IAPP-CIPM Exam Information and Guideline
Certified Information Privacy Manager 2025
Below is the complete topic outline for the current syllabus and course, intended to give you a clear picture of the exam objectives and the topics you need to prepare. These topics are covered in the exam's question and answer pool.
EXAM NUMBER : IAPP-CIPM
EXAM NAME : Certified Information Privacy Manager
TOTAL QUESTIONS : 90
SCORED QUESTIONS : 70
TIME : 2 hours 30 minutes
PASSING SCORES : 300
PASSING PERCENTAGE : 60%
Make data privacy regulations work for your organization by understanding how to implement them in day-to-day operations. Learn to create a company vision, structure a data protection team, develop and implement system frameworks, communicate to stakeholders, measure performance and more.
- How to create a company vision
- How to structure the privacy team
- How to develop and implement a privacy program framework
- How to communicate to stakeholders
- How to measure performance
- The privacy program operational life cycle
The International Association of Privacy Professionals (IAPP) is the largest and most comprehensive global information privacy community and resource. IAPP helps practitioners develop and advance their careers, and organizations manage and protect their data.

The IAPP is a not-for-profit association founded in 2000 with a mission to define, support and improve the privacy profession globally. We are committed to providing a forum for privacy professionals to share best practices, track trends, advance privacy management issues, standardize the designations for privacy professionals and provide education and guidance on opportunities in the field of information privacy.

The IAPP is responsible for developing and launching the gold standard in privacy and data protection certifications: the Certified Information Privacy Professional (CIPP), the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy Technologist (CIPT). The CIPP, CIPM and CIPT are the leading privacy certifications for tens of thousands of professionals around the world who serve the privacy, data protection, information auditing, information security, data ethics, legal compliance and risk management needs of their organizations.

In addition, the IAPP offers a full suite of educational and professional development services and holds annual conferences that are recognized internationally as the leading forums for the discussion and debate of issues related to privacy policy and practice.
Contents covered in these IAPP CIPM Questions
---------------------------------------------
- Define program scope and develop a privacy strategy.
- Identify the source, types and uses of personal information (PI) within the organization.
- Understand the organization’s business model and risk appetite.
- Choose applicable governance model.
- Define the structure of the privacy team.
- Identify stakeholders and internal partners.
- Communicate organizational vision and mission statement.
- Create awareness of the organization’s privacy program internally and externally.
- Ensure employees have access to policies and procedures and updates relative to their role(s).
- Adopt privacy program vocabulary (e.g., incident vs breach).
- Indicate in-scope laws, regulations and standards applicable to the program.
- Understand territorial, sectoral and industry regulations, laws, codes of practice and/or self-certification mechanisms.
- Understand penalties for non-compliance.
- Understand scope and authority of oversight agencies.
- Understand privacy implications and territorial scope when doing business or basing operations in other countries with differing privacy laws.
- Understand the privacy risks posed by the use of AI in the business environment.
- Create policies and processes to be followed across all stages of the privacy program life cycle.
- Establish the organizational model, responsibilities, and reporting structure appropriate to size of organization.
- Define policies appropriate for the data processed by the organization, taking into account legal and ethical requirements.
- Identify collection points considering transparency requirements and data quality issues around collection of data.
- Create a plan for breach management.
- Create a plan for complaint handling procedures.
- Create data retention and disposal policies and procedures.
- Clarify roles and responsibilities.
- Define roles and responsibilities of the privacy team and stakeholders.
- Define the roles and responsibilities for managing the sharing and disclosure of data for internal and external use.
- Define roles and responsibilities for breach response by function, including stakeholders and their accountability to various internal and external partners:
  - detection teams
  - IT
  - HR
  - vendors
  - regulators
  - oversight teams
- Define privacy metrics for oversight and governance.
- Create metrics per audience and/or identify intended audience for metrics with clear processes describing purpose, value and reporting of metrics.
- Understand purposes, types and life cycles of audits in evaluating effectiveness of controls throughout organization’s operations, systems and processes.
- Establish monitoring and enforcement systems to track multiple jurisdictions for changes in privacy law to ensure continuous alignment.
- Establish training and awareness activities.
- Develop targeted employee, management and contractor trainings at all stages of the privacy life cycle.
- Create continuous privacy program activities:
  - education and awareness
  - monitoring internal compliance
  - program assurance
    - including audits
  - complaint handling procedures
Domain III: Privacy Program Operational Life Cycle: Assessing Data
- Document data governance systems.
- Map data inventories, map data flows, map data life cycle and system integrations.
- Measure policy compliance against internal and external requirements.
- Determine desired state and perform gap analysis against an accepted standard or law.
- Evaluate processors and third-party vendors.
- Identify and assess risks of outsourcing the processing of personal data:
  - contractual requirements
  - rules of international data transfers
- Carry out assessments at the most appropriate functional level within the organization:
  - procurement
  - internal audit
  - information security
  - physical security
  - data protection authority
- Evaluate physical and environmental controls.
- Identify operational risks of physical locations (e.g., data centers and offices) and physical controls:
  - document retention and destruction
  - media sanitization and disposal
  - device forensics and device security
- Evaluate technical controls.
- Identify operational risks of digital processing:
  - servers
  - storage
  - infrastructure and cloud
- Review and set limits on use of personal data (e.g., role-based access).
- Review and set limits on records retention.
- Determine the location of data, including cross-border data flows.
- Collaborate with relevant stakeholders to identify and evaluate technical controls.
- Evaluate risks associated with shared data in mergers, acquisitions, and divestitures.
- Complete due diligence procedures.
- Evaluate contractual and data sharing obligations, including laws, regulations and standards.
- Conduct risk and control alignment.
Domain IV: Privacy Program Operational Life Cycle: Protecting Personal Data
- Apply information security practices and policies.
- Classify data according to the applicable classification scheme:
  - public
  - confidential
  - restricted
- Understand purposes and limitations of different controls.
- Identify risks and implement applicable access controls.
- Use appropriate technical, administrative and organizational measures to mitigate any residual risk.
- Integrate the main principles of Privacy by Design (PbD).
- Integrate privacy throughout the System Development Life Cycle (SDLC).
- Integrate privacy throughout business process.
- Apply organizational guidelines for data use and ensure technical controls are enforced.
- Verify that guidelines for secondary uses of data are followed.
- Verify that the safeguards such as vendor and HR policies, procedures and contracts are applied.
- Ensure applicable employee access controls and data classifications are in use.
- Collaborate with privacy technologists to enable technical controls for obfuscation, data minimization, security and other privacy enhancing technologies.
Domain V: Privacy Program Operational Life Cycle: Sustaining Program Performance
- Use metrics to measure the performance of the privacy program.
- Determine appropriate metrics for different objectives and analyze data collected through metrics:
  - trending
  - ROI
  - business resiliency
- Collect metrics to link training and awareness activities to reductions in privacy events and continuously improve the privacy program based on the metrics collected.
- Audit the privacy program.
- Understand the types, purposes, and life cycles of audits in evaluating effectiveness of controls throughout organization’s operations, systems and processes.
- Select applicable forms of monitoring based upon program goals:
  - audits
  - controls
  - subcontractors
- Complete compliance monitoring through auditing of privacy policies, controls and standards, including against industry standards, regulatory and/or legislative changes.
- Manage continuous assessment of the privacy program.
- Conduct risk assessments on systems, applications, processes, and activities.
- Understand the purpose and life cycle for each assessment type:
  - PIA
  - DPIA
  - TIA
  - LIA
  - PTA
- Implement risk mitigation and communications with internal and external stakeholders after mergers, acquisitions, and divestitures.
Domain VI: Privacy Program Operational Life Cycle: Responding to Requests and Incidents
- Respond to data subject access requests and privacy rights.
- Ensure privacy notices and policies are transparent and clearly articulate data subject rights.
- Comply with the organization's privacy policies around consent:
  - withdrawals of consent
  - rectification requests
  - objections to processing
  - access to data and complaints
- Understand and comply with established international, federal, and state legislation around data subjects' rights of control over their personal information:
  - GDPR
  - HIPAA
  - CAN-SPAM
  - FOIA
  - CCPA/CPRA
- Follow organizational incident handling and response procedures.
- Conduct an incident impact assessment.
- Perform containment activities.
- Identify and implement remediation measures.
- Communicate to stakeholders in compliance with jurisdictional, global and business requirements.
- Engage privacy team to review facts, determine actions and execute plans.
- Maintain an incident register and associated records of the incident.
- Evaluate and modify current incident response plan.
- Carry out post-incident reviews to improve the effectiveness of the plan.
- Implement changes to reduce the likelihood and/or impact of future breaches.