History
- Priority
- must
- Nov 2018
- Removed
- Removed due to a change from a compliance culture to a risk management culture.
- 2017
- System owners seeking approval for non-compliance with any control must document:
  - the justification for non-compliance
  - a security risk assessment
  - the alternative mitigation measures to be implemented, if any.
- 2015
- System owners seeking approval for non–compliance with any control must document:
  - the justification for non–compliance
  - a security risk assessment
  - the alternative mitigation measures to be implemented, if any.
- 2010
- System owners seeking a dispensation for non-compliance with any control must document:
  - the reasons for non-compliance
  - the alternative mitigation measures to be implemented
  - an assessment of the residual security risks
  - a date by which to review the decision.