AccountMade

Traceable-Answer Reference  /  Governance, Risk and Compliance

GRC-04Policy Exception Process

Follow an approved governance exception process whenever a deviation from established policy occurs.

Every framework that asks this

Answer GRC-04 once and it typically satisfies the equivalent control elsewhere. Altitude and confidence vary — a domain-level anchor is a starting point to verify, not an audited equivalence.

FrameworkEquivalent control(s)Confidence
ISO 27001A.5.1medium
NIST CSF 2.0GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01 (domain-level)high
NIST 800-53PM-1, PM-9, RA-1, RA-3, CA-1 (domain-level)high
SIGArtificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance (domain-level)medium

Full provenance and NIST 800-53 mappings: the framework crosswalk.

What the reviewer is really checking

The reviewer is establishing that security has an owner, a mandate, and a repeatable process — the difference between a program and good intentions. They want to see approved, dated policies that are reviewed on a schedule (typically at least annually), a named security function or leader with real authority, and a risk-assessment cadence that produces tracked, prioritized, and remediated findings. Underneath sits the buyer's structural concern: if security depends on one heroic engineer's memory, it disappears when that person is busy or leaves, and it cannot scale to protect the buyer's data over a multi-year relationship. Reviewers read GRC answers as the load-bearing floor for every other domain — if governance is weak, they discount your IAM, DSP, and IVS claims because there is no mechanism ensuring those controls are maintained. They are also checking that your framework claims are backed by governance, not just aspiration: an in-progress certification, a stale 2021 policy, or 'the CTO handles security' all signal that controls exist by luck rather than by design. The real question is: 'Who is accountable here, how do they know what their top risks are, and what happens to a risk once it is found?'

What a truthful, defensible answer contains

A defensible GRC answer describes governance you can evidence. It names the accountable owner or function for security (a role and its reporting line, not just a person), and states the mandate — who approves policy, who signs off on risk acceptance. It points to a policy set that is approved, dated, version-controlled, and on a review cycle, and it is honest about which policies exist versus which are drafts. It describes the risk-assessment process concretely: how often it runs, what it covers, how findings are scored, where they are tracked, and how remediation and residual-risk acceptance are recorded. For compliance and framework claims, it states current status precisely — certified with a date and scope, in-audit, or self-assessed — without inflating an in-progress effort into a completed one. A strong answer distinguishes what is fully operational from what is maturing, because a reviewer trusts a vendor who scopes its own maturity honestly far more than one claiming uniform excellence. Every governance claim should be one a reviewer could confirm by asking for the policy register, the risk log, or the audit report behind it. If security ownership is genuinely thin, the credible move is to describe the real structure and its compensating rigor, not to invent a function.

Make it traceable

Tie each governance claim to the artifact that proves it lives. A policy claim points to the policy register showing owner, approval date, and next-review date — not just the policy's existence. An ownership claim points to the org chart or charter naming the security function and its authority. A risk-cadence claim points to the risk register with dated entries, scores, and remediation status, plus the most recent assessment output. Compliance claims point to the certificate, attestation letter, or audit report with its scope and date. This is Promise–Proof at the governance layer: the sentence you write in the questionnaire and the register or report a reviewer inspects are the same fact, so 'reviewed annually' resolves to a review date a reviewer can read. When a policy is re-approved or a risk is closed, the answer should refresh from that record rather than asserting a cadence no log supports.

Answer patterns that hold up

  • Name the accountable security owner as a role and reporting line with its policy-approval and risk-acceptance mandate — not merely a person's name.
  • Reference a policy set by its register (owner, approval date, review cadence), being explicit about which policies are approved versus draft.
  • Describe the risk assessment as a cadence with tracking: frequency, scope, scoring, register location, and how remediation/acceptance is recorded.
  • State compliance/framework status precisely — certified (date + scope), in-audit, or self-assessed — without inflating in-progress work.
  • Separate what is fully operational from what is maturing rather than claiming uniform coverage.

Evidence that backs the answer

Policy register listing owner, approval date, and next-review date per policySecurity org chart or program charter defining the accountable function and authorityRisk register with dated, scored findings and remediation/acceptance statusMost recent risk-assessment report or outputSOC 2 report, ISO 27001 certificate, or equivalent attestation with scope and dateEvidence of leadership/management review of security (meeting minutes or sign-off)

Red flags reviewers catch

  • 'The CTO handles security' with no defined function, mandate, or backup.
  • Policies attached that carry a review date two or more years old, or none at all.
  • 'We follow ISO 27001 / SOC 2' with no certificate, report, or stated audit status.
  • A risk process described in the abstract with no register, cadence, or example finding.
  • Uniform 'yes' answers across every control with no acknowledgment of any gap or maturing area.

Other Governance, Risk and Compliance controls

FAQ

What is a buyer really asking with GRC-04?

The reviewer is establishing that security has an owner, a mandate, and a repeatable process — the difference between a program and good intentions. They want to see approved, dated policies that are reviewed on a schedule (typically at least annually), a named security function or leader with real authority, and a risk-assessment cadence that produces tracked, prioritized, and remediated findings. Underneath sits the buyer's structural concern: if security depends on one heroic engineer's memory, it disappears when that person is busy or leaves, and it cannot scale to protect the buyer's data over a multi-year relationship. Reviewers read GRC answers as the load-bearing floor for every other domain — if governance is weak, they discount your IAM, DSP, and IVS claims because there is no mechanism ensuring those controls are maintained. They are also checking that your framework claims are backed by governance, not just aspiration: an in-progress certification, a stale 2021 policy, or 'the CTO handles security' all signal that controls exist by luck rather than by design. The real question is: 'Who is accountable here, how do they know what their top risks are, and what happens to a risk once it is found?'

What does a defensible answer to GRC-04 need?

A defensible GRC answer describes governance you can evidence. It names the accountable owner or function for security (a role and its reporting line, not just a person), and states the mandate — who approves policy, who signs off on risk acceptance. It points to a policy set that is approved, dated, version-controlled, and on a review cycle, and it is honest about which policies exist versus which are drafts. It describes the risk-assessment process concretely: how often it runs, what it covers, how findings are scored, where they are tracked, and how remediation and residual-risk acceptance are recorded. For compliance and framework claims, it states current status precisely — certified with a date and scope, in-audit, or self-assessed — without inflating an in-progress effort into a completed one. A strong answer distinguishes what is fully operational from what is maturing, because a reviewer trusts a vendor who scopes its own maturity honestly far more than one claiming uniform excellence. Every governance claim should be one a reviewer could confirm by asking for the policy register, the risk log, or the audit report behind it. If security ownership is genuinely thin, the credible move is to describe the real structure and its compensating rigor, not to invent a function.

Which other frameworks does GRC-04 cover?

Answering GRC-04 typically covers ISO 27001 (A.5.1); NIST CSF 2.0 (GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01); NIST 800-53 (PM-1, PM-9, RA-1, RA-3, CA-1); SIG (Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance). Confidence and altitude vary per mapping — see the equivalents table.

Answer every buyer from one governed source.