Steps taken by an organization to comply with legal requirements without implementing any security measures.

Regular procedures that reduce the likelihood of a vulnerability being exploited without considering the existing regulatory standards.

Alternative security measures implemented when an organization cannot meet a standard security control due to specific constraints, and still needs to maintain required security levels.

The documentation required to prove an organization is following standardized compliance requirements.