5 components
required for a valid security policy exception: policy citation, justification, compensating control, named risk acceptor with appropriate authority, and a fixed expiration date
90 days
maximum initial exception duration for most security policy exceptions -- longer durations should require additional justification and a higher-authority risk acceptor
40%
of organizations that conduct exception audits find exceptions that have expired without review, meaning the original risk acceptance is no longer valid but the exception is still being treated as active
2 tiers
of approval authority that prevent both bottlenecks and rubber-stamping: security team approval for compensating-control-covered exceptions, business leadership approval for exceptions accepting residual risk without compensating controls

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A security policy exception process fails in two predictable ways. The first failure: the process requires so many approvals, so much documentation, and so many review cycles that engineering teams learn to work around it -- they simply do not request exceptions and operate out of policy while hoping nobody asks. The second failure: the process is so lightweight (send a Slack message, get a thumbs-up) that it provides no accountability, no documentation, and no tracking -- every request is approved, nothing is reviewed, and exceptions accumulate indefinitely.

Both failures produce the same outcome: the security policy is notionally in effect but practically ineffective, because the exception process is not functioning as a risk accountability mechanism.

The exception process that works occupies the middle ground: five documented components per exception, two approval tiers that route exceptions to the appropriate authority without creating bottlenecks, compensating controls that reduce residual risk during the exception period, and a tracking mechanism with enforced expiration. This guide covers each of these components and the metrics that tell you whether your exception process is functioning.

The Five Required Components of a Valid Security Policy Exception

An exception request that does not include all five components should be returned to the requester, not approved with missing information filled in by the approver.

1. Policy citation. Which specific policy requirement is the exception for? Cite the policy document name and section (e.g., "Information Security Policy, Section 4.3: Endpoint Encryption"). Vague exceptions ("exception to the security policy") cannot be tracked, audited, or expired correctly. A specific policy citation also ensures the requester has read the policy they are requesting an exception to, which occasionally results in them realizing the policy does not actually apply to their situation.

2. Business justification. Why is full policy compliance not currently achievable? Valid justifications include: a technical constraint the team cannot resolve without a dependency outside their control (a third-party vendor that does not support the required encryption standard), a timeline constraint where compliance requires migration work that is planned but not yet complete, or a new system that was deployed before the policy was updated to cover it. "It is inconvenient" and "we have not prioritized it" are not valid justifications. If the team simply has not prioritized compliance, the exception process should not provide cover for continued deprioritization.

3. Compensating controls. What controls are in place to reduce the risk created by the policy deviation during the exception period? A system that cannot meet the encryption-at-rest requirement because the database product does not support it should have compensating controls: network isolation preventing direct database access from untrusted networks, enhanced access logging for all database queries, and encryption in transit for all connections to the database. Compensating controls are documented, verifiable, and explicitly accepted as part of the exception.

4. Named risk acceptor. Who is accepting the residual risk on behalf of the organization? The appropriate authority depends on the risk level: for policy deviations with compensating controls that substantially mitigate the risk, the security team lead or CISO can be the risk acceptor. For policy deviations with significant residual risk or no available compensating controls, the business unit VP or CTO should be the risk acceptor. The risk acceptor's name and title must be documented -- anonymous risk acceptance is not accountability.

5. Expiration date. When does the exception expire? All exceptions must have a defined expiration date, maximum 90 days for the initial grant. Exceptions that require longer duration (a multi-year migration project) require renewal at each 90-day interval with updated justification, updated compensating control verification, and renewed risk acceptor sign-off.

The Two-Tier Approval Model: Routing Without Bottlenecks

A single-tier approval model (all exceptions go to the CISO) creates a bottleneck that produces either rubber-stamping (the CISO approves everything without meaningful review because the volume is too high) or excessive delay (exceptions sit in queue while business work stops). A two-tier model routes exceptions to the appropriate authority by risk level.

Tier 1: Security team approval (lower-residual-risk exceptions). Criteria: the exception is for a policy deviation that is fully covered by documented compensating controls that the security team has verified as operational, and the exception duration is 90 days or less. Approval authority: security team lead or designated security engineer. Review time target: 3 business days. These are routine operational exceptions -- a legacy system being migrated to a compliant configuration, a development environment temporarily exceeding policy while awaiting infrastructure provisioning.

Tier 2: Business leadership approval (higher-residual-risk exceptions). Criteria: the exception involves residual risk that is not fully mitigated by compensating controls, the exception duration exceeds 90 days, the deviation affects systems that process regulated data (PII, PHI, cardholder data), or the policy deviation affects a system with broad organizational access. Approval authority: business unit VP or CTO with security team concurrence. Review time target: 5 business days. These are exceptions where a business leader is explicitly accepting risk on behalf of the organization -- the documentation should reflect that explicitly.

The tier determination is made by the security team upon receiving the exception request. The requester does not self-select their tier. This prevents requesters from deliberately understating risk to get Tier 1 approval.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Compensating Controls: What Counts and What Does Not

The compensating control requirement is where most exception processes fail -- either because no compensating control is required (producing pure risk acceptance with no mitigation), or because the compensating controls accepted are vague and unverifiable ("we will be more careful").

A valid compensating control is specific, verifiable, and actively reduces the residual risk during the exception period. For each compensating control in an exception, the security team should be able to answer: how will we verify this control is in place and functioning, and what is the alert if it fails?

Examples of valid compensating controls for common policy deviations:

For an encryption-at-rest gap: Network isolation (the unencrypted system is not reachable from outside a specific VLAN), access log monitoring (all database queries logged and reviewed for anomalies), enhanced authentication (multi-factor authentication required for all access to the system).

For a patch SLA breach (system running software beyond the approved vulnerability age): Firewall rule restricting the system to minimum required network connectivity, enhanced vulnerability scanning frequency (daily rather than weekly), monitoring of CISA KEV for the specific software version.

For a missing vulnerability scan coverage gap: Manual review by a security engineer on a defined schedule, additional logging of all connections to the uncovered system, and an expedited timeline for bringing the system into scan coverage.

Controls that do not qualify: "we will monitor the situation," "the team is aware of the risk," "we plan to fix it soon." These are not controls. They are statements of intent that provide no actual risk reduction.

Exception Expiration and the Review Cadence That Prevents Accumulation

The most common exception process failure that auditors find: exceptions that expired without review are still being treated as active. The original risk acceptor may have left the company. The compensating controls may no longer be operational. The system the exception covered may have changed significantly. But the exception record says "approved" and nobody has revisited it.

The technical mechanism that prevents this: exception expiration should trigger an automated workflow, not a calendar reminder. In Jira, ServiceNow, or equivalent ITSM: configure the exception ticket to automatically transition to "pending renewal" 14 days before the expiration date, assign a review task to the exception owner, and escalate to the security team if not renewed or explicitly closed within 7 days of expiration.

The renewal review for each exception should confirm three things: the compensating controls are still in place and operational (verified, not assumed), the business justification is still valid (if the system has been migrated to compliance, the exception should be closed rather than renewed), and the risk acceptor is still the appropriate authority for the current risk level.

An exception that is renewed more than twice without progress toward policy compliance is a signal that the exception is functioning as a permanent workaround rather than a temporary accommodation. At the third renewal, require the Tier 2 approval authority to explicitly acknowledge that this is an indefinite deviation and document the long-term risk treatment plan. This prevents exception accumulation without forcing immediate compliance where genuine constraints exist.

Exception Tracking and the Metrics That Indicate Process Health

The exception register is the operational artifact of the exception process. It is a list of all active exceptions, their components, their status, and their expiration dates. The register should be queryable by: system or application, policy section, risk acceptor, expiration date, and approval tier.

The register should be reviewed at the security team level monthly and by the CISO quarterly. The CISO review should surface: the oldest open exceptions (any exception older than 6 months warrants specific attention), exceptions with the highest residual risk (Tier 2 exceptions with limited compensating controls), and exceptions approaching expiration that have not yet been assigned a renewal review.

Three metrics indicate whether the exception process is functioning as an accountability mechanism rather than a workaround channel:

Exception closure rate. What percentage of exceptions are closed (compliance achieved or system decommissioned) versus renewed at expiration? A healthy process closes 30 to 50% of exceptions at first expiration as the underlying issue is resolved. A process where 90% of exceptions are renewed indefinitely indicates that exceptions are functioning as permanent accommodations.

Average exception age. The average age of active exceptions in the register. For a mature process, the average should be under 90 days. An increasing average exception age indicates accumulation without resolution.

Compensating control failure rate. How often does the security team verify that compensating controls are no longer operational? Each verification failure should trigger immediate escalation: the exception was granted based on specific risk reduction measures, and if those measures are no longer in place, the residual risk is higher than was accepted. Tracking this metric tells you whether compensating controls are being treated as live requirements or paper commitments.

When to Deny an Exception Request

Not every exception request should be approved. The exception process should have explicit denial criteria that prevent the process from becoming a universal approval channel.

Deny when: the business justification is "we have not prioritized this" without a remediation plan and timeline, the compensating controls proposed do not actually reduce the risk created by the deviation, the exception would cover a system that processes regulated data without Tier 2 approval, or the same team is requesting a third or subsequent renewal without meaningful progress toward compliance.

The denial process should be documented as clearly as the approval process: the exception request should receive a written response explaining why it was denied and what is required for a future approval. "Denied" without explanation does not help the requester understand what to do next -- which often results in them operating out of policy without an exception rather than improving the request.

For exception requests that reveal a policy that is systematically non-compliant across the organization (the same exception being requested by multiple teams for the same reason), the correct response may be to update the policy rather than approve a wave of exceptions. If a policy was written without accounting for a common operational scenario and teams are regularly requesting exceptions for that scenario, the policy should be revised to address it -- either by including the scenario explicitly or by establishing a standard compensating control framework that teams can adopt without individual exception requests.

The bottom line

A security policy exception process that works maintains accountability without creating friction that encourages workarounds. The five required components -- policy citation, business justification, compensating controls, named risk acceptor, and expiration date -- provide the documentation needed for audit and accountability. The two-tier approval model routes exceptions to the appropriate authority by risk level without creating bottlenecks. The 90-day maximum expiration with automated renewal workflows prevents exceptions from accumulating indefinitely without review. The three process health metrics -- closure rate, average exception age, and compensating control failure rate -- tell you whether exceptions are functioning as temporary accommodations or as permanent workarounds. The goal is not zero exceptions. It is exceptions that represent genuinely managed risk rather than unmanaged policy deviations operating under a cover of documented approval.

Frequently asked questions

What should a security policy exception request include?

Five components are required: the specific policy document and section being excepted (not a vague 'exception to security policy'), the business justification for why immediate compliance is not achievable, the compensating controls in place to reduce residual risk during the exception period, the named risk acceptor with their title and authority level, and a fixed expiration date (maximum 90 days for an initial exception). An exception request missing any of these components should be returned to the requester rather than approved with gaps filled in by the approver.

What is a compensating control in a security policy exception?

A compensating control is a specific, verifiable security measure that reduces the risk created by the policy deviation during the exception period. For an encryption-at-rest gap: network isolation plus access log monitoring. For a patch SLA breach: firewall restrictions to minimum required connectivity plus enhanced scanning frequency. A compensating control must be specific enough that the security team can verify it is in place and operational. 'We will be more careful' and 'the team is aware of the risk' are not compensating controls -- they are statements of intent with no risk reduction value.

How long should a security policy exception last?

Initial exceptions should not exceed 90 days. Longer-duration exceptions (for multi-year migration projects) require renewal at each 90-day interval with updated justification, verified compensating controls, and renewed risk acceptor sign-off. An exception renewed more than twice without compliance progress signals that the exception is functioning as a permanent workaround -- at the third renewal, require explicit acknowledgment from the Tier 2 authority and a documented long-term risk treatment plan.

Who should have authority to approve a security policy exception?

Use a two-tier model based on residual risk level. Tier 1 (security team lead or designated security engineer): exceptions where compensating controls fully mitigate the risk, duration is 90 days or less, and the system does not process regulated data. Tier 2 (business unit VP or CTO with security team concurrence): exceptions with significant residual risk not fully covered by compensating controls, duration exceeding 90 days, systems processing PII, PHI, or cardholder data, or systems with broad organizational access. The security team determines the tier upon receiving the request -- requesters do not self-select.

How do I prevent security policy exceptions from accumulating indefinitely?

Three mechanisms prevent indefinite accumulation: configure automated expiration workflows (the exception ticket transitions to 'pending renewal' 14 days before expiration, with escalation to the security team if not renewed or closed within 7 days of expiration), require renewal reviews that verify compensating controls are still operational and the business justification is still valid rather than automatic rollovers, and apply additional scrutiny to exceptions renewed more than twice -- requiring Tier 2 approval and a documented long-term remediation plan. Track average exception age as a monthly metric; a rising average indicates accumulation.

When should I deny a security policy exception request?

Deny when: the justification is 'we have not prioritized this' without a remediation plan and timeline, the proposed compensating controls do not actually reduce the risk created by the deviation, the exception covers a system processing regulated data without Tier 2 approval, or the same team is requesting a third or subsequent renewal without meaningful compliance progress. Provide a written denial explanation that specifies what is required for a future approval -- a denial without explanation often results in the team operating out of policy without an exception rather than addressing the gap.

What metrics indicate whether my security policy exception process is healthy?

Three metrics: exception closure rate (what percentage of exceptions are closed by achieving compliance or decommissioning the system versus renewed at expiration -- healthy processes close 30 to 50% at first expiration), average exception age (should be under 90 days for a mature process -- rising average indicates accumulation), and compensating control failure rate (how often the security team verifies that compensating controls are no longer operational during the exception period -- each failure should trigger immediate escalation, and the metric's existence creates accountability for controls being maintained, not just documented).

Sources & references

  1. NIST SP 800-53: Security and Privacy Controls
  2. ISO 27001:2022: Information Security Management Systems
  3. ISACA: Risk IT Framework
  4. CIS Controls v8: Implementation Group Guidance
  5. SANS: Building an Effective Security Exception Management Program

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.