Your controls are the safeguards that ensure your data is protected

The GDPR requires organisations to implement “appropriate” technical and organisational measures - but how do you know your controls are "appropriate"?

The law requires organisations to consider the nature, scope and context of the processing as well as the state of the art and the risks to individuals.

Our skilled and experienced auditors will review your technical and organisational measures against our proprietary audit framework derived from relevant international standards to assure you that your controls are appropriate

Discover more about our technical and organisational measures audit below 
Technical and organisational measures audit

How a Technical and Organisational Measures Audit works

Focus 1:

Your auditor will assess your organisation’s technical and organisational measures against data protection and information security practices focusing on the following:

Technical measures being applied


Policies, processes and procedures



Staff training programme/s


The application of privacy by design

Focus 2:

Your auditor will also assess your technical and organisational measures against our proprietary assessment framework derived from relevant international standards:

ISO 27001, the standard for information security management systems



ISO 27701, the standard for privacy information management systems


Cyber Essentials

What to expect

Your auditor will typically take three days to complete the audit. This will be a combination of interviews with key individuals, reviews of documentation and sample checking.

You will receive a detailed audit report providing an assurance rating for each area, in addition to an executive summary that can be provided to your board. We aim to provide written reports to you within 10 working days of the audit commencing.

The report will explain areas of weakness and greatest risk, and identify areas of good practice. Prioritised recommendations will be highlighted to help you develop an action plan to address weaknesses and risks.

Our data protection and information security consultants can work with you to address any areas of non-compliance that we identify. We maintain strict Chinese walls between our audit and consultancy teams.

Bespoke solutions

Make it your own

We can tailor your technical and organisational measure audit to your specific needs and requirements. Examples include:

  • Auditing against specific standards relevant to particular types of activity, such as NIST or ENISA standards for cloud computing or Internet of Things
  • Auditing compliance with your existing policies and standards
  • Auditing compliance with technical regulator guidance, such as CNIL or European Data Protection Board guidance
  • ​Any other specific audit requirements – just ask!

contact us