TOM detail page
The TOM detail page is your single window into everything about one specific Technical or Organisational Measure (TOM) — the documented security and privacy controls that sit at the heart of your organisation's compliance programme. Whether you are a Data Protection Officer reviewing an upcoming audit, a compliance officer checking which processing activities depend on a control, or an information security manager tracking implementation progress across your IT assets, this is where you do that work. Because TOMs connect to risk scenarios, assets, ROPA entries, DPIAs, vendors, projects, assessments, and workflows simultaneously, changes you make here — even something as simple as updating a status — ripple outward to affect risk calculations, ROPA completeness scores, and DPIA technical-measures sections across the entire system.
How to open it
Navigate to Controls → TOMs in the left-hand application sidebar. Click any row in the TOMs list to open its detail page. The URL will be in the form /toms/detail/{id}.
You need at least read permission for TOMs to see this page at all. If your account does not have that access, DPMS shows a "403 Forbidden" screen instead of the detail layout. If you also need to make changes — updating the status, reassigning the responsible person, or editing the description — you will need edit permission for TOMs. The Workflows tab additionally requires workflow-assignment permission before you can trigger or manage approval processes.
What you see
The page is split into two main areas. On the far left is a narrow vertical strip with a small circle icon — this is the toggle for the element menu, a vertical navigation list that lets you jump between the TOM's different sections (General, Documents, Risk Scenarios, Assets, ROPA, DPIA, Vendors, Projects, Tasks, Assessments, and Workflows). Clicking the circle collapses or expands this menu; DPMS remembers your preference the next time you open the page.
Across the top of the right-hand content area is a sticky header bar that stays visible no matter which tab you are on. It shows the TOM's current lifecycle status (as a coloured badge), the responsible person(s), and — if a review workflow has ever been completed — the date of the last review and who the reviewers were. To the right of this bar sit the three-dot options menu and the Activity Log (clock) icon, which opens a full changelog drawer.
Immediately below the sticky header is a breadcrumb bar showing the module name ("TOMs") as a clickable link back to the list, followed by the TOM's name and the currently active tab. Two small chevron arrows in the breadcrumb let you navigate to the previous or next TOM in your current filtered list without going back to the index — very handy when working through a batch of reviews.
The main content area below renders the currently selected tab. Each tab has a card-style panel with its own heading and a table or data view.
Working with this screen
Reviewing a TOM's core information for the first time
When you land on a newly created TOM, the General tab is open by default. This tab shows the TOM's Name, Description, Domain (the security or privacy area it covers, such as "IT Security" or "Physical Security"), the Standard it aligns to (for example, ISO 27001 or GDPR Article 32), its Type, and any Classification tags.
If you notice that the description is missing or incomplete, you can fix it immediately without leaving the page. Click inside the description text area — if you have edit permission, it becomes a rich-text editor. Type or paste your changes, then click the inline save button that appears. DPMS saves the update to the server immediately. This is the only field on the detail page that supports in-place editing; all other fields require you to go to the edit form (see below).
Once you have reviewed the General tab, use the breadcrumb tab arrows (or click the next item in the left-side element menu) to step through the other sections. When the TOM is ready to be formally activated, click the status badge in the sticky header, select the new status from the dropdown (for example, "Active"), and the change is saved instantly — there is no separate Save button for status changes.
Changing who is responsible for a TOM
The Responsible Person selector in the sticky header shows the current owner(s) of the TOM. If ownership needs to change — for example, when a team member moves to a different role — click the selector to open a person-picker, add or remove people, and the change is committed to the backend automatically. Because this information is used to determine "edit only assigned" access, updating it may affect which users can subsequently edit the TOM.
Understanding where a TOM has been applied (Assets tab)
If you need to answer the question "Is this control actually implemented on all the assets it is supposed to protect?", click Assets in the left-side element menu. The Assets tab lists every IT asset that is linked to this TOM through a risk scenario. Each row shows an asset and its current implementation status.
Click any row to expand an inline detail panel showing maturity information, implementation details, and linked tasks for that specific asset. Only one row can be expanded at a time. This panel gives you a quick gap-analysis view without navigating away from the TOM. If you identify an asset where the TOM has not yet been implemented, you can note the asset's name and follow the link in the expanded row to that asset's detail page to take further action.
Heads up: Assets appear in this tab because they are connected to the TOM through risk scenarios, not through a direct TOM-to-asset link. If you linked an asset directly to DPMS but did not connect it to a risk scenario that references this TOM, it will not show up here. This is the most common reason users report "missing" assets on this tab.
Checking which ROPA entries and DPIAs depend on this TOM
Click ROPA in the left-side element menu to see all Records of Processing Activities that cite this TOM as a technical or organisational measure. Click any row to navigate directly to that ROPA record. Do the same with the DPIA tab to trace which Data Protection Impact Assessments reference this TOM as a mitigation.
This view is read-only on the detail page. If you need to link or unlink a ROPA or DPIA, you must open the respective edit form for the ROPA or DPIA record — or open the TOM's own edit form and manage the linkages from there.
Navigating linked vendors, projects, tasks, and assessments
The Vendors, Projects, Tasks, and Assessments tabs each show a linked-object table. These tabs are read-only in the detail view. Click any row to navigate to that object's detail page.
The Tasks tab is particularly useful for tracking remediation work: it shows all tasks that have been formally linked to this TOM, giving you a single place to check whether outstanding implementation actions are on track.
Editing the TOM's full details (documents, linked elements, etc.)
The detail page is primarily a read-only view. To add or remove linked documents, risk scenarios, vendors, tasks, or assessments, click the edit icon (pencil) inside the General card, or open the three-dot options menu in the upper right and choose the relevant option. Both routes take you to the TOM's edit form. From there you can switch between tabs (General, Documents, Risk Scenarios, Assets, and so on) to manage all linked elements. When you save from the edit form, you are returned to the detail page.
Monitoring and triggering approval workflows
Click Workflows in the left-side element menu. You will see an overview of all workflows ever associated with this TOM. Inside the Workflows section there are two sub-tabs: Overview (the full workflow history) and Required Action (any steps currently waiting for your action or someone else's). If you have workflow-assignment permission, you can trigger a new review or approval workflow from this tab. Once a workflow is completed, the reviewer's name and review date appear in the sticky header, confirming the TOM has been formally reviewed.
Tip: First-time users often miss the Required Action sub-tab because it is nested inside the Workflows section. If a colleague tells you there is a pending workflow step waiting for you, click Workflows in the left-side menu and then look for the Required Action sub-tab.
Reviewing the audit history
Click the clock icon in the upper right to open the Activity Log drawer. This shows a full chronological list of every change made to this TOM — who changed it, what they changed, and when. This is invaluable during an audit or when investigating an unexpected status change.
Heads up: The Activity Log button is hidden if the TOM was shared from another organisation or if you are viewing it in "consulted" mode. If the clock icon is missing, check whether the URL bar shows a shared-object indicator or ask your administrator.
Field reference
The General tab displays the following fields. All are set via the edit form except Description, which can also be edited inline on the detail page.
- Name — The TOM's display name in the currently active interface language. Required.
- Description — A rich-text field explaining what the measure is and how it works. Editable inline on the detail page without going to the edit form.
- Domain — The security or privacy domain this TOM belongs to (for example, "IT Security", "Physical Security", "HR"). Chosen from a predefined list; translates into the interface language automatically.
- Standard — The compliance standard or regulation this TOM supports (for example, ISO 27001, GDPR Article 32). Links the TOM to a specific control framework.
- Type — The category of measure (for example, technical, organisational). Chosen from a predefined list.
- Classification — One or more classification tags used for filtering and reporting. Optional.
How this connects to the rest of DPMS
The TOM detail page is a hub, not an island. Many other parts of DPMS depend on what is recorded here:
- ROPA completeness — A ROPA entry's "technical and organisational measures" section draws its content from TOMs that are linked to it. A ROPA that has no linked TOMs will show as incomplete in compliance reports.
- DPIA technical measures — DPIAs work the same way. If a TOM is not linked to the relevant DPIA, that section of the DPIA will appear empty.
- Risk and maturity calculations — The Assets tab drives the maturity gap analysis. Without TOMs being linked to assets via risk scenarios, the gap report shows no coverage data.
- Assessment answers — Assessment questionnaires that ask "which controls are implemented?" draw their answers from the TOMs linked to the relevant element.
- Workflow approvals — The Workflows tab is the only place on the TOM where an approval or review workflow can be monitored or acted on. The "last reviewed" date in the header only appears after a workflow with a reviewer has been completed.
After finishing on this page, consider checking:
- Whether the linked ROPA entries and DPIAs are complete (navigate from the ROPA and DPIA tabs).
- Whether all relevant assets show the TOM as implemented (Assets tab, inline expand).
- Whether a review workflow should be triggered now that the TOM is updated (Workflows tab).
Tips & common pitfalls
Tip: Status and responsible-person changes save immediately — there is no Save button for these fields. If you click the wrong status by mistake, click it again straight away to change it back.
Heads up: Almost everything on the detail page is read-only. The only in-place edits available without going to the edit form are the Description field and the Status and Responsible Person controls in the sticky header. If you need to add documents, link new risk scenarios, or attach assessments, you must go to the edit form first.
- Custom statuses won't appear unless configured. The status dropdown only shows company-specific statuses (beyond the built-in Draft, Active, Inactive, Review) if an administrator has created them under Compliance Settings → Statuses. If a required status is missing, contact your DPMS administrator.
- Assets are linked via risk scenarios, not directly. If an asset is missing from the Assets tab, check that a risk scenario linking both this TOM and that asset exists. A direct asset-to-TOM link is not sufficient.
- The breadcrumb arrows navigate your current filtered list. If you filtered the TOMs list by domain before opening this record, the previous/next arrows in the breadcrumb navigate only within that filtered set — making it efficient to review a group of related TOMs one after another.
- The Activity Log is hidden for shared TOMs. If you are viewing a TOM that was shared to your organisation by a parent company or partner, the clock icon will not appear. Change history for shared objects is managed by the originating organisation.