Course package:
- Official IAPP CIPM textbooks
- 4-hour online sessions
- Classroom training
- CIPM exam voucher
- Exam preparation
- 1st year IAPP membership
The Certified Information Privacy Manager (CIPM) is the first and only qualification in privacy programme management. Developed by the International Association of Privacy Professionals (IAPP) in 2013, the CIPM is the perfect companion to both the IAPP CIPP/E and BCS Practitioner Certificate in Data Protection. Holders of the award develop an understanding of the capabilities required to implement, maintain and manage a privacy programme through every stage of its lifecycle. By obtaining the CIPP/E certification, practitioners can significantly improve their career prospects and lifetime earnings. Award holders will join an elite group of highly decorated, globally recognised data protection professionals.
The IAPP Certified Information Privacy Manager (CIPM) is an essential professional qualification for industry practitioners already trained in data protection law. Unlike legal-based data protection training courses, the CIPM covers the practical implementation and management of privacy operations, making it an ideal qualification for data protection officers (DPOs) and other senior compliance professionals tasked with developing an organisation-wide culture of privacy and data protection compliance.
The CIPM syllabus (body of knowledge) consists of six distinct domains and requires attendees to evaluate privacy management throughout the operational lifecycle:
To successfully implement a privacy programme, it is important to have the right skills. CIPM holders have the ability to interpret data protection laws and create policies and procedures that organisations can use to establish practical and effective practices.
This CIPM course is delivered online for convenience and for the significant environmental and sustainability benefits it offers. Delegates can gain a recognised practitioner-level workplace qualification at home or from their desk by attending four consecutive 4-hour live online sessions across one week. This accredited IAPP course prepares participants for the 150-minute multiple-choice IAPP Exam.
For the second year running, Freevacy has been shortlisted in the Best Educator category at the PICCASO Privacy Awards. The awards were established to recognise the people making an outstanding contribution to this dynamic and fast-growing sector. The Best Educator award will go to a professor, lecturer, teacher, or training provider who leads by example to inspire and motivate the next generation of privacy professionals.
Who should attend the IAPP Certified Information Privacy Manager (CIPM) course?
What you will learn
This accredited CIPM training course is delivered online over 4 consecutive morning sessions (or 2 full days when provided in-company).
The IAPP developed its CIPM Body of Knowledge (BoK) around the skills practitioners will be assessed on during the certification exam. The latest BoK presents the content as a series of competencies and performance indicators. The IAPP ensures its CIPM BoK is always relevant and up to date through consultation with its global community of information privacy practitioners and lawyers.
CIPM is accredited by the ANSI National Accreditation Board (ANAB) under ISO 17024:2012.
The following is extracted from the CIPM BoK Version 4.0:
Each domain is broken down into competencies, and each competency into the performance indicators candidates are assessed on.

Domain 1: Developing a privacy programme framework

Competency: Define programme scope and develop a privacy strategy
- Choose an applicable governance model.
- Identify the source, types and uses of personal information within the organisation.
- Structure the privacy team.
- Identify stakeholders and internal partnerships.

Competency: Communicate organisational vision and mission statement
- Create awareness of the organisation's privacy programme internally and externally.
- Ensure employees have access to policies and procedures and updates relative to their role(s).
- Adopt privacy programme vocabulary (e.g., incident vs breach).

Domain 2: Establishing privacy programme governance

Competency: Create policies and processes to be followed across all stages of the privacy programme life cycle
- Establish the organisational model, responsibilities, and reporting structure appropriate to the size of the organisation.
- Define well-designed policies related to the processing of the organisation's data holdings, including data sharing, taking into account both legal and ethical requirements.
- Identify collection points, considering transparency and integrity limitations on the collection of data.
- Create a plan for breach management.
- Create a plan for complaint handling procedures.

Competency: Clarify roles and responsibilities
- Define the roles and responsibilities for managing the sharing and disclosure of data for internal and external use.
- Define roles and responsibilities for breach response by function, including stakeholders and their accountability to regulators, coordinating detection teams (e.g., IT, physical security, HR, investigation teams, vendors) and establishing oversight teams.

Competency: Define privacy metrics for oversight and governance
- Create metrics per audience and/or identify the intended audience for metrics, with clear processes describing the purpose, value and reporting of metrics.
- Understand the purposes, types and life cycles of audits in evaluating the effectiveness of controls throughout the organisation's operations, systems and processes.
- Establish monitoring and enforcement systems to track multiple jurisdictions for changes in privacy law to ensure continuous alignment.

Competency: Establish training and awareness activities
- Develop targeted employee, management, and contractor training programmes at all stages of the privacy life cycle.
- Create continuous privacy programme activities (e.g., education and awareness, monitoring internal compliance, programme assurance, including audits and complaint handling procedures).

Domain 3: Privacy Programme Operational Life Cycle - Assessing Data

Competency: Document data governance systems
- Map data inventories, data flows, the data life cycle and system integrations.
- Measure policy compliance against internal and external requirements.
- Determine the desired state and perform a gap analysis against an accepted standard or law.

Competency: Evaluate processors and third-party vendors
- Identify risks of insourcing and outsourcing data, including contractual requirements and rules on international data transfers.
- Carry out assessments at the most appropriate functional level within the organisation (e.g., procurement, internal audit, information security, physical security, data protection authority).

Competency: Evaluate physical and environmental controls
- Identify operational risks of physical locations (e.g., data centres and offices) and physical controls (e.g., document retention and destruction, media sanitisation and disposal, device forensics and device security).

Competency: Evaluate technical controls
- Identify operational risks of digital processing (e.g., servers, storage, infrastructure and cloud).
- Review and set limits on the use of personal data (e.g., role-based access).
- Review and set limits on records retention.
- Determine the location of data, including cross-border data flows.

Competency: Evaluate risks associated with shared data in mergers, acquisitions, and divestitures
- Complete due diligence procedures.
- Evaluate contractual and data-sharing obligations, including laws, regulations and standards.
- Conduct risk and control alignment.

Domain 4: Privacy Programme Operational Life Cycle - Protecting Personal Data

Competency: Apply information security practices and policies
- Classify data according to the applicable classification scheme (e.g., public, confidential, restricted).
- Understand the purposes and limitations of different controls.
- Identify risks and implement applicable access controls.
- Use appropriate organisational measures to mitigate any residual risk.

Competency: Integrate the main principles of Privacy by Design (PbD)
- Integrate privacy throughout the System Development Life Cycle (SDLC).
- Integrate privacy throughout business processes.

Competency: Apply organisational guidelines for data use and ensure technical controls are enforced
- Verify that guidelines for secondary uses of data are followed.
- Verify that administrative safeguards such as vendor and HR policies, procedures and contracts are applied.
- Ensure applicable employee access controls and data classifications are activated.
- Collaborate with privacy technologists to enable technical controls for obfuscation, data minimisation, security and other privacy-enhancing technologies (PETs).

Domain 5: Privacy Programme Operational Life Cycle - Sustaining Programme Performance

Competency: Use metrics to measure the performance of the privacy programme
- Determine appropriate metrics for different objectives and analyse data collected through metrics (e.g., trending, ROI, business resiliency, PMM).
- Collect metrics to link training and awareness activities to reductions in privacy events, and continuously improve the privacy programme based on the metrics collected.

Competency: Audit the privacy programme
- Understand the types, purposes, and life cycles of audits in evaluating the effectiveness of controls throughout the organisation's operations, systems and processes.
- Select applicable forms of monitoring based on programme goals (e.g., audits, controls, sub-contractors) and complete compliance monitoring through auditing of privacy policies, controls, and standards, including against industry standards and regulatory or legislative changes.

Competency: Manage continuous assessment of the privacy programme
- Conduct risk assessments on systems, applications, processes, and activities.
- Understand the purpose and life cycle of each assessment type (e.g., PIA, DPIA, TIA, LIA, PTA).
- Implement risk mitigation and communications with internal and external stakeholders after mergers, acquisitions, and divestitures.
- Ensure AI usage is ethical and unbiased, meets data minimisation and purpose limitation expectations, and complies with any applicable regulations and/or privacy laws.

Domain 6: Privacy Programme Operational Life Cycle - Responding to Requests and Incidents

Competency: Respond to data subject access requests and privacy rights
- Ensure privacy notices and policies are transparent and clearly articulate data subject rights.
- Comply with the organisation's privacy policies around consent (e.g., withdrawals of consent, rectification requests, objections to processing, access to data and complaints).
- Understand and comply with established international legislation on data subjects' rights of control over their personal information (e.g., EU/UK GDPR, PECR, DPA18).

Competency: Follow organisational incident handling and response procedures
- Conduct a risk assessment of the incident.
- Perform containment activities.
- Identify and implement remediation measures.
- Communicate to stakeholders in compliance with jurisdictional, global and business requirements.
- Engage the privacy team to review facts, determine actions and execute plans.
- Maintain an incident register and associated records of the incident.

Competency: Evaluate and modify the current incident response plan
- Carry out post-incident reviews to improve the effectiveness of the plan.
- Implement changes to reduce the chance of further breaches.
Once the training aspect of your CIPM course is complete, our trainers make themselves available throughout the self-study period leading up to the exam. We achieve this through email exchanges, one-to-one coaching sessions, and group online exam preparation days.
The topics covered in this CIPM exam preparation session include:
Following the examination prep day, the instructor will offer guidance for further study areas.
IAPP exams have gained a reputation for being difficult to pass. Both Freevacy and the IAPP strongly recommend careful preparation, even for experienced professionals.
The following information about the CIPM examination is an extract from documentation provided to delegates by the IAPP. For the full details please review the IAPP Privacy Certification Candidate Handbook 2023 and the CIPM Examination Blueprint.
IAPP certification programmes are designed to differentiate between candidates who do and who do not possess the knowledge required to be considered minimally qualified privacy professionals. All questions are multiple choice with some relating to scenarios. Each question has only one correct answer. Each item (question) consists of a clearly written question (stem), a correct or best response (key) that should be apparent to minimally qualified candidates and three incorrect responses (distractors) that will be plausible to not-minimally qualified candidates. Note that it is each candidate’s responsibility to be prepared for exams by being familiar with all elements of the Bodies of Knowledge.
Candidates are encouraged to read each question carefully. The stem may be in the form of an actual question or an incomplete statement. An exam question may require the candidate to choose the most appropriate answer based on a qualifier, such as MOST likely or BEST.
| CIPM exam | |
|---|---|
| Total number of questions | 90 |
| Scored questions | 70 |
| Exam duration | 2 hours 30 minutes |
| Passing score | 300 out of 500 |
The examination blueprint indicates the minimum and maximum number of items that are included on the CIPP/E examination from the major areas of the Body of Knowledge. Questions may be asked from any of the listed topics under each area.
On all IAPP certification exams, each item has equal value and is scored as correct or incorrect. Unanswered items are considered incorrect, and there is no additional penalty for incorrect answers.
It is the policy of the IAPP to provide testing accommodations to candidates with qualifying disabilities, to ensure each candidate a comparable opportunity for success on exams. The IAPP requires 30 days' notice in order to arrange special accommodations. Please do not schedule an exam until the IAPP approves your request. After purchasing the exam, submit your request and supporting documentation using the forms provided on the IAPP website.
All IAPP examinations are administered in English.
Course fee for this IAPP Certified Information Privacy Manager (CIPM) training course: £1,750 + VAT. A 10% discount code is available by signing up to the Privacy Newsfeed weekly newsletter; selecting the training announcements option brings additional offers.
Julie is an information and data governance specialist with over 15 years' experience, including 7 years as a data protection officer at a law enforcement agency.
As an IAPP instructor, Julie delivers our CIPP/E and CIPM courses. Her expertise covers data protection law, privacy programme management, and implementing privacy-enhancing technologies. Julie's practical and informal approach to data protection training helps delegates to analyse and interpret legislative requirements before applying day-to-day practices.
Read Julie's full bio for more information about her qualifications and experience.