ISMS Exemptions are entered to document and obtain approval for non-compliance with an Audit, Risk, or Policy.
- On the CSM Desktop Client or Browser Client toolbar, select .
- Select the requester and exemption type.
- Depending on the exemption type you choose, a field to link the associated audit, policy, or risk assessment appears.
  A tab for the association will also display in the form arrangement.
- Select the assigned team and owner.
  The assigned team will drive the options available in the Assigned To drop-down list.
- Select a value in the Exemption Term in Months drop-down list and add details to the Current Use field.
- (Optional) Select the date approved and expiration date.
- Add the justification for the exemption in the Reason for Exemption field.
- (Optional) Select the device type.
  Depending on the device type selection, there may be additional fields to complete (example: Asset, Device Name, Location).
- (Optional) Provide details in the Mitigation field.
- Select Save if you need to come back to the form later to submit it.
- When the Exemption form is complete, select the Next: Submitted link under Status.
  While in the Submitted phase, the assigned team reviews the request and determines if more information is required.
- When the Exemption is ready for approval, select the Next: Approving link under Status.
  An Approvals tab appears in the form arrangement.
- The Approver can vote to Approve, Deny, or Abstain, as well as provide comments. Add additional Approvers, if necessary. If there are multiple Approvers, each will need to provide approval before the Exemption can move to the next step.
  The Approver for the Exemption is determined by the Exemption Type:

  | Exemption Type | Approver |
  |---|---|
  | Risk | Risk Owner |
  | Audit | Lead Auditor |
  | Policy | Business Owner |

- Once the Exemption is approved, the status changes to Active.
  If the Exemption is approved and the status is not Active, select the green refresh button.
- Close the Exemption when it is no longer applicable.