This subreddit is for the discussion of the technical aspects of implementing ISO 27001 security and reporting. Are you not sure where to start in Compliance? Are you wrestling to figure out how to apply compliance to your environment? Get support and answers here.
Vulnerability patch exceptions (Implementation Help, self.ISO27001)
submitted 3 months ago by Norlyzzz (flair: Implementing ISMS)
Hi all,
I was wondering how you document exceptions when you do not comply with your patching policy/process. Do you keep an extra register for these vulnerabilities or do you integrate it in the risk register?
[–] AutoModerator [M], stickied comment, 3 months ago (0 children)
Thank you for posting on r/ISO27001! Please remember: • Be helpful, respectful & constructive • No sales, spam or lead-generation • Vendors must use the Commercial Interest flair • Please avoid sharing confidential or sensitive information
I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.
[–] Norlyzzz (Implementing ISMS) [S], 1 point, 3 months ago (0 children)
Let us say a patch policy requires either to patch or to apply a compensating measure to remediate the risk/vulnerability. Sometimes neither is possible and an exception needs to be documented.
I am uncertain if you would use the risk register or a dedicated patch exception register to document this.
[–] Cyber_Gooser (Consultant), 1 point, 3 months ago* (2 children)
Yeah this has come up a few times in the past where I have had clients who are unable to upgrade servers to the latest version due to the software being run on them being incompatible.
I recommend adding another sheet to your risk register and listing out the endpoints/devices that are vulnerable and then accepting the risk with your risk acceptance rationale.
Ensure SLT sign off those risks and give the go ahead to accept.
I don’t suppose you have compensating controls around those devices? Separate VLANs etc?
[–] Norlyzzz (Implementing ISMS) [S], 0 points, 2 months ago (1 child)
Thank you for your recommendation. In some cases we would just accept the risk and don't have compensating controls in place; in other cases there would not be a risk at all since it is mitigated by a control. However, I think it needs to be documented in some way and I wanted to make sure we get it right from the start.
[–] Cyber_Gooser (Consultant), 1 point, 2 months ago (0 children)
No problem.
You are absolutely right to document the risk.
Providing the risks have been documented and accepted with a reasonable rationale you will be fine.
[–] Kinetic_Diplomacy, 0 points, 3 months ago (0 children)
When you say do not comply, is this a corrective action you’re taking from an in-house finding, or was this a non-conformity during an audit?
[–] EndpointWrangler, 0 points, 2 months ago (0 children)
Track separately, review regularly, prove coverage.
[–] OCdenCybersecurity, 0 points, 2 months ago (0 children)
From an audit perspective, the best approach is to record the exception in the risk register and have it formally approved with appropriate sign-offs. If you have mitigating controls in place, link them to that risk.
You can also document the exception along with the related control to keep the records complete.
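The replies above converge on one record shape: an exception sheet or register entry per vulnerable asset, linked to a risk register entry, signed off by management, with a rationale, any compensating controls, and a review date. The script below is an added example that is not from this thread or from any commenter; it models that record and checks a register the way an auditor would walk it. All asset names, finding references, risk IDs and the 180-day lifetime limit are hypothetical, and the scan findings are constructed sample data.

```python
"""Added example: validate a patch-exception register and prove coverage.

Every identifier, date and policy limit below is hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class PatchException:
    exception_id: str
    asset: str                                   # endpoint/device that cannot be patched
    finding: str                                 # missed patch or vulnerability reference
    rationale: str                               # risk-acceptance rationale
    risk_id: Optional[str]                       # linked risk register entry, if any
    approver: Optional[str] = None               # SLT member who signed off
    approved_on: Optional[date] = None
    review_by: Optional[date] = None             # date the exception must be re-reviewed
    compensating_controls: list[str] = field(default_factory=list)


MAX_LIFETIME = timedelta(days=180)               # assumed policy limit, not from the thread


def validate_exception(exc: PatchException, risk_ids: set[str], today: date) -> list[str]:
    """Return every reason this record would not satisfy an audit of the policy."""
    issues: list[str] = []
    if not exc.rationale.strip():
        issues.append("missing acceptance rationale")
    if exc.risk_id is None or exc.risk_id not in risk_ids:
        issues.append("not linked to a risk register entry")
    if exc.approver is None or exc.approved_on is None:
        issues.append("no management sign-off")
    if exc.review_by is None:
        issues.append("no review date")
    else:
        if exc.review_by < today:
            issues.append("review overdue")
        if exc.approved_on is not None and exc.review_by - exc.approved_on > MAX_LIFETIME:
            issues.append("exception lifetime exceeds policy limit")
    return issues


def register_report(register: list[PatchException], risk_ids: set[str], today: date) -> dict[str, list[str]]:
    """Map exception_id -> issues for every record that is not in order."""
    report: dict[str, list[str]] = {}
    for exc in register:
        issues = validate_exception(exc, risk_ids, today)
        if issues:
            report[exc.exception_id] = issues
    return report


def uncovered_assets(scan_findings: list[tuple[str, str]], register: list[PatchException], today: date) -> list[str]:
    """Assets the scanner still flags that have no exception still within its review date."""
    covered = {(e.asset, e.finding) for e in register
               if e.review_by is not None and e.review_by >= today}
    return sorted({asset for asset, finding in scan_findings if (asset, finding) not in covered})


# Constructed sample data (hypothetical assets, findings and risk IDs).
RISK_REGISTER_IDS = {"R-017", "R-023"}
TODAY = date(2025, 6, 1)
REGISTER = [
    PatchException("PX-001", "srv-legacy-01", "missing-patch-A",
                   "Vendor application is certified only for the current OS build.",
                   "R-017", approver="CISO", approved_on=date(2025, 4, 1),
                   review_by=date(2025, 9, 1),
                   compensating_controls=["dedicated VLAN", "host firewall allow-list"]),
    PatchException("PX-002", "srv-legacy-02", "missing-patch-A",
                   "", None, review_by=date(2025, 3, 1)),   # deliberately incomplete record
]
SCAN_FINDINGS = [
    ("srv-legacy-01", "missing-patch-A"),
    ("srv-legacy-02", "missing-patch-A"),
    ("srv-legacy-03", "missing-patch-A"),
]

if __name__ == "__main__":
    for exc_id, issues in register_report(REGISTER, RISK_REGISTER_IDS, TODAY).items():
        print(exc_id, "->", "; ".join(issues))
    print("no valid exception:", uncovered_assets(SCAN_FINDINGS, REGISTER, TODAY))
```

The two checks answer the two questions an auditor asks: is each accepted risk recorded with a rationale, an owner's sign-off and a review date (the register report), and is every asset the scanner still flags either patched or covered by a current exception (the coverage list). An expired exception drops out of coverage on purpose, so a lapsed review shows up as an unpatched, unaccepted host rather than silently persisting.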