Policy Exception Log Guide

Track policy and control exceptions with approvers, expiry, and compensating controls.

Template file: COR-015 (.xlsx)

How to Fill Out This Policy Exception Log

Policy exception log template: an operational log for exceptions. Pair it with COR-014 risk acceptance forms for material gaps.

Recommended Owner: Security Lead | Approvers per row

What this file is for

Document purpose

Operational log of policy/control exceptions with approval and expiry (CC4.2).

In your program: material exceptions also need a COR-014 risk acceptance form; fill the COR-014 Ref column whenever the risk is accepted rather than mitigated.

Before you start

Getting Started

  • Enable Editing; read the Instructions sheet first for tab order and version metadata.
  • Use dropdowns in validated columns; delete the gray sample rows before auditors sample the log.
  • Check Dashboard after updates — formulas flag gaps and acceptance rates.

Document tour

Fill out the file section by section

Work through the sections below in order. Each block matches a heading or tab in the downloaded COR-015 file.

Instructions
  • Set workbook owner and audit period on Instructions; review related COR-001 exception process.
  • After editing Instructions, search for `[` placeholders and gray sample names — auditors flag incomplete templates.
Exception Log
  • Keep Exception ID stable (EXC-###); Policy/Doc is the COR or SOC document ID being excepted.
  • Severity and Status use dropdowns; an End Date is required for every Open exception.
  • COR-014 Ref is mandatory when the treatment is Accept; Evidence Link is the ticket or signed form.
  • Review Freq drives the steering committee (SOC-017) agenda: monthly for Critical severity.

Exception ID

  • Assign stable Exception ID values — never reuse an ID for a different record in the audit period.
  • Cross-reference IDs in related toolkit docs (SOC-021, COR-014, HR-001, etc.).

Policy / Doc

  • Enter the COR or SOC document ID whose requirement is being excepted; use the dropdown where provided so the ID matches the toolkit.
  • Never leave this blank for an active record: an exception that names no policy cannot be traced to the control it weakens.

Type

  • Select the exception Type from the dropdown; Dashboard counts group on this value.
  • Do not leave cells blank for active records; use N/A with a short reason only if no type fits.

TSC Ref

  • Enter the Trust Services Criteria reference (CCx.y) that the excepted control supports; use the dropdown where provided.
  • Do not leave cells blank for active records; use N/A with a short reason only if the exception touches no in-scope criterion.

Description

  • Describe what is excepted, why, and the compensating control in place. This is free text: write it so an auditor can follow it without opening the ticket.
  • Do not leave this blank for active records; N/A is not a valid description of an exception.

Severity

  • Use dropdown values for Severity — align definitions with COR-003, COR-008, or COR-009.
  • Inconsistent scoring between this file and meeting minutes (SOC-017/SOC-019) triggers auditor questions.

Requestor

  • Name the person who requested the exception; the name should match the requester on the linked ticket or signed form.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Approver

  • Name a person (not a team inbox) in Approver — auditors interview control owners.
  • Must match COR-005 org chart or SOC-024 control owner assignments where applicable.

Start Date

  • Use the YYYY-MM-DD format consistently so dates sort and compare correctly across rows.
  • Start Date must match the approval date in the linked ticket or signed form; auditors compare the log to that evidence.

End Date

  • Use the YYYY-MM-DD format consistently. Every Open exception needs an End Date; an exception with no expiry is a permanent policy change, not an exception.
  • When an exception passes its End Date, add a renewal row with a fresh approval and a new End Date, or close it; do not silently extend the date on the original row.

Status

  • Select Status from the dropdown; free text breaks Dashboard formulas and heatmaps.
  • Keep Status current through the lifecycle (Open until closed or renewed) before sign-off; an Open row past its End Date is flagged in the quality check.

Review Freq

  • Review Freq is a cadence, not a date: select it from the dropdown where provided, and use monthly for Critical severity.
  • The value drives the SOC-017 steering committee agenda, so each review should be visible in the meeting minutes (SOC-017/SOC-019).

COR-014 Ref

  • Required when the treatment is Accept: enter the reference of the COR-014 risk acceptance form. The Dashboard reports Missing COR-014 Ref for accepted-risk rows that lack one.
  • For other treatments, enter N/A rather than leaving the cell blank, so a missing form is distinguishable from a form that was never needed.

Evidence Link

  • Fill Evidence Link with a URL, ticket, or export path auditors can open — not a local-only path.
  • Re-verify links before fieldwork; broken evidence links are a common audit finding.

Quality check

Before You Finalize

  • No Open rows past their End Date without a renewal row.
  • Dashboard shows zero Missing COR-014 Ref for accepted-risk exceptions.
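The two finalize checks above, together with the per-column rules earlier on this page (stable IDs, an End Date for every Open row, COR-014 Ref on Accept, a populated Evidence Link, monthly review for Critical severity), as an added Python example. This is not part of the COR-015 workbook or its Dashboard formulas; it runs the same checks over a constructed CSV export of the Exception Log. The "Treatment" and "Renews" columns, and every ID, reference and ticket number in the sample, are assumptions made for the example.

```python
"""Consistency checks over a policy exception log export (added example, not
part of COR-015 or its Dashboard formulas).

Assumptions: the log is exported as CSV with the column names used on this
page; a "Treatment" column (Accept/Mitigate) records how the gap is handled,
because the COR-014 Ref rule is tied to Accept; a "Renews" column links a
renewal row back to the expired exception it extends. Both columns are
hypothetical here.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export; every ID, reference and ticket is hypothetical.
SAMPLE_LOG = """\
Exception ID,Policy / Doc,Severity,Treatment,Status,Start Date,End Date,Review Freq,COR-014 Ref,Evidence Link,Renews
EXC-001,COR-009,Critical,Mitigate,Open,2024-01-15,2024-04-15,Monthly,,TICKET-1042,
EXC-002,SOC-021,High,Accept,Open,2024-02-01,2024-08-01,Quarterly,,TICKET-1100,
EXC-003,COR-008,Medium,Accept,Open,2024-03-01,2024-09-01,Quarterly,RA-007,TICKET-1150,
EXC-004,HR-001,Low,Mitigate,Closed,2023-11-01,2024-02-01,Quarterly,,TICKET-0980,
EXC-005,COR-009,Critical,Mitigate,Open,2024-05-01,,Quarterly,,,
EXC-006,COR-009,Critical,Mitigate,Open,2024-04-15,2024-07-15,Monthly,,TICKET-1042,EXC-001
EXC-003,COR-008,Medium,Accept,Open,2024-03-02,2024-09-02,Quarterly,RA-007,TICKET-1150,
"""


def parse_date(text):
    """Return a date for a YYYY-MM-DD string, or None when blank or malformed."""
    try:
        return datetime.strptime((text or "").strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def load_log(text):
    """Parse a CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def cell(row, name):
    """Trimmed cell value; a missing column reads as empty."""
    return (row.get(name) or "").strip()


def check_log(rows, today):
    """Return sorted (Exception ID, finding) pairs for rows that break the rules."""
    findings = set()
    id_counts = Counter(cell(r, "Exception ID") for r in rows)
    renewed = {cell(r, "Renews") for r in rows if cell(r, "Renews")}

    for r in rows:
        eid = cell(r, "Exception ID")
        is_open = cell(r, "Status") == "Open"
        end = parse_date(cell(r, "End Date"))  # malformed counts as missing

        if id_counts[eid] > 1:  # an ID is never reused within the period
            findings.add((eid, "DUPLICATE_ID"))
        if parse_date(cell(r, "Start Date")) is None:
            findings.add((eid, "BAD_START_DATE"))
        if is_open and end is None:  # End Date is required while Open
            findings.add((eid, "OPEN_WITHOUT_END_DATE"))
        elif is_open and end < today and eid not in renewed:
            findings.add((eid, "EXPIRED_OPEN_NO_RENEWAL"))
        if cell(r, "Treatment") == "Accept" and not cell(r, "COR-014 Ref"):
            findings.add((eid, "MISSING_COR014_REF"))
        if is_open and not cell(r, "Evidence Link"):
            findings.add((eid, "MISSING_EVIDENCE_LINK"))
        if cell(r, "Severity") == "Critical" and cell(r, "Review Freq") != "Monthly":
            findings.add((eid, "CRITICAL_NOT_MONTHLY"))
    return sorted(findings)


def run_sample(today_text="2024-06-01"):
    """Run the checks over SAMPLE_LOG as of the given YYYY-MM-DD date."""
    return check_log(load_log(SAMPLE_LOG), parse_date(today_text))


if __name__ == "__main__":
    for eid, finding in run_sample():
        print(f"{eid}: {finding}")
```

Run it against a real export before fieldwork with today's date; the expiry check is date-relative, so a row that passes in June (EXC-001, renewed by EXC-006) can fail in August when the renewal row itself expires. Findings are keyed by Exception ID so the same ID appearing twice produces one DUPLICATE_ID line, not two.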

Evidence

Where to Store It

  • Store the completed file in your compliance evidence folder (signed PDF for policies).
  • Register the document in COR-013 with version, owner, and next review date.
  • Link the file from your evidence index or SOC-005 project plan when you use Phase 3 trackers.

Next Steps

After customizing Policy Exception Log:

  1. Complete the file: finish every section or tab in COR-015.
  2. Register: add version and owner to COR-013.
  3. Operationalize: train the owners listed in the document.
  4. Evidence: keep exports auditors can sample during fieldwork.