On this page💼 9 Policy framework - Exemption handling ID: /frameworks/apra-cpg-234/09 Description​ Empty... Similar​ Internal ID: dec-b-79ceffa2 Sub Sections​ SectionSub SectionsInternal RulesPoliciesFlagsCompliance💼 23 An APRA-regulated entity could consider implementing processes that ensure compliance with its information security policy framework and regulatory requirements. This could include an exemption policy defining registration, authorisation and duration requirements. Exemptions are typically administered using a register detailing nature, rationale and expiry date. APRA envisages that an entity would review and assess the adequacy of compensating controls both initially and on an ongoing basisno data💼 24 Information assets that existed prior to an APRA-regulated entity’s current information security policy framework might not comply with the current framework’s requirements. In such instances, the regulated entity would typically raise an exemption and formulate a strategy for either replacing affected information assets or implementing appropriate compensating controls.no data