Glossary

Compensating Control


A compensating control is an alternative security measure used in place of a standard control when the standard control is not feasible for technical, economic, or organizational reasons (for example, a legacy system that cannot be patched, or a control whose cost is out of proportion to the asset it protects). It must address the same risk and provide comparable protection. In your ISMS, you document compensating controls in the Statement of Applicability (SoA) with a rationale explaining why the standard control is not applicable and how the alternative reduces the risk to an acceptable level; the rationale should name the threat being mitigated, how the control's effectiveness is verified, and what residual risk remains. Auditors scrutinize whether a compensating control is truly equivalent rather than merely plausible, so vague justifications are a common finding. Review compensating controls regularly: technological developments may make the original standard control feasible after all, and an exception that is never revisited becomes a permanent weakness.