Compensating Control
A compensating control provides alternative protection when a primary control can’t be used.
Updated: 2026-03-06
Definition
When a required security control is not feasible (for example, because of legacy systems or other constraints), compensating controls reduce the risk in other ways.
Examples: stronger monitoring, segmentation, and stricter access controls.
Key points
- Alternative control to reduce risk
- Common in compliance contexts
- Should be documented and monitored
Common mistakes
- Calling weak controls compensating controls without measuring risk reduction.
- Keeping no documentation or audit trail explaining why the compensating control is needed.