Compensating Controls
What are Compensating Controls?
Compensating Controls: Alternative safeguards that provide an equivalent level of protection when a primary or required control cannot be implemented.
Compensating controls are introduced when an organization cannot meet a specific security requirement with the prescribed control, but achieves the same risk-reduction outcome through a different mechanism. They are explicitly recognized in frameworks such as PCI DSS, ISO/IEC 27001 and NIST, and must be documented, risk-assessed and periodically reviewed. Common examples include strict network segmentation around an unpatchable legacy system or enhanced monitoring where multi-factor authentication is not yet feasible. Effective compensating controls are auditable, demonstrably equivalent to the original requirement, and time-bound while the underlying gap is remediated.
● Examples
- 01: Wrapping a legacy industrial controller in a dedicated VLAN with strict ACLs because firmware patching is impossible.
- 02: Using enhanced log review for a database that does not support native encryption-at-rest.
● Frequently asked questions
What are Compensating Controls?
Alternative safeguards that provide an equivalent level of protection when a primary or required control cannot be implemented. It belongs to the Defense & Operations category of cybersecurity.
What does the term Compensating Controls mean?
Alternative safeguards that provide an equivalent level of protection when a primary or required control cannot be implemented.
What are other names for Compensating Controls?
Common alternative names include compensating safeguards and alternate controls.