Create an ISMS Exemption
ISMS Exemptions document, and obtain approval for, non-compliance with an Audit, Risk, or Policy.
To create an Exemption:
- On the CSM Desktop Client or Browser Client toolbar, select New > New ISMS Exemption.
- Select the requester and exemption type.
- Depending on the exemption type you choose, a field to link the associated audit, policy, or risk assessment appears.
A tab for the association is also displayed in the form arrangement.
- Select the assigned team and owner.
The assigned team will drive the options available in the Assigned To drop-down list.
- Select a value in the Exemption Term in Months drop-down list and add details to the Current Use field.
- (Optional) Select the date approved and expiration date.
- Add details for the justification for the exemption in the Reason for Exemption field.
- (Optional) Select the device type.
Depending on the device type selection, there may be additional fields to complete (example: Asset, Device Name, Location).
- (Optional) Provide details in the Mitigation field.
- Select Save if you need to come back to the form later to submit it.
- When the Exemption form is complete, select the Next: Submitted link under Status.
While in the Submitted phase, the assigned team reviews the request and determines if more information is required.
- When the Exemption is ready for approval, select the Next: Approving link under Status.
An Approvals tab appears in the form arrangement.
- The Approver can vote to Approve, Deny, or Abstain, as well as provide comments. Add additional Approvers, if necessary. If there are multiple Approvers, each will need to provide approval before the Exemption can move to the next step.
The Approver for the Exemption is determined by the Exemption Type:
| Exemption Type | Approver |
| --- | --- |
| Risk | Risk Owner |
| Audit | Lead Auditor |
| Policy | Business Owner |
- Once the Exemption is approved, the status changes to Active.
If the Exemption is approved and the status is not Active, select the green refresh button.
- Close the Exemption when it is no longer applicable.