Compensating controls are alternative safeguards put in place when an organization cannot implement a prescribed security control. Industry guidance such as NIST SP 800-53 and PCI DSS Appendix B states that these alternatives must provide equivalent or comparable protection and meet the intent and rigor of the original requirement. They are not inherently weaker, they are not restricted to legacy systems, and they are not deployed alongside the original control; they stand in for it when it cannot be implemented, while still mitigating the risk to an acceptable level.