Patch Exception and Risk Acceptance Log

Documents deferred or excluded security patches with business justification, accountable owner, and review date for audit trail and follow-up.

Exception Summary

• Exception title
  Short, descriptive name for this exception record.
• Exception type
• Request date
  Date the exception was identified or requested.
• Requested by
  Name or team requesting the exception.

Affected Asset and Patch Details

• Affected asset or system name
  Use the system name, hostname, application name, or asset tag.
• Asset identifier
  Optional internal asset ID, hostname, or CMDB reference. Collect only if needed for lookup.
• Patch or advisory reference
  Enter the patch ID, KB number, CVE, vendor advisory, or change reference.
• Severity

Business Justification and Risk

• Business justification
  Explain the operational, technical, or vendor reason the patch is deferred or excluded.
• Risk impact summary
  Summarize the potential impact if the vulnerability remains unpatched.
• Compensating controls
  Select the controls currently reducing exposure while the patch is deferred.
• Other compensating controls
  Show only if 'Other' is selected in compensating controls.

Ownership and Approval

• Business owner
  Person accountable for the risk acceptance decision.
• Technical owner
  Person responsible for implementing compensating controls and remediation planning.
• Approval status
• Approver name
  Required when the exception is approved.
• Approval date
  Date the exception was approved.

Review and Audit Trail

• Review date
  Date the exception must be reassessed or closed.
• Follow-up actions
  Document remediation milestones, closure criteria, or escalation steps.
• Supporting evidence
  Optional evidence such as vendor notice, change record, or risk memo.