The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 67

Residual Risk Isn't “Compensated For”


In common use, we talk about compensating for something as a way to imply that the original would have been better, but for whatever reason, we are settling for less. You compensate for the absence of a key team member by letting others substitute for them, knowing that your team just won't be as strong or the results as good. That's not what compensating means when talking about security and risk controls!

For a control to be a compensating control, there is no additional residual risk just because you've replaced the originally required control approach with something different. And if there is a residual risk, then your compensating control is not the right choice.
