Exception Management

Having a process for managing exceptions is an important part of any Compliance program, and a critical aspect of certain frameworks like ISO 27001.

Comply provides an Exceptions tool to keep track of authorized, temporary deviations from your standard policies, controls, and procedures, which you may need to show your auditor.

You can find the Exception index under the GRC tab --> Exceptions.


Exception Behavior

The key elements of an Exception are:

  • Name
  • Description
  • Status (Active / Inactive / Expired)
  • Expiration Date
  • Authorization Date (the date the Exception was first created)
  • Authorized By (the individual who created or last re-activated the Exception)


Who's authorized to create Exceptions?

Because Exceptions exist to identify deviations from your standard Polices, Controls, and Procedures, only Account Owners and Comply Owners can create Exceptions.

Exceptions default to being in the Active state, unless manually marked as Inactive, or until the Expiration Date is reached, at which point they become Expired.

Tying Exceptions to Automations

Optionally, Exceptions can be tied to Automations. When you tie an Exception to an Automation, you are essentially "suppressing" the automation for a given set of Assets. Specifically:

  • Assets that would otherwise have created an Issue for a given automation don't create issues,
  • The evidence generated from these assets is created with an Excepted condition.

This can serve as a handy way of "turning off" an integration for a limited number of assets.

To tie an Exception to an Automation, simply select an Automation when creating the Exception, and list the specific assets that should be carved out: