Exception management is the process for documenting, reviewing, approving, and tracking departures from a standard security requirement or baseline.
In plain language, it is how the organization handles the cases where a system cannot follow the normal rule exactly as written.
Exception management matters because environments are messy. Some systems cannot immediately meet every standard, but unmanaged exceptions create invisible risk if no one records the reason, owner, and expiration or review plan.
It also matters because exceptions can accumulate quietly. A disciplined process keeps temporary deviations from becoming permanent, forgotten exposure.
Exception management appears in architecture review, audit remediation, cloud and endpoint baselines, legacy systems, and control gaps that need interim treatment. Teams connect it to Risk Register, Compensating Control, Residual Risk, and Security Baseline.
Security teams use exception management to keep deviations visible, accountable, and tied to real follow-up rather than informal agreement.
A legacy application cannot yet adopt the standard authentication requirement used everywhere else. The organization records an exception, notes the business reason, requires compensating controls, assigns an owner, and schedules a later review so the gap is not forgotten.
Exception management is not the same as ignoring a problem. A proper exception process should make the risk more visible, not less.
It is also different from Compensating Control. Exception management governs the process around the deviation; compensating controls are the alternative safeguards used within that process.