Your controls are the safeguards that ensure your data is protected

How do you know your controls meet the GDPR’s TOMs (technical and organisational measures) requirements?

The law requires organisations to consider the nature, scope and context of the processing and the available technology and the risks to individuals.

Our skilled and experienced auditors will review your technical and organisational measures to ensure that your controls are appropriate.

Discover more about our technical and organisational measures audit below

Technical and organisational measures audit

How a Technical and Organisational Measures Audit works

Focus 1:

Your auditor will evaluate the effectiveness of your organisation’s technical and organisational measures (TOMs), focusing on the following:

  • Technical measures being applied
  • Policies, processes and procedures
  • Staff training programme/s
  • The application of privacy by design

Focus 2:

Your auditor will also assess your technical and organisational measures against our state-of-the-art assessment and evaluation framework, derived from relevant international standards:

  • ISO 27001, the standard for information security management systems
  • ISO 27701, the standard for privacy information management systems
  • Cyber Essentials

What to expect

Your auditor will typically take three days to complete the audit. This will be a combination of interviews with key individuals, documentation reviews and sample checking.

You will receive a detailed audit report giving an assurance rating for each area and an executive summary that can be provided to your board. We aim to provide written reports within ten working days of the audit commencing.

The report will explain the areas of weakness and of most significant risk, and identify areas of good practice. Prioritised recommendations will be highlighted to help you develop an action plan to address those weaknesses and risks.

Our data protection and information security consultants can work with you to address any areas of non-compliance that we identify. Our audit and consultancy teams are kept strictly independent to allow DQM GRC to give our customers the best service.

Bespoke solutions

Make it your own

We can tailor your audit to your specific needs and requirements. Examples include:

  • Auditing against specific standards relevant to specific types of activity, such as NIST or ENISA standards for Cloud computing or the Internet of Things;
  • Auditing compliance with your existing policies and standards;
  • Auditing compliance with technical regulator guidance, such as CNIL or European Data Protection Board guidance; and
  • Any other specific audit requirements – just ask!

Contact us