Performing of information security measures is one of mandatory measures for all of enterprises, incl. Japanese government. Those measures have been designed from historical security incidents. On the other hand, those cannot cover unexpected incidents and new requirements. Therefore, some of enterprises have performed "exceptional rule for exceptional case". Nowadays, scope of escape from rigid measure might be dependent on individual organizational matters. In addition, it is unclear that those rules have been written based on proper recognition on security risk under unexpected situation. For exceptional rules, it is required to clearly judge the allowable range for deviation from policy and to formulate it together with periodic review of policy. This study surveys and analyzes present situation of "exceptional rules" and application of the rules, and the benefit from the viewpoint of organizational governance.