Are all 12 measures mandatory?

Yes for SMEs above 50 employees with personal data processing. Adjustments per risk possible — but documentation of risk assessment mandatory.

Is ISO 27001 required?

No, GDPR doesn't require certification. But ISO 27001 covers ~80% of TOM requirements + supplier audit reduction + marketing benefit.

MFA via SMS sufficient?

NIST and BSI advise against SMS-OTP. Authenticator app or FIDO2 keys recommended.

How often test backups?

Quarterly minimum. Annual full disaster recovery test.

What about cloud providers?

TOM responsibility is shared. Read AWS/Azure/GCP shared responsibility model. EU region + EU Data Boundary activation mandatory for GDPR.

Cost-effective starting point?

Microsoft 365 E5 + Veeam Backup + Compliance-Kit = ~10-15k EUR/year for KMU 50-100 employees.

TOMs under Art. 32 GDPR: 14 audit-proof measures for SMEs

Published: 26 April 2026 · Last updated: 02 May 2026 · Category: GDPR

Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information, consult a licensed attorney.

TL;DR

TOMs under Art. 32 GDPR are mandatory for every controller — proportionate to risk
No minimum list — state of the art (BSI Grundschutz, ISO 27002, ENISA)
14 typical TOMs for a 30-person mechanical engineering company as an example
ISO 27001 covers 80-90 %, gaps in employee data protection + pseudonymisation
Supervisory authorities review TOMs primarily after data breaches — documenting them in advance is mandatory

1. What are TOMs?

Technical and Organisational Measures (TOM) under Art. 32 GDPR are security measures to protect personal data. They cover technical means (encryption, MFA, backup) and organisational procedures (access rights, training, four-eyes principle).

In the GDPR Kit you will find a TOM concept with 14 standard measures + ISO 27001 mapping + annual review template — one-off EUR 490-1,490.

2. Risk-based: what 'appropriate' means

Art. 32(1) lists 4 criteria for appropriateness:

State of the art
Cost of implementation
Nature, scope, context and purposes of processing
Likelihood and severity of risk to rights/freedoms

3. 14 typical TOMs for SMEs

Short answer: Fourteen TOM measures form the practical standard for SMEs: MFA for admin accounts, VPN for remote access, full-disk encryption, daily backup following the 3-2-1 principle, need-to-know access concept, annual training, patch management with a 30-day deadline for Critical, four-eyes principle, server room access control, TLS 1.3, pseudonymisation in test environments, DIN 66399 document destruction, annual penetration test and an incident response plan with a semi-annual tabletop exercise.

#	TOM	Protection objective	Standard solution
1	MFA for all admin accounts	Confidentiality	FIDO2 / TOTP
2	VPN for remote access	Confidentiality, integrity	WireGuard / OpenVPN
3	Full-disk encryption	Confidentiality	BitLocker, FileVault
4	Daily backup	Availability	3-2-1 principle, 30-day retention
5	Need-to-know access concept	Confidentiality, purpose limitation	RBAC + annual review
6	Annual training	Organisation	40-slide e-learning + quiz
7	Patch management	Integrity, availability	30-day deadline for Critical, 90 for High
8	Four-eyes principle	Integrity	For subcontracting, payouts, data export
9	Server room access	Confidentiality	Locked cabinet/room + access log
10	SSL/TLS for web services	Confidentiality, integrity	TLS 1.3, BSI TR-02102
11	Pseudonymisation in test environment	Data minimisation	Faker tools, hash-based
12	Document destruction	Confidentiality	DIN 66399 (P-4 or higher)
13	Penetration test	Effectiveness	Annual, sample-based
14	Incident response plan + tabletop	Resilience	Semi-annual exercise

4. ISO 27001 mapping

Short answer: GDPR TOMs map directly onto ISO 27001 Annex A controls: access control corresponds to A.9, encryption to A.10, physical security to A.11, backup to A.12.3, training to A.7.2.2, incident management to A.16 and supplier management to A.15. Organisations certified to ISO 27001 thereby already cover most Art. 32 requirements.

TOM area	ISO 27001 Annex A
Access control	A.9 (Access Control)
Encryption	A.10 (Cryptography)
Physical security	A.11 (Physical Security)
Backup	A.12.3
Training	A.7.2.2
Incidents	A.16
Suppliers	A.15

5. Review cycle + supervisory practice

Supervisory authorities review TOMs primarily in two situations:

After a reported data breach (Art. 33): were the TOMs appropriate?
During a DPIA consultation (Art. 36): are the TOMs sufficient for the high risk?

Practical standard: annual review + ad hoc after incidents + after material IT changes.

6. Adjusting TOMs after an incident

After every data breach, TOMs MUST be reviewed. Documenting the adjustment is audit-relevant. Frequent adjustments 2024-2026:

MFA rollout after a phishing incident
Permission reduction after an insider incident
Backup test after a ransomware incident
Training after a 'human error' incident

Sources

Regulation (EU) 2016/679 — GDPR (Art. 32) (As of: 2026-05-02)
German Federal Data Protection Act (BDSG) (as of: ongoing)
EDPB Guidelines 04/2022 — Fines (As of: 2026-05-02)