When to use this
Use this record when a vulnerability will not be remediated within the normal timeframe and requires risk-based exception approval.
Related controls
Exception record
| Field | Value |
|---|---|
| Vulnerability ID | TBD |
| Asset/system | TBD |
| Severity/exposure | TBD |
| Reason remediation is delayed or not possible | TBD |
| Compensating controls | TBD |
| Residual risk | TBD |
| Approved by | TBD |
| Expiry/review date | TBD |
| Monitoring required | TBD |
Minimum checks
- Exception has a clear reason.
- Compensating controls are defined.
- Residual risk is approved.
- Exception has an expiry or review date.
- Monitoring is assigned.
- Template
- Iso27001
- Technological controls
- Vulnerability management
- Risk acceptance
Note Metadata
Aliases: Vulnerability Risk Acceptance Record
Source: 90 Templates/Vulnerability Exception and Risk Acceptance Record.md
Related Notes
- Risk Assessment
- Statement of Applicability
- A.8.8 Audit Evidence Pack
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- A.8.8 Audit Checklist
- Templates MOC