Feature - Mitigation treatment: add and/or for two or more treatment options

It would be great if I can configure at least 1 Internal Controls or 1 Security Policy must be in place to consider a risk as treated. By adding the and/or feature everybody can choose it’s own best-practice.

you mean 1 as a condition based on a number ? because at least one could be mapped to “mandatory” on those fields.

I hadn’t thought of it that way :wink: but I meant that at least a Internal Control or Security Policy must be in place.