Which statement is true regarding the use of compensating controls?


The rationale for choosing that statement as true lies in the purpose and function of compensating controls within a security compliance framework, particularly PCI DSS. Compensating controls are alternative measures that an organization implements to meet the requirements of primary controls when those primary controls are not feasible or practical.

It is essential that these compensating controls are assessed, maintained, and effectively managed after they are implemented. This ensures that they remain functional and continue to mitigate risk adequately over time. Simply having such controls in place without ongoing assessment would undermine their effectiveness and could expose the organization to unaddressed vulnerabilities.

The other options do not accurately reflect the role and importance of compensating controls within a security compliance program. Stating that they are optional implies that they need no assessment or oversight, which contradicts the fundamental principle of maintaining security efficacy. While compensating controls do provide alternatives, they are not a substitute that eliminates the need for primary controls entirely, as another option suggests. Lastly, merely documenting controls without implementing them serves little purpose in a risk mitigation strategy and leaves the system vulnerable.
