We have a small number of risks which are mitigated only by policy and procedure.
When “mitigate” is selected as the Risk Treatment method the Compensating Controls field becomes mandatory.
This means in order to successfully mitigate the risk (as Eramba sees it) I must make certain policies and procedures both Security Policies and Security Services.
Is this normal practice in these circumstances or am I missing something?