CIPM - BoK - EBP - 4.1.0 - FINAL - PROOFED - CLEAN

CIPM
Certified Information Privacy Manager

CIPM
BODY OF KNOWLEDGE
AND EXAM BLUEPRINT
VERSION 4.1.0 EFFECTIVE DATE: 2 Sept. 2024
IAPP CIPM BODY OF KNOWLEDGE

UNDERSTANDING THE IAPP’S BODY OF KNOWLEDGE

The main purpose of the body of knowledge (BoK) is to document the knowledge and skills that will be assessed on the certification exam. The domains reflect what the privacy professional should know and be able to do to show competency in this designation.

The BoK also includes the Exam Blueprint numbers, which show the minimum and maximum number of questions from each domain that will be found on the exam.

The BoK is developed and maintained by the subject matter experts that constitute each designation exam development board and scheme committee. The BoK is reviewed and, if necessary, updated every year; changes are reflected in the annual exam updates and communicated to candidates at least 90 days before the new content appears in the exam.

COMPETENCIES AND PERFORMANCE INDICATORS

We represent the BoK content as a series of competencies and performance indicators.

Competencies are clusters of connected tasks and abilities that constitute a broad knowledge domain.

Performance indicators are the discrete tasks and abilities that constitute the broader competence group. Exam questions assess a privacy professional’s proficiency on the performance indicators.

WHAT TYPES OF QUESTIONS WILL BE ON THE EXAM?

For the certification candidate, the performance indicators are guides to the depth of knowledge required to demonstrate competency. The verbs that begin the skill and task statements (identify, evaluate, implement, define) signal the level of complexity of the exam questions and find their corollaries on the Bloom’s Taxonomy (see next page).

ANAB ACCREDITATION

The IAPP’s CIPM, CIPP/E, CIPP/US and CIPT credentials are accredited by the ANSI National Accreditation Board (ANAB) under the International Organization for Standardization (ISO) standard 17024: 2012.

ANAB is an internationally recognized accrediting body that assesses and accredits certification programs that meet rigorous standards.

Achieving accreditation is a tremendous acknowledgement of the quality and integrity of the IAPP’s certification programs, which:
• Demonstrates that IAPP credentials meet a global, industry-recognized benchmark.
• Ensures IAPP credentials are consistent, comparable and reliable worldwide.
• Protects the integrity and ensures the validity of the IAPP certification program.
• Promotes to employers, colleagues, clients and vendors that IAPP-certified professionals have the necessary knowledge, skills and abilities to perform their work anywhere in the world.

Approved by: CIPM EDB Effective date: 2 Sept. 2024


Approved on: 7 Dec. 2023 PAGE 2 OF 11 Version 4.1.0
Supersedes: 4.0.0

Bloom’s Taxonomy levels, from highest to lowest:

• CREATE: Produce new or original work. Verbs: design, assemble, construct, conjecture, develop, formulate, author, investigate.
• EVALUATE: Justify a stand or decision. Verbs: appraise, argue, defend, judge, select, support, value, critique, weigh.
• ANALYZE: Draw connection among ideas. Verbs: differentiate, organize, relate, compare, contrast, distinguish, examine, experiment, question, test.
• APPLY: Use information in new situations. Verbs: execute, implement, solve, use, demonstrate, interpret, operate, schedule, sketch.
• UNDERSTAND: Explain ideas or concepts. Verbs: classify, describe, discuss, explain, identify, locate, recognize, report, select, translate.
• REMEMBER: Recall facts and basic concepts. Verbs: define, duplicate, list, memorize, repeat, state.

Examples of Remember/Understand retired questions from various designations:
• Which of the following is the correct definition of privacy-enhancing technologies?
• To which type of activity does the Canadian Charter of Rights and Freedoms apply?
• Which European Union institution is vested with the competence to propose data protection legislation?
• Who has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA)?

The answers to these questions are facts and cannot be disputed.

Examples of Apply/Analyze retired questions from various designations:
• Which of the following poses the greatest challenge for a European Union data controller in the absence of clearly defined contractual provisions?
• Which of the following examples would constitute a violation of territorial privacy?
• What is the best way to ensure all stakeholders have the same baseline understanding of the privacy issues facing an organization?
• If the information technology engineers originally set the default for customer credit card information to “Do Not Save,” this action would have been in line with what concept?

The answer to this question will be based upon factual knowledge and an understanding that allows for application, analysis and/or evaluation of the options provided to choose the best answer.


Domain I — Privacy Program: Developing a Framework (MIN 14, MAX 18 questions)

Domain I — Privacy Program: Developing a Framework documents the preliminary tasks required to create a solid foundation for the privacy program, the purposes of the program and who is responsible for the program. It focuses on establishing the privacy program governance model within the context of the organization’s privacy strategy. As each organization may have its own needs, the model could vary among organizations.

COMPETENCIES (with MIN/MAX question counts) AND PERFORMANCE INDICATORS

I.A Define program scope and develop a privacy strategy. (MIN 4, MAX 6)
• Identify the source, types and uses of personal information (PI) within the organization.
• Understand the organization’s business model and risk appetite.
• Choose applicable governance model.
• Define the structure of the privacy team.
• Identify stakeholders and internal partners.

I.B Communicate organizational vision and mission statement. (MIN 4, MAX 6)
• Create awareness of the organization’s privacy program internally and externally.
• Ensure employees have access to policies and procedures and updates relative to their role(s).
• Adopt privacy program vocabulary (e.g., incident vs breach).

I.C Indicate in-scope laws, regulations and standards applicable to the program. (MIN 5, MAX 7)
• Understand territorial, sectoral and industry regulations, laws, codes of practice and/or self-certification mechanisms.
• Understand penalties for non-compliance.
• Understand scope and authority of oversight agencies.
• Understand privacy implications and territorial scope when doing business or basing operations in other countries with differing privacy laws.
• Understand the privacy risks posed by the use of AI in the business environment.


Domain II — Privacy Program: Establishing Program Governance (MIN 12, MAX 16 questions)

Domain II — Privacy Program: Establishing Program Governance identifies how the privacy requirements will be implemented across the organization through all stages of the privacy life cycle. The domain focuses on the roles, responsibilities and training requirements of the various stakeholders, as well as the policies and procedures that will be followed to ensure continuous compliance.

COMPETENCIES (with MIN/MAX question counts) AND PERFORMANCE INDICATORS

II.A Create policies and processes to be followed across all stages of the privacy program life cycle. (MIN 6, MAX 8)
• Establish the organizational model, responsibilities, and reporting structure appropriate to size of organization.
• Define policies appropriate for the data processed by the organization, taking into account legal and ethical requirements.
• Identify collection points considering transparency requirements and data quality issues around collection of data.
• Create a plan for breach management.
• Create a plan for complaint handling procedures.
• Create data retention and disposal policies and procedures.

II.B Clarify roles and responsibilities. (MIN 1, MAX 3)
• Define roles and responsibilities of the privacy team and stakeholders.
• Define the roles and responsibilities for managing the sharing and disclosure of data for internal and external use.
• Define roles and responsibilities for breach response by function, including stakeholders and their accountability to various internal and external partners (e.g., detection teams, IT, HR, vendors, regulators, oversight teams).

II.C Define privacy metrics for oversight and governance. (MIN 2, MAX 4)
• Create metrics per audience and/or identify intended audience for metrics with clear processes describing purpose, value and reporting of metrics.
• Understand purposes, types and life cycles of audits in evaluating effectiveness of controls throughout organization’s operations, systems and processes.
• Establish monitoring and enforcement systems to track multiple jurisdictions for changes in privacy law to ensure continuous alignment.


II.D Establish training and awareness activities. (MIN 1, MAX 3)
• Develop targeted employee, management and contractor trainings at all stages of the privacy life cycle.
• Create continuous privacy program activities (e.g., education and awareness, monitoring internal compliance, program assurance, including audits, complaint handling procedures).


Domain III — Privacy Program Operational Life Cycle: Assessing Data (MIN 12, MAX 16 questions)

Domain III — Privacy Program Operational Life Cycle: Assessing Data encompasses how to identify and minimize privacy risks and assess the privacy impacts associated with an organization’s systems, processes and products. Addressing potential problems early will help to establish a more robust privacy program.

COMPETENCIES (with MIN/MAX question counts) AND PERFORMANCE INDICATORS

III.A Document data governance systems. (MIN 3, MAX 5)
• Map data inventories, map data flows, map data life cycle and system integrations.
• Measure policy compliance against internal and external requirements.
• Determine desired state and perform gap analysis against an accepted standard or law.

III.B Evaluate processors and third-party vendors. (MIN 1, MAX 3)
• Identify and assess risks of outsourcing the processing of personal data (e.g., contractual requirements and rules of international data transfers).
• Carry out assessments at the most appropriate functional level within the organization (e.g., procurement, internal audit, information security, physical security, data protection authority).

III.C Evaluate physical and environmental controls. (MIN 0, MAX 2)
• Identify operational risks of physical locations (e.g., data centers and offices) and physical controls (e.g., document retention and destruction, media sanitization and disposal, device forensics and device security).

III.D Evaluate technical controls. (MIN 3, MAX 5)
• Identify operational risks of digital processing (e.g., servers, storage, infrastructure and cloud).
• Review and set limits on use of personal data (e.g., role-based access).
• Review and set limits on records retention.
• Determine the location of data, including cross-border data flows.
• Collaborate with relevant stakeholders to identify and evaluate technical controls.


III.E Evaluate risks associated with shared data in mergers, acquisitions, and divestitures. (MIN 2, MAX 4)
• Complete due diligence procedures.
• Evaluate contractual and data sharing obligations, including laws, regulations and standards.
• Conduct risk and control alignment.


Domain IV — Privacy Program Operational Life Cycle: Protecting Personal Data (MIN 9, MAX 13 questions)

Domain IV — Privacy Program Operational Life Cycle: Protecting Personal Data outlines how to protect data assets during use through the implementation of effective privacy and security controls and technology. Regardless of size, geographic location, or industry, data must be physically and virtually secure at all levels of the organization.

COMPETENCIES (with MIN/MAX question counts) AND PERFORMANCE INDICATORS

IV.A Apply information security practices and policies. (MIN 4, MAX 6)
• Classify data to the applicable classification scheme (e.g., public, confidential, restricted).
• Understand purposes and limitations of different controls.
• Identify risks and implement applicable access controls.
• Use appropriate technical, administrative and organizational measures to mitigate any residual risk.

IV.B Integrate the main principles of Privacy by Design (PbD). (MIN 1, MAX 3)
• Integrate privacy throughout the System Development Life Cycle (SDLC).
• Integrate privacy throughout business process.

IV.C Apply organizational guidelines for data use and ensure technical controls are enforced. (MIN 3, MAX 5)
• Verify that guidelines for secondary uses of data are followed.
• Verify that the safeguards such as vendor and HR policies, procedures and contracts are applied.
• Ensure applicable employee access controls and data classifications are in use.
• Collaborate with privacy technologists to enable technical controls for obfuscation, data minimization, security and other privacy enhancing technologies.


Domain V — Privacy Program Operational Life Cycle: Sustaining Program Performance (MIN 7, MAX 9 questions)

Domain V — Privacy Program Operational Life Cycle: Sustaining Program Performance details how the privacy program is sustained using pertinent metrics and auditing procedures. As an organization moves through the cycles of managing its privacy program, it is important to ensure all processes and procedures are functioning effectively and are replicable going forward.

COMPETENCIES (with MIN/MAX question counts) AND PERFORMANCE INDICATORS

V.A Use metrics to measure the performance of the privacy program. (MIN 1, MAX 3)
• Determine appropriate metrics for different objectives and analyze data collected through metrics (e.g., trending, ROI, business resiliency).
• Collect metrics to link training and awareness activities to reductions in privacy events and continuously improve the privacy program based on the metrics collected.

V.B Audit the privacy program. (MIN 1, MAX 3)
• Understand the types, purposes, and life cycles of audits in evaluating effectiveness of controls throughout organization’s operations, systems and processes.
• Select applicable forms of monitoring based upon program goals (e.g., audits, controls, subcontractors).
• Complete compliance monitoring through auditing of privacy policies, controls and standards, including against industry standards, regulatory and/or legislative changes.

V.C Manage continuous assessment of the privacy program. (MIN 3, MAX 5)
• Conduct risk assessments on systems, applications, processes, and activities.
• Understand the purpose and life cycle for each assessment type (e.g., PIA, DPIA, TIA, LIA, PTA).
• Implement risk mitigation and communications with internal and external stakeholders after mergers, acquisitions, and divestitures.


Domain VI — Privacy Program Operational Life Cycle: Responding to Requests and Incidents (MIN 10, MAX 14 questions)

Domain VI — Privacy Program Operational Life Cycle: Responding to Requests and Incidents documents the activities involved in responding to privacy incidents and the rights of data subjects. Based upon the applicable territorial, sectoral and industry laws and regulations, organizations must ensure proper processes for information requests, privacy rights and incident responses.

COMPETENCIES (with MIN/MAX question counts) AND PERFORMANCE INDICATORS

VI.A Respond to data subject access requests and privacy rights. (MIN 5, MAX 7)
• Ensure privacy notices and policies are transparent and clearly articulate data subject rights.
• Comply with organization’s privacy policies around consent (e.g., withdrawals of consent, rectification requests, objections to processing, access to data and complaints).
• Understand and comply with established international, federal, and state legislations around data subject’s rights of control over their personal information (e.g., GDPR, HIPAA, CAN-SPAM, FOIA, CCPA/CPRA).

VI.B Follow organizational incident handling and response procedures. (MIN 3, MAX 5)
• Conduct an incident impact assessment.
• Perform containment activities.
• Identify and implement remediation measures.
• Communicate to stakeholders in compliance with jurisdictional, global and business requirements.
• Engage privacy team to review facts, determine actions and execute plans.
• Maintain an incident register and associated records of the incident.

VI.C Evaluate and modify current incident response plan. (MIN 1, MAX 3)
• Carry out post-incident reviews to improve the effectiveness of the plan.
• Implement changes to reduce the likelihood and/or impact of future breaches.
