IAPP Certified Information Privacy Manager (CIPM) Exam Syllabus

Use this quick start guide to collect all the information about the IAPP CIPM certification exam. This study guide provides a list of objectives and resources that will help you prepare for items on the IAPP Certified Information Privacy Manager (CIPM) exam. The Sample Questions will help you identify the type and difficulty level of the questions, and the Practice Exams will make you familiar with the format and environment of the exam. You should refer to this guide carefully before attempting your actual IAPP Certified Information Privacy Manager (CIPM) certification exam.

The IAPP CIPM certification is mainly targeted at candidates who want to build their career in the Privacy Laws and Regulations domain. The IAPP Certified Information Privacy Manager (CIPM) exam verifies that the candidate possesses the fundamental knowledge and proven skills in the area of IAPP Information Privacy Manager.

IAPP CIPM Exam Summary:

Exam Name: IAPP Certified Information Privacy Manager (CIPM)
Exam Code: CIPM
Exam Price: First Time Candidate: $550; Retake: $375
Duration: 150 mins
Number of Questions: 90
Passing Score: 300 / 500
Books / Training: CIPM Body of Knowledge and Blueprint; CIPM Certification Candidate Handbook
Schedule Exam: Pearson VUE
Sample Questions: IAPP CIPM Sample Questions
Practice Exam: IAPP CIPM Certification Practice Exam

IAPP Information Privacy Manager Exam Syllabus Topics:

Domain I: Privacy Program: Developing a Framework

Define program scope and develop a privacy strategy.
- Identify the source, types and uses of personal information (PI) within the organization.
- Understand the organization's business model and risk appetite.
- Choose an applicable governance model.
- Define the structure of the privacy team.
- Identify stakeholders and internal partners.

Communicate organizational vision and mission statement.
- Create awareness of the organization's privacy program internally and externally.
- Ensure employees have access to policies and procedures and updates relative to their role(s).
- Adopt privacy program vocabulary (e.g., incident vs. breach).

Indicate in-scope laws, regulations and standards applicable to the program.
- Understand territorial, sectoral and industry regulations, laws, codes of practice and/or self-certification mechanisms.
- Understand penalties for non-compliance.
- Understand the scope and authority of oversight agencies.
- Understand privacy implications and territorial scope when doing business or basing operations in other countries with differing privacy laws.
- Understand the privacy risks posed by the use of AI in the business environment.

Domain II: Privacy Program: Establishing Program Governance

Create policies and processes to be followed across all stages of the privacy program life cycle.
- Establish the organizational model, responsibilities and reporting structure appropriate to the size of the organization.
- Define policies appropriate for the data processed by the organization, taking into account legal and ethical requirements.
- Identify collection points, considering transparency requirements and data quality issues around the collection of data.
- Create a plan for breach management.
- Create a plan for complaint handling procedures.
- Create data retention and disposal policies and procedures.

Clarify roles and responsibilities.
- Define the roles and responsibilities of the privacy team and stakeholders.
- Define the roles and responsibilities for managing the sharing and disclosure of data for internal and external use.
- Define roles and responsibilities for breach response by function, including stakeholders and their accountability to various internal and external partners (e.g., detection teams, IT, HR, vendors, regulators, oversight teams).

Define privacy metrics for oversight and governance.
- Create metrics per audience and/or identify the intended audience for metrics, with clear processes describing the purpose, value and reporting of metrics.
- Understand the purposes, types and life cycles of audits in evaluating the effectiveness of controls throughout the organization's operations, systems and processes.
- Establish monitoring and enforcement systems to track multiple jurisdictions for changes in privacy law to ensure continuous alignment.

Establish training and awareness activities.
- Develop targeted employee, management and contractor training at all stages of the privacy life cycle.
- Create continuous privacy program activities (e.g., education and awareness, monitoring internal compliance, program assurance including audits, complaint handling procedures).

Domain III: Privacy Program Operational Life Cycle: Assessing Data

Document data governance systems.
- Map data inventories, data flows, the data life cycle and system integrations.
- Measure policy compliance against internal and external requirements.
- Determine the desired state and perform a gap analysis against an accepted standard or law.

Evaluate processors and third-party vendors.
- Identify and assess the risks of outsourcing the processing of personal data (e.g., contractual requirements and rules for international data transfers).
- Carry out assessments at the most appropriate functional level within the organization (e.g., procurement, internal audit, information security, physical security, data protection authority).

Evaluate physical and environmental controls.
- Identify operational risks of physical locations (e.g., data centers and offices) and physical controls (e.g., document retention and destruction, media sanitization and disposal, device forensics and device security).

Evaluate technical controls.
- Identify operational risks of digital processing (e.g., servers, storage, infrastructure and cloud).
- Review and set limits on the use of personal data (e.g., role-based access).
- Review and set limits on records retention.
- Determine the location of data, including cross-border data flows.
- Collaborate with relevant stakeholders to identify and evaluate technical controls.

Evaluate risks associated with shared data in mergers, acquisitions and divestitures.
- Complete due diligence procedures.
- Evaluate contractual and data sharing obligations, including laws, regulations and standards.
- Conduct risk and control alignment.

Domain IV: Privacy Program Operational Life Cycle: Protecting Personal Data

Apply information security practices and policies.
- Classify data according to the applicable classification scheme (e.g., public, confidential, restricted).
- Understand the purposes and limitations of different controls.
- Identify risks and implement applicable access controls.
- Use appropriate technical, administrative and organizational measures to mitigate any residual risk.

Integrate the main principles of Privacy by Design (PbD).
- Integrate privacy throughout the System Development Life Cycle (SDLC).
- Integrate privacy throughout business processes.

Apply organizational guidelines for data use and ensure technical controls are enforced.
- Verify that guidelines for secondary uses of data are followed.
- Verify that safeguards such as vendor and HR policies, procedures and contracts are applied.
- Ensure applicable employee access controls and data classifications are in use.
- Collaborate with privacy technologists to enable technical controls for obfuscation, data minimization, security and other privacy-enhancing technologies.

Domain V: Privacy Program Operational Life Cycle: Sustaining Program Performance

Use metrics to measure the performance of the privacy program.
- Determine appropriate metrics for different objectives and analyze the data collected through metrics (e.g., trending, ROI, business resiliency).
- Collect metrics to link training and awareness activities to reductions in privacy events, and continuously improve the privacy program based on the metrics collected.

Audit the privacy program.
- Understand the types, purposes and life cycles of audits in evaluating the effectiveness of controls throughout the organization's operations, systems and processes.
- Select applicable forms of monitoring based upon program goals (e.g., audits, controls, subcontractors).
- Complete compliance monitoring through auditing of privacy policies, controls and standards, including against industry standards and regulatory and/or legislative changes.

Manage continuous assessment of the privacy program.
- Conduct risk assessments on systems, applications, processes and activities.
- Understand the purpose and life cycle of each assessment type (e.g., PIA, DPIA, TIA, LIA, PTA).
- Implement risk mitigation and communications with internal and external stakeholders after mergers, acquisitions and divestitures.

Domain VI: Privacy Program Operational Life Cycle: Responding to Requests and Incidents

Respond to data subject access requests and privacy rights.
- Ensure privacy notices and policies are transparent and clearly articulate data subject rights.
- Comply with the organization's privacy policies around consent (e.g., withdrawals of consent, rectification requests, objections to processing, access to data and complaints).
- Understand and comply with established international, federal and state legislation around data subjects' rights of control over their personal information (e.g., GDPR, HIPAA, CAN-SPAM, FOIA, CCPA/CPRA).

Follow organizational incident handling and response procedures.
- Conduct an incident impact assessment.
- Perform containment activities.
- Identify and implement remediation measures.
- Communicate to stakeholders in compliance with jurisdictional, global and business requirements.
- Engage the privacy team to review facts, determine actions and execute plans.
- Maintain an incident register and associated records of the incident.

Evaluate and modify the current incident response plan.
- Carry out post-incident reviews to improve the effectiveness of the plan.
- Implement changes to reduce the likelihood and/or impact of future breaches.

To ensure success in the IAPP Information Privacy Manager certification exam, we recommend an authorized training course, practice tests and hands-on experience to prepare for the IAPP Certified Information Privacy Manager (CIPM) exam.