CIPM BoK v4.0.0


IAPP CIPM BODY OF KNOWLEDGE
VERSION 4.0.0 EFFECTIVE DATE: 10/02/2023

UNDERSTANDING THE IAPP’S BODY OF KNOWLEDGE

The main purpose of the body of knowledge (BoK) is to document the knowledge and skills that will be assessed on the certification exam. The domains reflect what the privacy professional should know and be able to do to show competency in this designation.

The body of knowledge also includes the Exam Blueprint numbers, which show the minimum and maximum number of questions from each Domain that will be found on the exam.

The body of knowledge is developed and maintained by the subject matter experts that constitute each designation exam development board and scheme committee. The BoK is reviewed (and, if necessary, updated) every year; changes are reflected in the annual exam updates and communicated to candidates at least 90 days before the new content appears in the exam.

COMPETENCIES AND PERFORMANCE INDICATORS

Instead of the former outline format we used for our bodies of knowledge, we now represent the content as a series of Competencies and Performance Indicators.

Competencies are clusters of connected tasks and abilities that constitute a broad knowledge domain.

Performance Indicators are the discrete tasks and abilities that constitute the broader competence group. Exam questions assess a privacy professional’s proficiency on the performance indicators.

WHAT TYPES OF QUESTIONS WILL BE ON THE EXAM?

For the certification candidate, the performance indicators are guides to the depth of knowledge required to demonstrate competency. The verbs that begin the skill and task statements (identify, evaluate, implement, define) signal the level of complexity of the exam questions and find their corollaries in Bloom’s Taxonomy (see next page).

ANAB ACCREDITATION

The IAPP’s CIPM, CIPP/E, CIPP/US and CIPT credentials are accredited by the ANSI National Accreditation Board (ANAB) under the International Organization for Standardization (ISO) standard 17024:2012.

ANAB is an internationally recognized accrediting body that assesses and accredits certification programs that meet rigorous standards.

Achieving accreditation is a tremendous acknowledgement of the quality and integrity of the IAPP’s certification programs, which:
• Demonstrates that IAPP credentials meet a global, industry-recognized benchmark.
• Ensures IAPP credentials are consistent, comparable, and reliable worldwide.
• Protects the integrity and ensures the validity of the IAPP certification program.
• Promotes to employers, colleagues, clients, and vendors that IAPP-certified professionals have the necessary knowledge, skills, and abilities to perform their work anywhere in the world.

Approved by: CIPM EDB   Effective Date: 10/02/2023
Approved on: 3/21/2023   Version 4.0.0
Supersedes: 3.0.0

BLOOM’S TAXONOMY (from highest to lowest level of complexity)

CREATE: Produce new or original work.
Verbs: design, assemble, construct, conjecture, develop, formulate, author, investigate.

EVALUATE: Justify a stand or decision.
Verbs: appraise, argue, defend, judge, select, support, value, critique, weigh.

ANALYZE: Draw connections among ideas.
Verbs: differentiate, organize, relate, compare, contrast, distinguish, examine, experiment, question, test.

APPLY: Use information in new situations.
Verbs: execute, implement, solve, use, demonstrate, interpret, operate, schedule, sketch.

UNDERSTAND: Explain ideas or concepts.
Verbs: classify, describe, discuss, explain, identify, locate, recognize, report, select, translate.

REMEMBER: Recall facts and basic concepts.
Verbs: define, duplicate, list, memorize, repeat, state.

Examples of Remember / Understand retired questions from various designations:
• Which of the following is the correct definition of Privacy-Enhancing Technologies?
• To which type of activity does the Canadian Charter of Rights apply?
• Which European Union institution is vested with the competence to propose data protection legislation?
• Who has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA)?

The answers to these questions are a fact and cannot be disputed.

Examples of Apply / Analyze retired questions from various designations:
• Which of the following poses the greatest challenge for a European Union data controller in the absence of clearly defined contractual provisions?
• Which of the following examples would constitute a violation of territorial privacy?
• What is the best way to ensure that all stakeholders have the same baseline understanding of the privacy issues facing an organization?
• If the Information Technology engineers originally set the default for customer credit card information to “Do Not Save,” this action would have been in line with what concept?

The answers to these questions are based upon factual knowledge and an understanding that allows for application, analysis and/or evaluation of the options provided to choose the best answer.


Domain I: Privacy Program: Developing a Framework
Exam Blueprint: MIN 14 / MAX 18 questions

Domain I - Privacy Program: Developing a Framework documents the preliminary tasks required to create a solid foundation for the privacy program, the purposes of the program and who is responsible for the program. It focuses on establishing the privacy program governance model within the context of the organization’s privacy strategy. As each organization may have its own needs, the model could vary among organizations.

Competencies and Performance Indicators

I.A Define program scope & develop a privacy strategy. (MIN 4 / MAX 6)
• Choose applicable governance model.
• Identify the source, types and uses of personal information (PI) within the organization.
• Structure the privacy team.
• Identify stakeholders and internal partnerships.

I.B Communicate organizational vision and mission statement. (MIN 4 / MAX 6)
• Create awareness of the organization’s privacy program internally and externally.
• Ensure employees have access to policies and procedures and updates relative to their role(s).
• Adopt privacy program vocabulary (e.g., incident vs breach).

I.C Indicate in-scope laws, regulations and standards applicable to the program. (MIN 5 / MAX 7)
• Understand territorial, sectoral and industry regulations and/or laws.
• Understand penalties for non-compliance.
• Understand scope and authority of oversight agencies.
• Understand privacy implications of doing business or basing operations in countries with inadequate privacy laws.


Domain II: Privacy Program: Establishing Program Governance
Exam Blueprint: MIN 12 / MAX 16 questions

Domain II - Privacy Program: Establishing Program Governance identifies how the privacy requirements will be implemented across the organization through all stages of the privacy life cycle. The Domain focuses on the roles, responsibilities and training requirements of the various stakeholders, and the policies and procedures that will be followed to ensure continuous compliance.

Competencies and Performance Indicators

II.A Create policies and processes to be followed across all stages of the privacy program life cycle. (MIN 6 / MAX 8)
• Establish the organizational model, responsibilities, and reporting structure appropriate to size of organization.
• Define well-designed policies related to the processing of the organization’s data holdings, data sharing, taking into account both legal and ethical requirements.
• Identify collection points considering transparency and integrity limitations of collection of data.
• Create a plan for breach management.
• Create a plan for complaint handling procedures.

II.B Clarify roles and responsibilities. (MIN 1 / MAX 3)
• Define the roles and responsibilities for managing the sharing and disclosure of data for internal and external use.
• Define roles and responsibilities for breach response by function, including stakeholders and their accountability to regulators, coordinating detection teams (e.g., IT, physical security, HR, investigation teams, vendors) and establishing oversight teams.

II.C Define privacy metrics for oversight and governance. (MIN 2 / MAX 4)
• Create metrics per audience and/or identify intended audience for metrics with clear processes describing purpose, value and reporting of metrics.
• Understand purposes, types and life cycles of audits in evaluating effectiveness of controls throughout organization’s operations, systems and processes.
• Establish monitoring and enforcement systems to track multiple jurisdictions for changes in privacy law to ensure continuous alignment.

II.D Establish training and awareness activities. (MIN 1 / MAX 3)
• Develop targeted employee, management, and contractor trainings at all stages of the privacy life cycle.
• Create continuous privacy program activities (e.g., education and awareness, monitoring internal compliance, program assurance, including audits, complaint handling procedures).


Domain III: Privacy Program Operational Life Cycle: Assessing Data
Exam Blueprint: MIN 12 / MAX 16 questions

Domain III - Privacy Program Operational Life Cycle: Assessing Data encompasses how to identify and minimize privacy risks and assess the privacy impacts associated with an organization’s systems, processes, and products. Addressing potential problems early will help to establish a more robust privacy program.

Competencies and Performance Indicators

III.A Document data governance systems. (MIN 3 / MAX 5)
• Map data inventories, map data flows, map data life cycle and system integrations.
• Measure policy compliance against internal and external requirements.
• Determine desired state and perform gap analysis against an accepted standard or law.

III.B Evaluate processors and third-party vendors. (MIN 1 / MAX 3)
• Identify risks of insourcing and outsourcing data, including contractual requirements and rules of international data transfers.
• Carry out assessments at the most appropriate functional level within the organization (e.g., procurement, internal audit, information security, physical security, data protection authority).

III.C Evaluate physical and environmental controls. (MIN 0 / MAX 2)
• Identify operational risks of physical locations (e.g., data centers and offices) and physical controls (e.g., document retention and destruction, media sanitization and disposal, device forensics and device security).

III.D Evaluate technical controls. (MIN 3 / MAX 5)
• Identify operational risks of digital processing (e.g., servers, storage, infrastructure and cloud).
• Review and set limits on use of personal data (e.g., role-based access).
• Review and set limits on records retention.
• Determine the location of data, including cross-border data flows.

III.E Evaluate risks associated with shared data in mergers, acquisitions, and divestitures. (MIN 2 / MAX 4)
• Complete due diligence procedures.
• Evaluate contractual and data sharing obligations, including laws, regulations and standards.
• Conduct risk and control alignment.


Domain IV: Privacy Program Operational Life Cycle: Protecting Personal Data
Exam Blueprint: MIN 9 / MAX 13 questions

Domain IV - Privacy Program Operational Life Cycle: Protecting Personal Data outlines how to protect data assets during use through the implementation of effective privacy and security controls and technology. Regardless of size, geographic location, or industry, data must be physically and virtually secure at all levels of the organization.

Competencies and Performance Indicators

IV.A Understand purposes and limitations of different practices and policies. (MIN 4 / MAX 6)
• Classify data to the applicable classification scheme (e.g., public, confidential, restricted).
• Apply information security controls.
• Identify risks and implement applicable access controls.
• Use appropriate organizational measures to mitigate any residual risk.

IV.B Integrate the main principles of Privacy by Design (PbD). (MIN 1 / MAX 3)
• Integrate privacy through the System Development Life Cycle (SDLC).
• Integrate privacy through business process.

IV.C Apply organizational guidelines for data use and ensure technical controls are enforced. (MIN 3 / MAX 5)
• Verify that guidelines for secondary uses of data are followed.
• Verify that administrative safeguards such as vendor and HR policies, procedures and contracts are applied.
• Ensure applicable employee access controls and data classifications are activated.
• Collaborate with privacy technologists to enable technical controls for obfuscation, data minimization, security and other privacy enhancing technologies.


Domain V: Privacy Program Operational Life Cycle: Sustaining Program Performance
Exam Blueprint: MIN 7 / MAX 9 questions

Domain V - Privacy Program Operational Life Cycle: Sustaining Program Performance details how the privacy program is sustained using pertinent metrics and auditing procedures. As an organization moves through the cycles of managing their privacy program, it is important to ensure that all processes and procedures are functioning effectively and are replicable going forward.

Competencies and Performance Indicators

V.A Use metrics to measure the performance of the privacy program. (MIN 1 / MAX 3)
• Determine appropriate metrics for different objectives and analyze data collected through metrics (e.g., trending, ROI, business resiliency, PMM).
• Collect metrics to link training and awareness activities to reductions in privacy events and continuously improve the privacy program based on the metrics collected.

V.B Audit the privacy program. (MIN 1 / MAX 3)
• Understand the types, purposes, and life cycles of audits in evaluating effectiveness of controls throughout organization’s operations, systems and processes.
• Select applicable forms of monitoring based upon program goals (e.g., audits, controls, sub-contractors) and complete compliance monitoring through auditing of privacy policies, controls, and standards, including against industry standards, regulatory and/or legislative changes.

V.C Manage continuous assessment of the privacy program. (MIN 3 / MAX 5)
• Conduct risk assessments on systems, applications, processes, and activities.
• Understand the purpose and life cycle for each assessment type (e.g., PIA, DPIA, TIA, LIA, PTA).
• Implement risk mitigation and communications with internal and external stakeholders after mergers, acquisitions, and divestitures.
• Ensure AI usage is ethical, unbiased, meets data minimization and purpose limitation expectations and is in compliance with any regulations and/or privacy laws.


Domain VI: Privacy Program Operational Life Cycle: Responding to Requests and Incidents
Exam Blueprint: MIN 10 / MAX 14 questions

Domain VI - Privacy Program Operational Life Cycle: Responding to Requests and Incidents documents the activities involved in responding to privacy incidents and the rights of data subjects. Based upon the applicable territorial, sectoral and industry laws and regulations, organizations must ensure proper processes for information requests, privacy rights and incident responses.

Competencies and Performance Indicators

VI.A Respond to data subject access requests and privacy rights. (MIN 5 / MAX 7)
• Ensure privacy notices and policies are transparent and clearly articulate data subject rights.
• Comply with organization’s privacy policies around consent (e.g., withdrawals of consent, rectification requests, objections to processing, access to data and complaints).
• Understand and comply with established international, federal, and state legislations around data subject’s rights of control over their personal information (e.g., GDPR, HIPAA, CAN-SPAM, FOIA, CCPA/CPRA).

VI.B Follow organizational incident handling and response procedures. (MIN 3 / MAX 5)
• Conduct a risk assessment about the incident.
• Perform containment activities.
• Identify and implement remediation measures.
• Communicate to stakeholders in compliance with jurisdictional, global and business requirements.
• Engage privacy team to review facts, determine actions and execute plans.
• Maintain an incident register and associated records of the incident.

VI.C Evaluate and modify current incident response plan. (MIN 1 / MAX 3)
• Carry out post-incident reviews to improve the effectiveness of the plan.
• Implement changes to reduce the chance of further breaches.
