Expert Advice Community


Deviations and exceptions in the Information security policy

Guest user Created:   Jun 29, 2016 Last commented:   Jun 29, 2016


When the company defined an Information Security Policy, what could be considered exceptions to this policy? The question is related to point 5.1 of ISO 27002, "Processes for handling deviations and exceptions". How can we identify these deviations?

Expert
Dejan Kosutic Jun 29, 2016

Answer:

First of all, the recommendations from ISO 27002 are not mandatory, so you do not have to write everything that is written in this standard; on the other hand ISO 27001 does not require you to define deviations and exceptions. See also this article: ISO 27001 vs ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

ISO 27002 is not quite clear on what it means by deviations and exceptions; generally, deviations could mean that you have to set a process of responding to nonconformities that will occur - e.g. what to do if someone is not complying with policies and procedures. Exceptions could mean defining the situations in which the regular rules are not applicable - e.g. in case of a disruptive incident (for instance, large earthquake), the physical access controls will not be applied.

See also this article: What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/

This online course will help you learn about writing information security policies and procedures: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
