Edit a TOM
Editing a TOM (Technical and Organisational Measure)
The TOM edit screen is the central workspace for documenting, maintaining, and connecting every security and privacy safeguard your organisation has put in place. Whether you are creating a brand-new control such as "Encryption at Rest" or updating the risk scenarios, assets, and workflows attached to an existing one, this is where it all happens. Data Protection Officers, compliance coordinators, information security managers, and risk managers all use this screen regularly — because without fully configured TOMs, the platform's gap analysis, maturity dashboards, and risk scenario views will be incomplete.
How to open it
- In the main navigation sidebar, click TOMs.
- In the TOM index table, click any row to open the TOM's detail view.
- Click the Edit button (pencil icon) in the top-right header area, or click directly into any section from the left-side menu to jump straight to that tab's edit form.
To create a brand-new TOM, click the Create button in the top-right of the index page and choose Create new from the dropdown menu.
Permissions required: You need at least read access to view the TOM detail screen. To save any changes, you also need edit access. Creating a new TOM requires create access. Triggering a workflow requires a separate workflow permission. If you lack edit access, all controls will appear disabled, and hovering over them shows a "Missing permission" message.
What you see
The screen is divided into two main zones. On the left sits a vertical Element Menu — a clickable list of every section belonging to this TOM: General, Documents, Relevant Risk Scenarios, Assets, ROPA, DPIA, Vendors, Projects, Tasks, Assessments, Workflows, Trigger Workflow, and Manage Access. Clicking any item instantly switches the right-hand area to that section. The currently active section is highlighted, and you can collapse the menu to a narrow icon strip to gain more working space.
Across the top of the right-hand area you will see a breadcrumb row showing: the word "TOMs" (a clickable link back to the full list), the name of the TOM you are editing, and the name of the active tab. Left and right chevron arrows in the breadcrumb let you jump to the previous or next TOM in your current filtered list without returning to the index — useful when you need to work through a batch of controls one by one.
Immediately below the breadcrumbs is a sticky header strip that stays visible as you scroll. This strip shows the responsible person(s), the current status, and the last-updated and last-review dates. On the far right of the strip is a three-dot options menu (for actions like Manage Access and Sharing) and a clock icon for the Activity Log, which opens a slide-out panel showing who changed what and when.
The main content area below changes completely depending on which tab you have selected. For the General tab it shows a form with labelled fields. For relationship tabs such as Documents, Risk Scenarios, and Assets, it shows a searchable table of linked items with an Add button.
Working with this screen
Creating a new TOM or editing the core details
When you first arrive on the edit screen — either via the Create new option or by clicking the edit icon on an existing TOM — you land on the General tab.
- Name — Type a clear, plain-language name for the measure, such as "Pseudonymisation of Customer Data" or "Multi-Factor Authentication Policy". This name appears throughout the platform wherever the TOM is referenced, so make it recognisable. The field supports multiple languages if your organisation uses more than one.
- Type — Select the category of the measure from the dropdown. This helps colleagues filter and report on TOMs by type.
- Classification — Pick one or more classification tags from the multi-select. These tags (for example "Technical", "Organisational", or "ISO 27001") are defined by your compliance administrator under Compliance Settings → Tags. If the list is empty, ask your administrator to create tags of the correct type first.
- Description — Write a clear explanation of what the measure does, how it is implemented, and why it exists. This field supports multiple languages and is where auditors and colleagues will look for the substance of the control.
- Domain — Select the security or compliance area this measure belongs to, such as "Data Confidentiality" or "Integrity".
- Standard — Select the regulatory or technical framework this measure aligns with, such as ISO 27001 or GDPR Article 32.
- In the sticky header strip, set the Status (for example "Draft" while you are still configuring the TOM, then "Active" once it is implemented) and assign one or more Responsible Persons who are accountable for this control.
- Click Save at the bottom of the form. For a brand-new TOM, DPMS creates the record and navigates to the TOM's detail view. For an existing TOM, it saves the changes and keeps you on the same screen. The new or updated TOM immediately becomes available in TOM selection dropdowns across the rest of DPMS — for example, when linking a TOM to a ROPA record or a DPIA.
Heads up: Each tab has its own independent Save button. Saving the General tab does not save any changes you may have made on other tabs. Always click Save before switching tabs if you have made changes.
Linking risk scenarios to a TOM
A TOM only becomes meaningful within the platform's risk analysis once it is connected to the risk scenarios it is designed to address. Without these links, the TOM will not appear in gap analysis results and the maturity dashboards will show those scenarios as uncovered.
- Click Relevant Risk Scenarios in the left-side Element Menu.
- The tab shows a table of already-linked scenarios (empty for a new TOM). Click the Add button.
- A search modal appears. Type part of the scenario name — for example "Unauthorised Access" — select the scenario(s) you want, and confirm.
- DPMS links the selected scenarios to the TOM. The table now shows the scenario names, their priority, and other key attributes.
- To remove a link, click the delete icon on the corresponding row.
Once risk scenarios are linked, the Assets tab becomes populated: it shows all assets that are associated with those risk scenarios, so you can immediately see where this TOM needs to be implemented.
Tip: Click any risk scenario row to navigate directly to that scenario's edit screen, where you can review its full configuration.
Reviewing and managing asset implementation
The Assets tab gives you a live view of how well this TOM is deployed across the organisation's asset landscape. It draws its data from the risk scenarios you have linked — so link those first.
- Click Assets in the Element Menu.
- The table shows each asset associated with the TOM's linked risk scenarios, along with its implementation status and maturity score.
- Click on any row to expand it. An inline detail panel appears showing the implementation status for that specific asset-TOM combination, including any related task. Only one row can be expanded at a time.
- You can use this view to spot assets where the TOM has not yet been implemented (gaps), and then create a task directly from the expanded row to track remediation.
This tab is read-heavy but action-orientated: the maturity data shown here feeds into the platform-wide maturity dashboards and gap analysis reports.
Attaching documents, tasks, and assessments
Each relationship tab follows the same basic pattern: a table of linked items and an Add button to connect more.
- Documents: Click Documents in the Element Menu, then Add to search for and link existing policies or documents. This ensures the right policies are associated with each control.
- Tasks: Click Tasks, then Add to attach action items or remediation tasks. Tasks linked here appear on team members' to-do lists and can have deadlines and responsible persons assigned.
- Assessments: Click Assessments, then Add to link formal assessments to this control. You can bulk-link using the select-all option when your search returns multiple relevant assessments.
- ROPA, DPIA, Vendors, Projects: These tabs show records from elsewhere in DPMS that reference or relate to this TOM. Click any row to navigate to that record's detail view.
Tip: Each linked-object tab has its own Save action triggered automatically when you add or remove items. You do not need to click a separate save button for relationship changes on these tabs — the link is confirmed as soon as you complete the selection modal.
Triggering and monitoring workflows
When a TOM is due for review — for example, as part of an annual audit cycle — you can start a structured review workflow directly from this screen.
- Click Trigger Workflow in the Element Menu. (This tab is only visible if you have the workflow trigger permission.)
- Available workflow templates are listed — for example "Annual Review". Select the template that matches your need.
- Configure the reviewers, deadline, and any other required settings, then click Save.
- DPMS creates the workflow and assigns the required actions to the named reviewers. Those reviewers will see a Required Action notification in their DPMS inbox.
- To monitor the progress of active workflows, click the Workflows tab in the Element Menu. All workflows attached to this TOM are listed here, with their current status. You can also view the detailed Required Action sub-view by selecting a specific workflow from the list.
The sticky header's Last Review Date field is automatically updated once a workflow with reviewers reaches the completed state — giving you a quick at-a-glance indication of currency.
Restricting access to a TOM
If a TOM contains sensitive control details that should only be visible to specific teams or individuals, you can restrict access using the Manage Access tab.
- Click the three-dot options menu (ellipsis icon) in the sticky header strip and select Manage Access, or click Manage Access directly in the Element Menu.
- Under Audiences, select one or more audience groups defined in Compliance Settings → Group Management. Each audience group carries its own read or write permission level.
- Under Users, search for and add individual user accounts who should have direct access.
- Click Save. DPMS updates the access permissions immediately. From this point, only members of the selected audience groups and the individually named users will be able to see this TOM in their lists and dashboards.
Field reference
| Field | What it is | Required | Notes |
|---|---|---|---|
| Name | Plain-language name of the TOM | Yes | Supports multiple languages. Used everywhere the TOM appears in DPMS. |
| Type | Category of the measure | No | Selected from a fixed list. Used for filtering and reporting. |
| Classification | One or more tag-based classifications | No | Tags must be created first in Compliance Settings → Tags. |
| Description | Prose explanation of the measure | No | Supports multiple languages. In the detail view, editable inline with a rich-text editor. |
| Domain | Security or compliance domain | No | Selected from a fixed list (e.g. "Data Confidentiality"). |
| Standard | Regulatory or technical framework | No | Displayed verbatim (e.g. "ISO 27001", "GDPR Art. 32"). |
| Status | Lifecycle stage of the TOM | Yes (defaults) | Set in the sticky header. Changes are saved immediately without clicking |
| Responsible Person(s) | Named accountable individual(s) | No | Set in the sticky header. Changes are saved immediately. |
How this connects to the rest of DPMS
The TOM you configure here is not a standalone record — it sits at the centre of a web of relationships that drives several other features in DPMS.
What other screens depend on this screen:
- Risk Scenario detail screens — The "TOMs" tab on any risk scenario lists the controls linked to that scenario. Until you link a TOM to a risk scenario here, it will not appear on that screen.
- Asset detail screens — The implementation status shown against each asset is read from the data you see on the Assets tab here. Unlinked TOMs produce coverage gaps in the maturity dashboard.
- ROPA and DPIA detail screens — Both screens show a TOMs sub-section that pulls from links created here.
- Maturity dashboards — The platform-wide maturity and gap analysis charts are fed by the implementation records on the Assets tab.
- TOM selection dropdowns — Whenever a colleague links a TOM to a ROPA, DPIA, or assessment elsewhere in DPMS, the list they see is refreshed every time you save a General tab update here.
What to do after finishing this screen:
- If this is a new TOM, navigate to the relevant Risk Scenario detail screens and confirm the TOM appears under their TOMs tab.
- If implementation tasks are needed, create them directly from the Assets tab's expanded row view.
- If the TOM requires periodic review, set up a workflow using the Trigger Workflow tab.
- If the TOM is sensitive, configure access restrictions using the Manage Access tab before sharing the record with colleagues.
Tips & common pitfalls
Heads up: Saving the General tab does not save linked objects. Every tab — Documents, Risk Scenarios, Assets, Tasks, and so on — operates independently. If you add a risk scenario and then navigate away before saving, your changes on that tab will be lost.
Heads up: The Assets tab will be empty until you have linked at least one risk scenario. The tab shows assets associated with the TOM's risk scenarios, not assets in general. Always visit the Relevant Risk Scenarios tab first.
- Classification tags must exist before you can use them. If the Classification dropdown is empty, a compliance administrator needs to create tags of the correct type under Compliance Settings → Tags → Classifications.
- The description field behaves differently in edit mode vs. detail view. In the full edit form (opened via the edit button), the description is a plain text area. On the detail view screen, it becomes a rich-text inline editor that saves directly via its own save button — you do not need to use the tab-level Save button for inline description changes.
- The back button is suppressed on the Maturity Gaps section. If you navigate to the Maturity Gaps part of the edit form, the standard back-navigation button will not work. Use the "TOMs" breadcrumb link at the top or your browser's history to return.
- Shared or consulted TOMs show a restricted view. If a TOM has been shared from another organisation or is in Consulted mode, the Activity Log (changelog) button is hidden and some inline edit actions may be suppressed. This is expected behaviour.
- Status and Responsible Person changes in the sticky header save immediately. You do not need to click the tab-level Save button to persist changes made in the sticky header — they are applied as soon as you make the selection.