# Map every measure to the control it satisfies — and prove it on demand

## When measures aren't mapped, you can't prove they work
When a supervisory authority or auditor asks how you protect personal data, the answer lives in your technical and organizational measures (TOMs). In most organizations those measures sit in a Word document, a controls matrix, and a few people's heads — and none of them agree.
The hard part is the mapping. Which measure satisfies which control? Which framework requirement is actually covered, and which is asserted but unevidenced? When measures aren't linked to controls, you can't prove a TOM addresses an obligation — or tell which gaps still carry risk.
The result is inconsistent implementation across frameworks, duplicated effort, and an audit scramble every time the question shifts from "do you have measures?" to "show me."
## What you can do with TOMs
- Maintain a single TOM catalog with descriptions, in one place across every framework.
- Link each measure to compliance controls and control evidence, so each TOM points to what it satisfies.
- Track implementation status through workflow approval — planned, in progress, implemented.
- Assign responsibility to an organizational unit and a named person for every measure.
- Associate TOMs with risk treatments and supporting documents, connecting the measure to the risk it reduces.
- Bulk-update linked relationships when controls, treatments or owners change across many measures at once.
## What it delivers to your program
- Answer "which measure covers this requirement?" instantly — every TOM is mapped to its controls, ready to show.
- Consistent implementation across frameworks — one catalog feeds GDPR, ISO, NIS2 and DORA instead of four diverging copies.
- Clear accountability — every measure has an owner and a unit, so nothing sits unassigned before an audit.
- Residual risk that reflects reality — implementation status feeds risk calculation, so your risk picture tracks what's actually in place.
- Audit-ready evidence on demand — generate TOM implementation reports without rebuilding the picture each time.
## Built for compliance
DPMS helps you evidence the specific obligations your TOMs exist to satisfy:
| What DPMS does | Maps to | How |
|---|---|---|
| Documents technical and organizational measures for personal data | GDPR Art. 32 | Measure catalog with descriptions and implementation status |
| Links measures to information-security controls and their evidence | ISO 27001:2022 Annex A | TOM-to-control mapping that supports your Statement of Applicability |
| Evidences risk-management and security measures | NIS2 Art. 21 | Measures tied to risk treatments and responsible owners |
| Documents ICT risk-mitigation measures | DORA Art. 9 | Status tracking and reporting on protective measures |
## Why Priverion
In DPMS, TOMs are the shared currency that links controls, risk treatments and assessments — not a standalone register. Because the catalog lives inside one unified privacy and InfoSec platform, a measure you map once flows to the controls it satisfies and the risks it treats, without re-keying.
That connection is the difference. Unlike general-purpose GRC tools where TOMs are static text, here implementation status drives residual-risk calculation across the platform — so marking a measure "implemented" updates your risk picture, not just a status field.