SecAware materials


2-page information security policy template about authorised exemptions to security policies.


Occasionally, there are legitimate business reasons to permit nonconformity with information security policies, procedures and controls, provided the information risks remain acceptable to management. Having an exemptions policy (plus the accompanying risk assessment and authorisation process) demonstrates stronger governance than selectively turning a blind eye to some nonconformities while treating other exceptions as incidents.


Supplied as an MS Word document, readily customised for your organisation's specific situation.


Exemptions policy