In order to be considered a compensating control, which of the following must exist:


For a control to be accepted as a compensating control, a legitimate technical constraint or a documented business constraint must exist. The organization must be unable to meet the stated requirement as written because of a specific limitation, for example technology that cannot support the required control, or a business process that prevents its implementation. The constraint itself has to be documented; "we chose not to" is not a constraint.

In such cases, the compensating control is intended to mitigate the same risk by an alternative means while still meeting the intent and rigor of the original requirement and providing a similar level of defense. The existence of the constraint is what justifies accepting an alternate method of compliance in place of the control the requirement actually specifies.

Without a legitimate constraint there is nothing to compensate for, and the control cannot be justified as necessary or appropriate; an assessor should expect to see the documented business or technical constraint before evaluating the control itself, because it is the rationale for selecting and implementing a different control measure.
