2-page information security policy template about authorised exemptions to security policies or other requirements.
Occasionally, there are legitimate business reasons for management to permit nonconformity with information security policies, procedures and controls, provided the information risks remain acceptable. An exemptions policy (plus the accompanying risk assessment and authorisation process) demonstrates stronger governance than selectively turning a blind eye to some nonconformities while treating others as incidents.
Supplied as an MS Word document, readily customised for your organisation's specific situation.