CA-9 / PL-9 / A.5.1 / CIS-4.6 NIST SP 800-53 Rev 5

Qualifications / exceptions tracked

Demonstrate that all security policy exceptions and qualifications are formally documented, tracked in a centralized system, reviewed at defined intervals, and approved by appropriate authority.

Description

What this control does

This control ensures that all approved deviations, exceptions, and qualifications to security policies, standards, or baseline configurations are formally documented, tracked, and reviewed. Organizations maintain a centralized register or database that records the justification, scope, duration, compensating controls, and approval authority for each exception. Proper tracking prevents exceptions from becoming permanent unmanaged risks and ensures accountability when security requirements cannot be met as written.

Control objective

What auditing this proves

Demonstrate that all security policy exceptions and qualifications are formally documented, tracked in a centralized system, reviewed at defined intervals, and approved by appropriate authority.

Associated risks

Risks this control addresses

  • Undocumented exceptions become permanent security gaps that persist beyond their original justification
  • Expired exceptions remain active without re-evaluation, allowing outdated risk acceptance to continue unchecked
  • Attackers exploit systems with approved exceptions that lack compensating controls or adequate monitoring
  • Audit findings or compliance violations occur when exceptions are granted informally without proper documentation
  • Exception scope creep occurs when temporary deviations expand to cover additional systems or use cases without re-approval
  • Loss of organizational memory when personnel change leads to unknown exceptions that cannot be re-evaluated or revoked
  • Conflicting exceptions granted by different authorities create inconsistent security posture across similar systems

Testing procedure

How an auditor verifies this control

  1. Request the organization's centralized exception tracking system, register, or database and determine its format and custodian
  2. Obtain the policy or procedure governing the exception request, approval, documentation, and review process
  3. Select a judgmental sample of 10-15 exceptions spanning different policy domains, risk levels, and approval dates
  4. Verify each sampled exception contains required elements: requesting party, affected systems, policy deviation details, business justification, risk assessment, compensating controls, expiration date, and approver identity
  5. Confirm that each exception was approved by personnel with documented authority commensurate with the risk level
  6. Review evidence that active exceptions within the sample have been re-evaluated at the intervals specified in policy
  7. Cross-reference a sample of high-risk systems or recent vulnerability findings to verify any applicable exceptions are properly documented in the tracking system
  8. Interview exception owners and security personnel to confirm they are aware of active exceptions and associated compensating controls

Evidence required

The auditor collects the exception tracking register or database export showing all active and recently expired exceptions, the exception management policy defining approval authorities and review cycles, and supporting documentation for sampled exceptions including approval emails, risk assessments, and compensating control evidence. Screenshots or reports demonstrating periodic review activities and closure of expired exceptions provide additional validation.

Pass criteria

All sampled exceptions contain required documentation elements, were approved by appropriate authority, remain within their approved scope and duration, have been reviewed at policy-defined intervals, and any expired exceptions have been either renewed with fresh approval or formally closed.

Where this control is tested

Audit programs including this control