IAPP Certified Information Privacy Manager (CIPM) Exam Syllabus

Use this quick start guide to collect all the information about the IAPP CIPM certification exam. This study guide provides a list of objectives and resources that will help you prepare for items on the IAPP Certified Information Privacy Manager (CIPM) exam. The Sample Questions will help you identify the type and difficulty level of the questions, and the Practice Exams will make you familiar with the format and environment of an exam. You should refer to this guide carefully before attempting your actual IAPP Certified Information Privacy Manager (CIPM) certification exam.

The IAPP CIPM certification is mainly targeted at candidates who want to build their career in the Privacy Laws and Regulations domain. The IAPP Certified Information Privacy Manager (CIPM) exam verifies that the candidate possesses the fundamental knowledge and proven skills in the area of IAPP Information Privacy Manager.

IAPP CIPM Exam Summary:

Exam Name: IAPP Certified Information Privacy Manager (CIPM)
Exam Code: CIPM
Exam Price: First Time Candidate: $550; Retake: $375
Duration: 150 mins
Number of Questions: 90
Passing Score: 300 / 500
Books / Training: CIPM Body of Knowledge; CIPM Exam Blueprint; GDPR Prep Online Bundle (CIPM)
Schedule Exam: Pearson VUE
Sample Questions: IAPP CIPM Sample Questions
Practice Exam: IAPP CIPM Certification Practice Exam

IAPP Information Privacy Manager Exam Syllabus Topics:

Topic Details

Developing a Privacy Program

Create an organizational vision

- Evaluate the intended objective
- Gain executive sponsor approval for this vision
Establish a Data Governance model

- Centralized
- Distributed
- Hybrid

Define a privacy program

- Define program scope and charter
- Identify the source, types, and uses of personal information (PI) within the organization and the applicable laws
- Develop a privacy strategy

  • Business alignment
    - Finalize the business case for privacy
    - Identify stakeholders
    - Leverage key functions
    - Create a process for interfacing within organization
    - Align organizational culture and privacy/data protection objectives
  • Obtain funding/budget for privacy and the privacy team
  • Develop a data governance strategy for processing personal information (e.g. collect, use, access, share, transfer, destroy)
  • Ensure program flexibility in order to incorporate legislative/regulatory/market/business requirements
Structure the privacy team

- Establish the organizational model, responsibilities and reporting structure appropriate to the size of the organization (e.g., Chief Privacy Officer, DPO, Privacy manager, Privacy analysts, Privacy champions, “First responders”)
- Designate a point of contact for privacy issues
- Establish/endorse the measurement of professional competency
Communicate

- Create awareness of the organization’s privacy program internally and externally (e.g. PR, Corporate Communication, HR)
- Develop internal and external communication plans to ingrain organizational accountability
- Ensure employees have access to policies and procedures and updates relative to their role

Privacy Program Framework

Develop the Privacy Program Framework

- Develop organizational privacy policies, procedures, standards, and/or guidelines
- Define privacy program activities
  • Education and awareness
  • Monitoring and responding to the regulatory environment
  • Monitoring internal privacy policy compliance
  • Data inventories, data flows, and classifications designed to identify what personal data your organization processes
  • Risk assessment (Privacy Impact Assessments [PIAs]) (e.g., DPIAs, etc.)
  • Incident response and process, including jurisdictional requirements
  • Remediation oversight
  • Program assurance, including audits
  • Plan inquiry/complaint handling procedures (customers, regulators, etc.)
Implement the Privacy Program Framework

- Communicate the framework to internal and external stakeholders
- Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework
  • Understand territorial regulations and/or laws (e.g., GDPR, CCPA, LGPD)
  • Understand sectoral and industry regulations and/or laws (e.g., HIPAA, GLBA)
  • Understand penalties for noncompliance with laws and regulations
  • Understand the scope and authority of oversight agencies (e.g., Data Protection Authorities, Privacy Commissioners, Federal Trade Commission, etc.)
  • Understand privacy implications of doing business with or basing operations in countries with inadequate, or without, privacy laws
  • Maintain the ability to manage a global privacy function
  • Maintain the ability to track multiple jurisdictions for changes in privacy law

- Understanding data sharing agreements

  • International data sharing agreements
  • Vendor agreement
  • Affiliate and subsidiary agreements
Develop Appropriate Metrics

- Identify intended audience for metrics
- Define reporting resources
- Define privacy metrics for oversight and governance per audience

  • Compliance metrics (examples, will vary by organization)
    - Collection (notice)
    - Responses to data subject inquiries
    - Retention
    - Disclosure to third parties
    - Incidents (breaches, complaints, inquiries)
    - Employees trained
    - PIA/DPIA metrics
    - Privacy risk indicators
    - Percent of company functions represented by governance mechanisms
  • Trend Analysis
  • Privacy program return on investment (ROI)
  • Business resiliency metrics
  • Privacy program maturity level
  • Resource utilization

- Identify systems/application collection points

Privacy Operational Life Cycle: Assess

Document current baseline of your privacy program

- Education and awareness
- Monitoring and responding to the regulatory environment
- Assess policy compliance against internal and external requirements
- Data, systems and process assessment
  • Map data inventories, flows, lifecycle and system integrations

- Risk assessment methods
- Incident management, response and remediation
- Determine desired state and perform gap analysis against an accepted standard or law (including GDPR)
- Program assurance, including audits

Processors and third-party vendor assessment

- Evaluate processors and third-party vendors, insourcing and outsourcing privacy risks, including rules of international data transfer
  • Privacy and information security policies
  • Access controls
  • Where personal information is being held
  • Review and set limits on vendor internal use of personal information
- Understand and leverage the different types of relationships
  • Internal audit
  • Information security
  • Physical security
  • Data protection authority
- Risk assessment
  • Type of data being outsourced
  • Location of data
  • Technologies and processing methods deployed (e.g., Cloud Computing)
  • Legal compliance
  • Records retention
  • Contractual requirements (incident response, etc.)
  • Determine minimum standards for safeguarding information
  • Cross-border transfers
- Contractual requirements and review process
- Ongoing monitoring and auditing
Physical assessments

- Identify operational risk
  • Data centers and offices
  • Physical access controls
  • Document retention and destruction
  • Media sanitization and disposal (e.g., hard drives, USB/thumb drives, etc.)
  • Device forensics
  • Device security (e.g., mobile devices, Internet of Things (IoT), geotracking, imaging/copier hard drive security controls)
Mergers, acquisitions and divestitures

- Due diligence procedures
- Review contractual and data sharing obligations
- Risk assessment
- Risk and control alignment
- Post integration planning and risk mitigation
Privacy Assessments and Documentation

- Privacy Threshold Analysis (PTAs) on systems, applications and processes
- Define a process for conducting privacy assessments (e.g., PIA, DPIA, TIA, LIA)
  • Understand the life cycle of each assessment type
  • Incorporate privacy assessments into system, process, data life cycles

Privacy Operational Life Cycle: Protect

Information security practices

- Access controls for physical and virtual systems
  • Least privileged access (e.g., need to know)
  • Account management (e.g., provision process)
  • Privilege management

- Technical security controls (including relevant policies and procedures)
- Incident response plans

Privacy by Design (PbD)

- Integrate privacy throughout the system development life cycle (SDLC)
- Establish privacy gates as part of the system development framework
- Integrate privacy through business processes
- Communicate with stakeholders the importance of PIAs and PbD
Integrate privacy requirements and representation into functional areas across the organization (e.g., Information Security, Human Resources, Marketing, Legal and Contracts, Mergers, Acquisitions & Divestitures)

Technical and Organizational measures

- Quantify the costs of technical and organizational controls
- Manage data retention with respect to the organization’s policies
- Define the methods for physical and electronic data destruction
- Define roles and responsibilities for managing the sharing and disclosure of data for internal and external use
- Determine and implement guidelines for secondary uses (ex: research, etc.)
- Define policies related to the processing (including collection, use, retention, disclosure and disposal) of organization’s data holdings, taking into account both legal and ethical requirements
- Implement appropriate administrative safeguards, such as policies, procedures, and contracts

Privacy Operational Life Cycle: Sustain

Monitor

- Environment (e.g., systems, applications) monitoring
- Monitor compliance with established privacy policies
- Monitor regulatory and legislative changes
- Compliance monitoring (e.g. collection, use and retention)
  • Internal audit
  • Self-regulation
  • Retention strategy
  • Exit strategy
- Align privacy operations to an internal and external compliance audit program
  • Knowledge of audit processes and maintenance of an “audit trail”
  • Assess against industry standards
  • Utilize and report on regulator compliance assessment tools

- Audit compliance with privacy policies and standards

- Audit data integrity and quality and communicate audit findings with stakeholders
- Audit information access, modification and disclosure accounting
- Targeted employee, management and contractor training
  • Privacy policies
  • Operational privacy practices (e.g., standard operating instructions), such as
    - Data creation/usage/retention/disposal
    - Access control
    - Reporting incidents
    - Key contacts

Privacy Operational Life Cycle: Respond

Data-subject information requests and privacy rights

- Access
- Redress
- Correction
- Managing data integrity
- Right of Erasure
- Right to be informed
- Control over use of data, including objection to processing
- Complaints including file reviews
Privacy incident response

- Legal compliance
  • Preventing harm
  • Collection limitations
  • Accountability
  • Monitoring and enforcement
  • Mandatory reporting

- Incident response planning

  • Understand key roles and responsibilities
    - Identify key business stakeholders
      - Information security
      - Head of compliance
      - Human resources
      - Business development
      - Communications and public relations
      - External parties
  • Establish incident oversight teams
  • Develop a privacy incident response plan
  • Identify elements of the privacy incident response plan
  • Integrate privacy incident response into business continuity planning

- Incident detection

  • Define what constitutes a privacy incident
  • Identify reporting process
  • Coordinate detection capabilities
    - Organization IT
    - Physical security
    - Human resources
    - Investigation teams
    - Vendors

- Incident handling

  • Understand key roles and responsibilities
  • Conduct risk assessment
  • Perform containment activities
  • Identify and implement remediation measures
  • Develop a communications plan to notify executive management
  • Notify regulator, impacted individuals and/or the responsible data controller
- Follow incident response process to ensure meeting jurisdictional, global and business requirements
  • Engage privacy team
  • Review the facts
  • Conduct analysis
  • Determine actions (contain, communicate, etc.)
  • Execute
  • Maintain an incident register and associated records of the incident management
  • Monitor
  • Review and apply lessons learned
- Identify incident reduction techniques
- Incident metrics—quantify the cost of a privacy incident

To ensure success in the IAPP Information Privacy Manager certification exam, we recommend an authorized training course, practice tests and hands-on experience to prepare for the IAPP Certified Information Privacy Manager (CIPM) exam.
