Exception to the rule

Steve Macmillan

When running workshops with customers to develop and deliver IT policies, we often encounter situations where full adherence to a policy statement is not practical or feasible. In these situations an exceptions register can be a valuable tool as it provides a structured mechanism for managing and documenting deviations from policies.

An exceptions register enables you to document the specific circumstances or business requirements that necessitate an exception and may detail alternative approaches that were considered but deemed not practical or less effective.

The register can also serve as the formal mechanism for obtaining approval and authorisation for exceptions. Sign-off can be obtained from IT management, governance and compliance roles, or other relevant stakeholders, and should come from someone independent of the person requesting the exception.

Once the exceptions register is in use and being populated it also provides a means to track and monitor the lifecycle of each exception (requested, approved, reviewed, expired or closed), and to drive accountability and governance.

Some steps to consider when it is determined that a policy statement cannot be fully complied with are:

  • Assess why compliance is a challenge: is it resource constraints, technical limitations, a regulatory conflict, or a business need?
  • Communicate to relevant stakeholders and affected individuals or departments why full compliance is not currently feasible or realistic, and detail any mitigating factors or alternative approaches that have been considered.
  • Document the rationale and justification in the exceptions register. Outline the specific circumstances or constraints that prevent full compliance, along with details of any compensating measures or alternative controls being implemented, the owner accountable for the exception, and the date on which it expires or must be reviewed.
  • Determine whether risk management measures are required to mitigate the risks associated with non-compliance. If so, identify, document and prioritise those risks based on their severity and potential impact on the organisation, then devise and implement mitigation strategies to address them.
  • Monitor and review the exception at a defined interval, so that it remains justified and the associated risks remain adequately managed; an exception that has lapsed should be re-justified or closed, not left open indefinitely.
  • Engage with the owners or stakeholders of the policy to discuss any potential modifications or revisions that could accommodate your organisation's needs or constraints while still achieving the intended policy objectives. Collaboration may allow for a mutually agreeable solution that balances compliance requirements with practical considerations.

What is the relationship between an exceptions register and a risk register?

An exception is, by definition, a control that is not being applied as the policy intends, so each exception recorded in the register should also be evaluated as a potential security risk and, where it weakens a control, recorded in the risk register with a reference back to the exception. This ensures that security teams proactively address exceptions that could compromise the confidentiality, integrity, or availability of sensitive information or systems. Conversely, some security risks identified in the risk register may result in exceptions being entered in the exceptions register. For example, a system in use may have a known vulnerability whose security patch cannot be installed immediately (because it breaks a dependent application, say), leading to a time-limited exception to the patching policy with compensating controls recorded against that risk.
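The steps above and the link to the risk register are easier to enforce when the register is a structure with checks rather than a free-form spreadsheet. The following is an added example, not code from Policy Management as a Service: a small Python model of an exceptions register that refuses approval when the expiry has passed, when the owner self-approves, when a linked risk ID does not exist, or when a high-severity risk is linked with no compensating control; a periodic review that expires lapsed exceptions and flags those with no risk-register entry; and a CSV export. All identifiers (EXC-001, RISK-017, the policy reference, dates, names and wording) are constructed for illustration.

```python
"""Exceptions register with lifecycle review and a link to the risk register.

Added example, not PMaaS code. The exception IDs, risk IDs, policy references,
dates, owners and findings wording are all constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Risk:
    """A risk-register entry that an exception can be linked to (constructed shape)."""
    risk_id: str
    description: str
    severity: str  # "low", "medium" or "high"


@dataclass
class PolicyException:
    """One exceptions-register entry. Every exception is owned and time-limited."""
    exc_id: str
    policy_ref: str                 # the policy statement being deviated from
    rationale: str                  # why full compliance is not feasible
    owner: str                      # accountable for the exception and its review
    expires_on: date                # no open-ended exceptions
    compensating_controls: list[str] = field(default_factory=list)
    risk_ids: list[str] = field(default_factory=list)  # cross-references to the risk register
    approver: str | None = None
    status: str = "requested"       # requested -> approved -> expired / closed


class Registers:
    """Holds both registers so approvals can be checked against the risk register."""

    def __init__(self, risks: list[Risk]) -> None:
        self.risks = {r.risk_id: r for r in risks}
        self.exceptions: dict[str, PolicyException] = {}

    def request(self, exc: PolicyException) -> None:
        if exc.exc_id in self.exceptions:
            raise ValueError(f"duplicate exception id {exc.exc_id}")
        self.exceptions[exc.exc_id] = exc

    def approve(self, exc_id: str, approver: str, today: date) -> list[str]:
        """Approve an exception; returns the reasons it cannot be approved (empty on success)."""
        exc = self.exceptions[exc_id]
        problems: list[str] = []
        if exc.expires_on <= today:
            problems.append("expiry date must be in the future")
        if approver == exc.owner:
            problems.append("approver must be independent of the owner")
        unknown = [r for r in exc.risk_ids if r not in self.risks]
        if unknown:
            problems.append(f"unknown risk ids: {', '.join(unknown)}")
        high = [r for r in exc.risk_ids if r in self.risks and self.risks[r].severity == "high"]
        if high and not exc.compensating_controls:
            problems.append("high-severity risk linked but no compensating control recorded")
        if not problems:
            exc.approver = approver
            exc.status = "approved"
        return problems

    def review(self, today: date, warn_days: int = 30) -> list[str]:
        """Periodic review: expire lapsed exceptions and flag those needing attention."""
        findings: list[str] = []
        for exc in self.exceptions.values():
            if exc.status != "approved":
                continue
            if exc.expires_on <= today:
                exc.status = "expired"
                findings.append(f"{exc.exc_id}: expired on {exc.expires_on}; re-justify or close")
            elif exc.expires_on - today <= timedelta(days=warn_days):
                findings.append(f"{exc.exc_id}: expires within {warn_days} days; review due")
            if not exc.risk_ids:
                findings.append(f"{exc.exc_id}: approved with no entry in the risk register")
        return findings

    def to_csv(self) -> str:
        """Export the register as CSV; list fields are joined with ';'."""
        out = io.StringIO()
        w = csv.writer(out)
        w.writerow(["exc_id", "policy_ref", "owner", "approver", "status",
                    "expires_on", "compensating_controls", "risk_ids", "rationale"])
        for e in self.exceptions.values():
            w.writerow([e.exc_id, e.policy_ref, e.owner, e.approver or "", e.status,
                        e.expires_on.isoformat(), ";".join(e.compensating_controls),
                        ";".join(e.risk_ids), e.rationale])
        return out.getvalue()


def demo(today: date = date(2024, 4, 15)) -> tuple[list[str], list[str], str]:
    """Constructed walk-through of the delayed-patch example from the article."""
    regs = Registers([Risk("RISK-017", "Known vulnerability in legacy finance app", "high")])
    regs.request(PolicyException(
        exc_id="EXC-001",
        policy_ref="PATCH-3.2 (critical patches within 14 days)",
        rationale="Vendor patch breaks the month-end batch job; fix expected next release",
        owner="finance-it-lead",
        expires_on=today + timedelta(days=20),
        compensating_controls=["Network ACL restricting the app to the finance VLAN",
                               "Weekly vulnerability scan of the host"],
        risk_ids=["RISK-017"],
    ))
    approval_problems = regs.approve("EXC-001", "ciso", today)  # [] : approved
    findings = regs.review(today)  # expiry within 30 days -> "review due"
    return approval_problems, findings, regs.to_csv()
```

The point of the `approve` checks is that the register cannot hold an open-ended or self-approved exception, and that an exception touching a high-severity risk cannot be approved without a compensating control on record; `review` is what you would run on a schedule so that lapsed exceptions surface rather than silently persisting.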

Both registers play a key role in ensuring that security risks are identified, managed, and mitigated effectively to safeguard organisational assets and data against potential threats and vulnerabilities.

Policy Management as a Service incorporates an exceptions register that can be exported to CSV, plus a range of other useful functions that help customers manage the lifecycle of their IT policies.

Click below to download our latest infographic on frequently asked questions around managing content and users with PMaaS.

Infographic - Managing Content and Users with Policy Management as a Service


April enhancement release

Our April 2024 enhancement release will go live on or before 30th April; details of the enhancements are available on our website.

Join us at upcoming events!

We're excited to announce our participation in two upcoming events:

Digi Gov Expo 2024
Date: May 8-9
Location: ExCel London, UK - Booth No. A3
Join us at the UK's premier public sector tech event! Explore cutting-edge technology, network with industry leaders, and stay ahead of tech trends.

Charity Times Leadership Conference
Date: May 8
Location: Waldorf Hilton Hotel, UK
Discover strategies for long-term survival in the charity sector. Gain insights from experts, network with peers, and explore innovative solutions for your organisation's digital landscape.

If you are attending, stop by our stand and have a chat with our team about how we are helping organisations navigate the complexities of developing, delivering and maintaining IT policies whilst adhering to best practice guidance such as ISO, PCI and CE. We look forward to meeting you there!

Contact Us Today

Fill in the form or call us on (UK) +44 845 241 0099 or (NZ) +64 9 570 2233