Exception process for unpatchable systems
Demonstrate that all unpatchable systems are formally identified, documented with business justification, protected by compensating controls, and approved through a risk acceptance process by authorized stakeholders.
Description
What this control does
This control establishes a formal exception and risk acceptance process for systems that cannot be patched due to technical constraints, vendor support limitations, or operational requirements. When vulnerabilities cannot be remediated through standard patching, the organization must document the business justification, implement compensating controls (such as network segmentation, enhanced monitoring, or application whitelisting), and obtain risk acceptance from authorized stakeholders. The process ensures unpatchable systems remain visible to security teams and receive alternative protections rather than becoming unknown or unmanaged risk vectors.
Control objective
What auditing this proves
Demonstrate that all unpatchable systems are formally identified, documented with business justification, protected by compensating controls, and approved through a risk acceptance process by authorized stakeholders.
Associated risks
Risks this control addresses
- Unpatched vulnerabilities in legacy systems are exploited by attackers to gain initial access or establish persistence
- Unpatchable systems become pivot points for lateral movement due to insufficient network segmentation or access controls
- Known exploits targeting outdated software versions are used to exfiltrate sensitive data from unsupported systems
- Compensating controls are not implemented or fail, leaving critical business systems exposed without alternative protection mechanisms
- Exception approvals expire without renewal, resulting in forgotten systems that accumulate critical vulnerabilities over time
- Lack of enhanced monitoring on unpatchable systems prevents detection of exploitation attempts and successful compromises
- Business justification for maintaining legacy systems becomes invalid, but the exception remains active, creating unnecessary risk exposure
Testing procedure
How an auditor verifies this control
- Obtain the organization's documented exception process for unpatchable systems including approval workflows, compensating control requirements, and exception duration policies
- Request an inventory of all active exceptions for unpatchable systems including system identifiers, software versions, vulnerability details, and approval dates
- Select a representative sample of 8-12 exception records spanning different business units, criticality levels, and exception ages
- Review each sampled exception for completeness of business justification, documented compensating controls, approved timeline, and authorized stakeholder signatures
- Verify that documented compensating controls are actually deployed by examining network segmentation rules, monitoring configurations, access control lists, or endpoint protection settings for sampled systems
- Cross-reference the exception inventory against vulnerability scanning results to confirm identified unpatchable systems appear in security tool outputs and verify no additional unpatched systems exist without formal exceptions
- Validate that exceptions approaching or past their expiration dates have documented re-approval or remediation plans including decommissioning schedules or upgrade paths
- Interview IT operations and security personnel to confirm awareness of unpatchable systems, understanding of compensating controls, and adherence to exception renewal procedures
Where this control is tested