Your controls are the safeguards that ensure your data is protected

TOMs (technical and organisational measures) refer to the security measures, policies and procedures implemented by an organisation to safeguard personal data. Under the GDPR (General Data Protection Regulation), there are specific requirements for these controls, but how do you know your controls meet the GDPR’s TOMs requirements?

The GDPR (Article 32) requires organisations to take into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity to the rights and freedoms of individuals when deciding what measures are appropriate.

Our TOMs Audit service offers a comprehensive assessment of your technical and organisational measures. We evaluate your data protection controls, security protocols, access management, data storage practices and incident response procedures.

Our auditors work closely with your organisation to identify any vulnerabilities or gaps in your existing measures and provide recommendations to improve your data protection framework. We help you align your practices with industry best practices and relevant regulatory requirements, such as the GDPR and other applicable data protection laws.

Organisations that engage our TOMs Audit can gain valuable insights into their data protection posture and improve their overall security and compliance. By addressing any identified weaknesses or deficiencies, organisations can enhance data security, protect sensitive information and demonstrate their commitment to data protection.

Technical and organisational measures audit

How a Technical and Organisational Measures Audit works

Focus 1:

Your auditor will evaluate the effectiveness of your organisation’s TOMs, focusing on the following:

  • Technical measures being applied;
  • Policies, processes and procedures;
  • Staff training programme(s); and
  • The application of privacy by design.

Focus 2:

Your auditor will also assess your TOMs against our state-of-the-art assessment and evaluation framework, which is derived from relevant international standards and frameworks:

  • ISO 27001, the standard for information security management systems;
  • ISO 27701, the standard for privacy information management systems; and
  • Cyber Essentials.

What to expect

Your auditor will typically take three days to complete the audit. This will be a combination of interviews with key individuals, documentation reviews and sample checking.

You will receive a detailed audit report giving an assurance rating for each area and an executive summary that can be provided to your board. We aim to provide written reports within ten working days of the audit commencing.

The report will explain areas of weakness and most significant risk, and identify areas of good practice. Prioritised recommendations will be highlighted to help you develop an action plan to address weaknesses and risks.

Our data protection and information security consultants can work with you to address any areas of non-compliance that we identify. Our audit and consultancy teams are kept strictly independent of each other, which allows DQM GRC to give our customers the best service.

Bespoke solutions

Make it your own

We can tailor your audit to your specific needs and requirements. Examples include:

  • Auditing against specific standards relevant to specific types of activity, such as NIST or ENISA for Cloud computing or the Internet of Things;
  • Auditing compliance with your existing policies and standards;
  • Auditing compliance with technical regulator guidance, such as from CNIL or the European Data Protection Board; and
  • Any other specific audit requirements – just ask!
