Security profiles (EVL) \ EVL – Compensating controls

The purpose, that is the security objective, of a control may be achieved by means other than those stated in PILAR. The PCI DSS standard has the notion of "compensating controls", described as

"Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of compensating controls."

The core concept is that the purpose of the control is achieved by alternative means.

In PILAR, the user has the option to disconnect a control from its children. Right-click on the control for which you plan a compensating approach and describe it:


The selected control is marked as "compensated" and can then be selected and evaluated independently of its children.

Note that the risk analysis using PILAR safeguards still applies: it is what evaluates the residual risk achieved by the protection system actually in place, regardless of how the control is assessed in the security profile.
