31	Active
EXC-2026-005	Password policy	Legacy ERP interface	Allow password length of 10 chars instead of 14	System does not support longer passwords	Account lockout after 5 failed attempts + MFA on jump host	IT Operations Lead	ISO	2025-11-01	2026-11-01	Active
EXC-2026-006	Web filter	Finance team (4 users)	Allow banking portals	Business need	Monitored + DLP rules	CFO	ISO	2026-01-01	2027-01-01	Active

Sources

ISO/IEC 27001:2022 A.5.1 — Policies for Information Security
ISO/IEC 27002:2022 Section 5.1 — Guidance on implementing information security policies

Frequently asked questions

When do I need an exception?

Whenever a security policy cannot be fully met in a specific case for technical or business reasons on a temporary basis. Typical examples: malware scanner interfering with build processes, legacy system without MFA capability, test environment with relaxed network rules. Every exception needs a documented justification, compensating controls and an expiry date.

How long may an exception last?

As short as possible. In practice, three to six months work well, with a mandatory renewal review. Open-ended exceptions are an audit finding because they effectively override the policy.

Who approves exceptions?

Typically the ISO or executive management — depending on the scope. The CSV template has columns for Requested By and Approved By. The key is that the approver consciously accepts the residual risk and documents the decision.