Question 12
During a third-party risk audit, you notice compensating controls were used instead of the original recommended control. What makes this acceptable?
A. It is documented in the third-party’s annual report
B. It was approved by the project manager
C. It meets the intent and rigor of the original control
D. It reduces cost compared to the original control
Answer: C. It meets the intent and rigor of the original control
Compensating controls are only valid if they provide equivalent protection in scope and strength to the original.