For Vivek Madan, CISSP, CCSP, what began as a focused cybersecurity initiative became swamped with overlapping standards and duplicated controls. He explains how his team overcame this to turn compliance into a business enabler.

Vivek Madan, CISSP, CCSP

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

One of my earliest challenges in my current role was managing the growing flood of compliance demands. A customer asked for SOC 2. Another required HIPAA. Government clients wanted ISMAP in Japan, ACN in Italy, or DISP in Australia. What began as a focused cybersecurity initiative quickly turned into an avalanche of overlapping standards, duplicated controls and teams stretched thin.

I’ve seen how easily compliance can spiral into chaos – both inside my own organization and when working with customers. That experience shaped my belief that, when structured well, compliance isn’t just bureaucracy but rather how organizations build trust and resilience. The model we’ve developed to help us turn compliance from a burden into a business enabler is what I call the 50-35-15 rule.

Order to Chaos

To bring order to the chaos, we devised a straightforward rule that we now apply across the program: the 50-35-15 rule. It divides controls into three categories: organizational, team-level and product-specific:

  • Organizational Controls: These are organization-wide measures that remain consistent across all teams and products. Think of policies, endpoint security controls, encryption standards, or onboarding/offboarding processes. Once validated, these controls can be reused across multiple frameworks, saving enormous time and effort.
  • Team-Level Controls: These sit at the department or functional level. They use consistent language but require execution across multiple teams, such as access reviews, data-at-rest encryption, or disaster recovery drills. By standardizing how these controls are defined and tested, we promoted accountability and consistency without reinventing the wheel every time.
  • Product-Specific Controls: These represent the smallest share of controls but are often the most resource-intensive, because they are tailored to individual products or services. They could include data residency requirements or localized security features demanded by a particular regulator or customer. Although they require customization, these controls ensure precise alignment with a specific framework or market need.

As the name of our rule suggests, we allocate resources to these three categories in the proportions 50%, 35% and 15% respectively. By classifying controls and applying resources this way, organizations can focus on what scales, reduce duplication and invest energy where customization truly matters.

Lessons Learned During Development

What surprised me most was how much we could achieve through reusability. For example, once we gained approval for our baseline encryption policies covering areas like key management, data-at-rest protections and TLS enforcement, we didn’t have to reinvent them for each standard. The same set of policies directly satisfied control requirements across different frameworks, including SOC 2, HIPAA, ISO 27001, and NIST 800-53. Instead of duplicating effort, we were able to ‘plug in’ the approved controls as evidence, reducing overlap, speeding up audits and freeing our team to focus on framework-specific nuances.

Where we stumbled early on was relying too heavily on spreadsheets that ‘mapped’ frameworks on paper. While these looked impressive, they didn’t translate into action. One immediate lesson to share is that, unless controls are operationalized with tasks, owners and evidence repositories, the program will collapse under its own weight.

While product-specific controls were the hardest to scale, the 50-35-15 model succeeded in ensuring that they got the right level of attention without distracting teams from foundational work.

Operationalizing the Rule

Any framework only works if it’s brought to life. For this rule, that quickly proved to mean translating controls into defined tasks with clear owners across the three layers (organizational, team and product).

It was at the organizational level (50%) that we saw the biggest efficiency gains. We implemented policies, background checks, user training and endpoint standards once, then reused them across audits; because these controls were global, they didn’t need new tasks or owners each time. By centralizing them we eliminated duplication, as a single policy could serve dozens of frameworks.

At the team level (35%), our work became more hands-on. Controls such as quarterly access reviews or encryption of data at rest were consistent, but every department still had to execute them. Initially, each team defined “evidence” differently, and this created confusion; the fix was to build standard templates. Now, whether DevOps or Engineering runs a review, the language, format and output all line up. This shift alone cut repeat auditor questions and reduced duplication across teams.

At the product level (15%), customization is unavoidable. For example, when launching services in Japan, ISMAP required new evidence workflows for data residency. These couldn’t be reused – but, because the other 85% of controls were already standardized, teams could focus fully on these critical requirements. Assigning new owners when needed kept lines of accountability clear.

Why it Matters

In retrospect, what made our model successful wasn’t just the percentages, but the alignment of each type of control with the right level of action. Centralized policies cut duplication, standardized tasks improved consistency and isolating product-specific work ensured teams focused on what truly mattered.

This is important because compliance isn’t about passing audits but about earning trust. Just as the FDA once restored public trust in food safety, today’s compliance frameworks are about proving security, integrity and accountability in the digital era.

We proved that scaling compliance doesn’t have to mean drowning in checklists. By applying the 50-35-15 rule, operationalizing it with clear ownership and embracing automation where possible, organizations can move from reactive compliance to proactive risk alignment. We turned compliance chaos into clarity, and the same approach shows how any organization can transform compliance into a true competitive advantage.

Vivek Madan, CISSP, CCSP, has 16+ years of experience in cybersecurity, compliance, governance, AI risk and cloud security. He has held management and leadership roles, with responsibility for building ISMS, leading audits, vendor risk and compliance automation. His cybersecurity work spans global compliance frameworks, AI governance, risk strategy and digital trust.
