UnixTime

Research Note

Vulnerability Exception and Risk Acceptance Record

Use this record when a vulnerability will not be remediated within the normal timeframe and requires risk-based exception approval.

On this page

When to use this

Use this record when a vulnerability will not be remediated within the normal timeframe and requires risk-based exception approval.

Exception record

Field Value
Vulnerability ID TBD
Asset/system TBD
Severity/exposure TBD
Reason remediation is delayed or not possible TBD
Compensating controls TBD
Residual risk TBD
Approved by TBD
Expiry/review date TBD
Monitoring required TBD

Minimum checks

  • Exception has a clear reason.
  • Compensating controls are defined.
  • Residual risk is approved.
  • Exception has an expiry or review date.
  • Monitoring is assigned.
  • Template
  • Iso27001
  • Technological controls
  • Vulnerability management
  • Risk acceptance

Note Metadata

Aliases: Vulnerability Risk Acceptance Record

Source: 90 Templates/Vulnerability Exception and Risk Acceptance Record.md