TOM (Technical and Organizational Measures)

TOM (Technical and Organizational Measures) is the GDPR term for all safeguards an organization implements to protect personal data. Article 32 GDPR requires these measures to be appropriate to the level of risk. Technical measures include encryption and access restrictions; organizational measures cover training and policies. In an ISMS, TOMs overlap significantly with information security controls. Clean documentation of your TOMs simplifies both data protection and ISMS audits.