A compensating control is an alternative safeguard used to reduce risk when the preferred or standard control cannot be implemented directly. It matters because real environments often have legacy, cost, or operational constraints.
What is a Compensating Control?
A compensating control provides risk reduction through a different mechanism than the original required control. It is not just a workaround; it should meaningfully address the same security concern in a defensible way.
What Compensating Controls Commonly Address
Common scenarios include legacy systems, unsupported platforms, temporary architecture limits, delayed modernization, and compliance cases where the default requirement is not technically feasible.
Compensating Control vs. Exception
A compensating control reduces risk through an alternate measure. An exception may simply acknowledge the risk without adding equivalent protection.
Frequently Asked Questions
Why are compensating controls used?
Because organizations often need practical risk reduction when the ideal control is unavailable or delayed.
Are compensating controls permanent?
Sometimes, but many should be treated as interim measures until stronger primary controls become feasible.