An exemption is appropriately granted when adherence to a specific security policy or control would not be feasible, such as when it would interfere with operational requirements or when the associated cost far outweighs the benefit. It is not a means of avoiding security measures altogether but a considered decision that requires approval by the appropriate level of management. The approval process must include an understanding of the potential risks and agreement that those risks are acceptable. This distinguishes exemptions from other risk strategies, such as mitigation, where risks are reduced, or transference, where risks are shared.