FYI - in some organisations, one can file for a formal exception to the process. Theoretically, as long as the process for gaining exceptions is documented, and the formal exception itself is in writing (even if that is an email, if allowed by the process), you can get the exception and still claim full ISO9000 compliance. Back to reality, and we find that politics can easily despoil this utopia of ISO9000 compliance. (Well, as utopic as ISO9000 can be ;->)
Short version: I'd look for a formal exception if possible. Of course, you may have already pursued this course, in which case I point it out solely for posterity in case someone else happens upon this thread in the same situation.
(PS - The last time I saw "security" and "IIS" in the same sentence was in a MS advertisement, so I already guessed the OP was incorrect in their guess ;-})