Controls & Technical and Organizational Measures (TOMs)
The Controls & TOMs module is where your organisation keeps its complete inventory of data protection safeguards. A TOM (Technical and Organisational Measure) can be anything from AES-256 encryption on a customer database to a mandatory staff training programme on data handling. Under GDPR Article 32 — and equivalent privacy regulations — you must be able to demonstrate not only that appropriate measures exist, but that they are actively maintained and periodically reviewed. This screen is where that evidence lives. DPOs and compliance managers typically build this register during an initial data-mapping exercise; risk managers and IT administrators return to it whenever assets, risks, or processing activities change; and auditors rely on it to verify control coverage before external assessments.
How to open it
Navigate to Controls in the left sidebar, then click Controls & TOMs. The module opens at /toms.
You need at least the read permission for Controls & TOMs to see the menu entry at all. Users who can only view records assigned to them will see the same screen but with a narrower set of records. Users without any read permission are redirected to an access-denied page and the menu entry is hidden entirely.
What you see
The screen opens on a full-width list view. Across the top of the list card you will find a row of status filter tabs — All, Active, Draft, Inactive, and Review — that let you narrow the list instantly without typing a search query. To the right of those tabs sit the Create button and, if your permissions allow it, small JSON and XLSX export buttons.
Below that, the main table lists every TOM in the system with columns for Name, Type, Domain, Standard, and Maturity. You can sort by Name. Hovering over any row reveals a three-dot action menu on the right edge of that row.
When you click a row, the detail view opens. The detail view is split into two areas: a narrow left-side Element Menu listing all the tabs available for this TOM, and a wide main content area on the right. A sticky bar at the top of the main area always shows you the TOM's responsible person and current status, no matter how far down the page you scroll.
Working with this screen
Creating a new TOM for the first time
When you are ready to register a new control — say, an encryption measure you have just implemented — go to the TOMs index and click Create. A small dropdown opens; select Create TOM. The creation form loads.
At the top of the form you can immediately set the Status (for example, Active if the measure is already in place, or Draft if you are still documenting it) and assign a Responsible Person — the colleague accountable for keeping this control current.
Work through the fields below. The only required field is Name, but filling in as many fields as possible will make the register far more useful for auditing and reporting:
- Give the TOM a clear, descriptive name such as "Encryption at rest – Customer database".
- Choose Type — either Technical Measure or Organisational Measure — to help with filtering and reporting.
- Select a Domain such as Confidentiality, Integrity, or Availability to place the control in the right security category.
- Pick the Standard it aligns with (ISO 27001, NIST, SOC 2, etc.) so auditors can map it to their framework.
- Add one or more Classification tags (such as "Encryption" or "Access Control"). If a tag does not yet exist, just type it and press Enter to create it on the fly — it will then be available on all future TOMs.
- Write a detailed Description explaining what the measure does and how it is implemented. This becomes your primary evidence text.
When you are satisfied, click Save at the top of the form. DPMS creates the TOM, immediately updates the TOM selection lists used in the Asset Register, Risk Scenarios, and every other module that links to controls, and drops you into the new TOM's detail view on the General tab.
Updating an existing TOM's details
Open the TOM from the list by clicking its row. On the General tab, you will see the TOM's fields displayed in a clean two-column read-only grid. To make changes, click the Edit button in the top-right corner of that card. The edit form opens with the same fields as the creation form; change what you need and click Save.
For a quick fix — for example, correcting a typo in a long description — you do not need to go through the full edit form. If you have edit rights, simply click directly on the description text in the General tab. It switches into a rich-text inline editor. Make your change and save it. The update is applied immediately without leaving the page.
To change the responsible person or status, use the sticky header bar at the top of the detail view — you do not need to open the edit form for those. Click the responsible person field to open a people picker, or click the coloured status badge to open the status dropdown. Both save immediately when you make a selection.
Running a periodic review of a TOM
A typical quarterly review workflow looks like this:
- On the TOMs index, click the Review status tab. The table now shows only TOMs currently flagged for review — the ones your team has moved into that state when their review cycle was due.
- Click the first TOM in the list. Use the › (next record) chevron in the breadcrumb bar to step through the review list in order without returning to the index each time.
- On each TOM, check the General tab for accuracy. Use the Edit button if content needs updating. Check the Documents tab to confirm that supporting policies are still attached. Open the Relevant Risk Scenarios tab to verify that the TOM still covers the right threats.
- Once you are satisfied, click the status badge in the sticky header and switch the status from Review back to Active. DPMS records the change immediately.
- If your organisation uses structured approval cycles, open the Review & Approvals tab and trigger the appropriate workflow. Completion of that workflow will update the "last reviewed" date shown in the sticky header.
Verifying the change history before an audit
Before an external audit, you may need to demonstrate that your controls have been actively maintained. Open the TOM in question, then click the clock icon in the top-right corner of the detail view. A slide-in panel opens showing the full Activity Log — every field change, status transition, and responsible person update, each with a timestamp and the name of the user who made it.
This gives you an out-of-the-box audit trail without any additional configuration. When you are done, close the panel and, if you need a spreadsheet, return to the index and use the XLSX export button to download the full filtered list.
Importing a batch of TOMs from a file
If you are migrating from another system or receiving a set of pre-defined controls from a parent organisation, you can import TOMs in bulk. On the TOMs index, click Create to open the dropdown, then select Import. Your operating system's file picker opens. Select your .json file and confirm. DPMS imports each record in the file and returns you to the index, where the newly imported TOMs appear — each in Draft status, ready for individual review and activation.
Heads up: DPMS does not deduplicate on import. If your file contains TOMs that already exist in the system, you will end up with duplicates. Always scan the existing list before importing a batch.
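Because DPMS does not deduplicate on import, a short pre-flight check over the file before you select it in the picker saves a clean-up afterwards. The following Python script is an added example, not part of DPMS or of this documentation, and the import file's schema is an assumption: it treats both the JSON export and the import file as a JSON array of objects keyed by the field names in the field reference (name, type, classification, ...). It flags a missing Name, a Type outside the two documented values, names that duplicate an existing TOM or another record in the same file (after folding case, whitespace and dash variants), and classification tags that differ only in spelling, the near-duplicate problem described under Tips & common pitfalls. The sample records are constructed for the example.

```python
import json
import re
import unicodedata

# The two Type values the field reference allows.
ALLOWED_TYPES = {"Technical Measure", "Organisational Measure"}

# Constructed sample data. The JSON shape (a list of objects keyed by the
# field-reference names) is an assumption, not a documented DPMS format.
EXISTING_EXPORT = json.dumps([
    {"name": "Encryption at rest – Customer database",
     "type": "Technical Measure", "classification": ["Encryption"]},
    {"name": "Annual data-handling training",
     "type": "Organisational Measure", "classification": ["HR Controls"]},
])

CANDIDATE_IMPORT = json.dumps([
    {"name": "Encryption at rest - customer database",   # dash/case variant of an existing TOM
     "type": "Technical Measure", "classification": ["Encryption (AES)"]},
    {"name": "Backup restore test",
     "type": "Technical Measure", "classification": ["Availability"]},
    {"name": "", "type": "Technical Measure"},            # missing the only required field
    {"name": "Clean desk policy", "type": "Policy",       # not an allowed Type
     "classification": ["HR controls"]},
    {"name": "Backup restore test",                       # repeated inside the file itself
     "type": "Technical Measure"},
])


def normalise(text):
    """Fold case, Unicode form, dash variants and whitespace so near-identical names collide."""
    s = unicodedata.normalize("NFKC", text).casefold()
    s = re.sub(r"[\u2010-\u2015]", "-", s)      # en/em dashes -> plain hyphen
    return re.sub(r"\s+", " ", s).strip()


def tag_key(tag):
    """Reduce a classification tag to a comparison key ("Encryption (AES)" -> "encryption")."""
    s = re.sub(r"\(.*?\)", "", normalise(tag))  # drop parenthetical qualifiers
    s = re.sub(r"[^a-z0-9 ]", "", s)            # drop punctuation
    return s.strip()


def check_import(existing_json, candidate_json):
    """Return a report with 'errors', 'duplicates' and 'tag_warnings' lists."""
    existing = json.loads(existing_json)
    candidates = json.loads(candidate_json)
    report = {"errors": [], "duplicates": [], "tag_warnings": []}

    # Names already in the register, plus names seen earlier in this file.
    seen = {normalise(t["name"]): f'existing "{t["name"]}"' for t in existing}
    for i, rec in enumerate(candidates):
        name = (rec.get("name") or "").strip()
        if not name:
            report["errors"].append(f"record {i}: Name is required")
            continue
        if rec.get("type") not in ALLOWED_TYPES:
            report["errors"].append(
                f'record {i} ("{name}"): Type must be one of {sorted(ALLOWED_TYPES)}')
        key = normalise(name)
        if key in seen:
            report["duplicates"].append(f'record {i} ("{name}") duplicates {seen[key]}')
        else:
            seen[key] = f'record {i} ("{name}")'

    # Tags are organisation-wide, so compare spellings across existing and new records.
    spellings = {}
    for rec in existing + candidates:
        for tag in rec.get("classification", []):
            spellings.setdefault(tag_key(tag), set()).add(tag)
    for key, variants in sorted(spellings.items()):
        if len(variants) > 1:
            report["tag_warnings"].append(f"tag variants for '{key}': {sorted(variants)}")
    return report


if __name__ == "__main__":
    for section, lines in check_import(EXISTING_EXPORT, CANDIDATE_IMPORT).items():
        print(f"{section}:")
        for line in lines:
            print("  " + line)
```

Run it against your real export and import files by replacing the two constructed JSON strings with the file contents; fix every error and duplicate before importing, and treat tag warnings as a prompt to settle on one spelling, since the tags become organisation-wide as soon as the import lands.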
Field reference
| Field | What to enter | Required? |
|---|---|---|
| Name | A clear, descriptive label for the control measure. Supports multiple languages if your organisation has more than one locale configured. | Yes |
| Type | Technical Measure or Organisational Measure. Use this to separate IT controls from process/policy controls in reports. | No, but recommended |
| Domain | The security domain this measure addresses (e.g. Confidentiality, Integrity, Availability, Physical Security, Access Control). | No, but recommended |
| Standard | The compliance framework this control is aligned with (ISO 27001, NIST, SOC 2, etc.). | No |
| Classification | One or more free-form tags for grouping controls (e.g. "Encryption", "HR Controls"). You can create new tags by typing. Shared across all TOMs in your organisation. | No |
| Description | A detailed explanation of what the measure does and how it is implemented. This is the main evidence text and is inline-editable on the detail view. | No, but strongly recommended |
| Status | The lifecycle stage of the TOM (Active, Draft, Inactive, Review, or a custom status configured by an administrator). Pre-filled with a default value. | A default is pre-filled |
| Responsible Person(s) | The user(s) accountable for this control. Multi-select from your organisation's user directory. | No, but strongly recommended |
How this connects to the rest of DPMS
TOMs sit at the centre of the compliance data model. Almost every other module can link to them:
- Assets — The Asset Register shows which TOMs are implemented on each asset and calculates a maturity score from that linkage. A TOM without linked assets will show no maturity data.
- Risk Scenarios — Each risk scenario can reference the TOMs that mitigate it. This linkage feeds the risk coverage analysis; without it, risk scenarios will appear under-mitigated even if the controls exist.
- ROPA & DPIA — Records of processing activities and data protection impact assessments both have a TOM tab where relevant controls are listed. Linking TOMs here demonstrates that privacy-by-design obligations are met.
- Documents — Attach policy documents and evidence files to the TOM via the Documents tab. These appear directly on the TOM detail page.
- Tasks & Assessments — Follow-up actions and formal assessments can be linked to a TOM to track remediation or compliance checks.
- Vendors & Projects — Controls relevant to third-party processing or specific projects can be linked here for a complete picture.
After finishing your work on a TOM, consider linking it to the relevant assets and risk scenarios straight away — this is the step that actually activates the maturity and risk coverage calculations visible in dashboards and reports.
Tips & common pitfalls
Heads up: A brand-new TOM will always show a blank Maturity column on the index. Maturity is calculated from the assets the TOM is linked to (see "How this connects to the rest of DPMS"), so it stays blank until the TOM is linked to at least one asset; risk coverage, likewise, only appears once the TOM is linked to a risk scenario via the Relevant Risk Scenarios tab.
Tip: Use the status filter tabs on the index during review cycles. Filtering to Review gives you a focused work list, and the › chevron on the detail page lets you move through that list record by record without bouncing back to the index each time.
- Classification tags are organisation-wide. When you create a new tag on the fly during TOM creation, it becomes available on every TOM in the system. Agree on a naming convention with your team upfront to avoid near-duplicates like "Encryption", "Encryption at rest", and "Encryption (AES)".
- Custom statuses may differ between organisations. If a colleague reports not seeing a status you expected (for example, a custom "Pending Certification" status), the explanation is usually that your Compliance Settings → Statuses configuration differs. An administrator can add or adjust statuses there.
- The Activity Log and edit controls are hidden on consulted objects, i.e. records shared into your organisation by a partner organisation. Such a record is read-only: the clock icon and the options menu are intentionally hidden, and changes can only be made by the originating organisation.
- The inline description editor is only available one TOM at a time. There is no bulk-edit facility for the description field. For large-scale content updates, the JSON import/export route is the most efficient path.
- Review & Approvals needs a workflow template to work. If the Review & Approvals tab appears empty when you open it, it means no workflow template has been configured for TOMs yet. An administrator needs to set one up in Compliance Settings before review cycles can be triggered from here.