CIPM FSG November_2018_v1
Study Guide
Certified Information 
Privacy Manager (CIPM)
Effective September 2020
© International Association of Privacy Professionals 2020, All Rights Reserved
 CIPM Study Guide 2© International Association of Privacy Professionals 2020, All Rights Reserved
WELCOME
Congratulations on taking the first step toward achieving an IAPP privacy certification. This study guide 
contains the basic information you need to get started:
• An explanation of the IAPP certification program structure
• Key areas of knowledge for the CIPM program
• Recommended steps to help you prepare for your exam
• A detailed body of knowledge for the CIPM program
• An exam blueprint
• Example questions
• General exam information 
The IAPP Certification Program Structure
The IAPP currently offers three certification programs: The Certified Information Privacy Professional 
(CIPP), the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy 
Technologist (CIPT).
The CIPP is the “what” of privacy. Earning this designation demonstrates your mastery of a 
principles-based framework in information privacy in a legal or practical specialization. Within the CIPP, 
there are four concentrations:
• Asian privacy (CIPP/A)
• Canadian privacy (CIPP/C)
• European privacy (CIPP/E)
• U.S. private-sector privacy (CIPP/US)
The CIPM is the “how” of privacy (operations). Earning this designation shows you understand how to 
manage privacy in an organization through process and technology. 
The CIPT is the “how” of privacy (technology). Earning this designation shows you know how to 
manage and build privacy requirements and controls into technology. 
There are no concentrations within the CIPM or the CIPT—they are global designations that cross all 
jurisdictions and industries.
Requirements for IAPP Certification
1. You must pay a certification maintenance fee of $250 for two years
OR
2. You can become a member of the IAPP—with access to numerous benefits like discounts, 
networking opportunities, members-only resources and more—for just $275 USD annually, which 
includes your maintenance fee.
More information about IAPP membership, including levels, benefits and rates, is available on the IAPP 
website at iapp.org/join.
CIPM Key Areas of Knowledge
The CIPM program was developed in response to overwhelming demand to collate common practices 
for managing privacy operations. It covers program governance and the skills to establish, maintain and 
manage a privacy program across all stages of its operational lifecycle. 
The two major CIPM program components are:
I. Privacy Program Governance
• Creating a company vision
• Establishing a privacy program
• Structuring the privacy team 
• Developing and implementing a privacy program framework
• Communicating to stakeholders
• Performance measurement
II. Privacy Operational Lifecycle
• Assessing or analyzing an organization’s privacy regime
• Protecting information assets through the implementation of industry-leading privacy 
and security controls and technology
• Sustaining the privacy program through communication, training and management actions
• Responding to privacy incidents
Preparation
Privacy certification is an important effort that requires advance preparation. Deciding how you will 
prepare for your exams is a personal choice that should include an assessment of your professional 
background, scope of privacy knowledge and your preferred method of learning. 
In general, the IAPP recommends that you plan for a minimum of 30 hours of study time in advance of 
your exam date; however, you might need more or fewer hours depending on your personal choices and 
professional experience.
The IAPP recommends you prepare in the following manner:
1. Review the Body of Knowledge 
The body of knowledge for the CIPM program is a comprehensive outline of the subject matter areas 
covered by the CIPM exam. Review it carefully to help determine which areas merit additional focus in 
your preparation. See pages 6-11.
2. Review the Exam Blueprint
The CIPM exam blueprint on page 12 specifies the number of items from each area of the body of 
knowledge that will appear on the exam. Studying the blueprint can help you further target your 
primary study needs.
3. Study the CIPM Textbook
Privacy Program Management: Tools for Managing Privacy Within Your Organization is the authoritative 
reference for the CIPM program. The IAPP strongly recommends you take the time to carefully read 
and study the textbook. The electronic version of the official CIPM textbook is included free with the 
purchase of CIPM online or live online training. The print version is included free with the purchase of 
CIPM in-person training classes.
4. Get Certification Training 
The IAPP offers in-person certification prep classes, live online and online training to help you prepare 
for your exams. You can find a list of scheduled classes and/or purchase downloadable online training in 
the IAPP store. 
5. Take the CIPM Sample Questions
Sample questions are a great way to gain familiarity with the format and content of the actual 
designation exams. They are available for purchase in a downloadable PDF file containing the questions, 
an answer key and an explanation of each correct answer. Sample questions are included free with the 
purchase of CIPM online, live online and in-person training classes.
6. Review other IAPP Preparation Resources
Additional resources are available on the IAPP website, including a searchable glossary of terms.
CIPM Common Body of Knowledge Outline
I. Developing a Privacy Program
A. Create a company vision
a. Acquire knowledge on privacy approaches
b. Evaluate the intended objective
c. Gain executive sponsor approval for this vision
B. Establish Data Governance model
a. Centralized
b. Distributed
c. Hybrid
C. Establish a privacy program
a. Define program scope and charter
b. Identify the source, types, and uses of personal information (PI) within the organization and the applicable laws
c. Develop a privacy strategy
i. Business alignment
1. Finalize the operational business case for privacy
2. Identify stakeholders
3. Leverage key functions
4. Create a process for interfacing within the organization
5. Align organizational culture and privacy/data protection objectives
ii. Obtain funding/budget for privacy and the privacy team
iii. Develop a data governance strategy for personal information (collection, authorized use, access, destruction)
iv. Plan inquiry/complaint handling procedures (customers, regulators, etc.)
v. Ensure program flexibility in order to incorporate legislative/regulatory/market/business requirements
D. Structure the privacy team 
a. Establish the organizational model, responsibilities and reporting structure appropriate to the size of the organization
i. Large organizations 
1. Chief privacy officer 
2. Privacy manager 
3. Privacy analysts 
4. Business line privacy leaders 
5. “First responders” 
ii. Small organizations/sole data protection officer (DPO), including when privacy is not the DPO's only job
b. Designate a point of contact for privacy issues 
c. Establish/endorse the measurement of professional competency 
E. Communicate 
a. Awareness
i. Create awareness of the organization’s privacy program internally and externally
ii. Develop internal and external communication plans to ingrain organizational accountability
iii. Identify, catalog and maintain documents requiring updates as privacy requirements change
II. Privacy Program Framework
A. Develop the Privacy Program Framework 
a. Develop organizational privacy policies, standards and/or guidelines
b. Define privacy program activities
i. Education and awareness
ii. Monitoring and responding to the regulatory environment
iii. Internal policy compliance
iv. Data inventories, data flows and classification
v. Risk assessment (Privacy Impact Assessments [PIAs], DPIAs, etc.)
vi. Incident response and process, including jurisdictional regulations
vii. Remediation
viii. Program assurance, including audits
B. Implement the Privacy Policy Framework
a. Communicate the framework to internal and external stakeholders 
b. Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework
i. Understand when national laws and regulations apply (e.g. GDPR)
ii. Understand when local laws and regulations apply (e.g. CCPA)
iii. Understand penalties for noncompliance with laws and regulations
iv. Understand the scope and authority of oversight agencies (e.g., Data Protection Authorities, Privacy Commissioners, Federal Trade Commission, etc.)
v. Understand privacy implications of doing business with or basing operations in countries with inadequate, or without, privacy laws
vi. Maintain the ability to manage a global privacy function
vii. Maintain the ability to track multiple jurisdictions for changes in privacy law
viii. Understand international data sharing arrangements and agreements
C. Develop Appropriate Metrics
a. Identify intended audience for metrics
b. Define reporting resources
c. Define privacy metrics for oversight and governance per audience
i. Compliance metrics (examples, will vary by organization)
1. Collection (notice)
2. Responses to data subject inquiries
3. Use
4. Retention
5. Disclosure to third parties
6. Incidents (breaches, complaints, inquiries)
7. Employees trained
8. PIA metrics
9. Privacy risk indicators
10. Percent of company functions represented by governance mechanisms
ii. Trending 
iii. Privacy program return on investment (ROI) 
iv. Business resiliency metrics 
v. Privacy program maturity level 
vi. Resource utilization 
d. Identify systems/application collection points 
III. Privacy Operational Life Cycle: Assess 
A. Document current baseline of your privacy program
a. Education and awareness 
b. Monitoring and responding to the regulatory environment 
c. Internal policy compliance 
d. Data, systems and process assessment 
i. Map data inventories, flows and classification 
ii. Create “record of authority” of systems processing personal information within the organization
1. Map and document data flow in systems and applications 
2. Analyze and classify types and uses of data 
e. Risk assessment (PIAs, etc.) 
f. Incident response 
g. Remediation 
h. Determine desired state and perform gap analysis against an accepted standard or law (including GDPR)
i. Program assurance, including audits
B. Processors and third-party vendor assessment
a. Evaluate processors and third-party vendors, insourcing and outsourcing privacy risks, including rules of international data transfer
i. Privacy and information security policies 
ii. Access controls 
iii. Where personal information is being held 
iv. Who has access to personal information 
b. Understand and leverage the different types of relationships 
i. Internal audit 
ii. Information security 
iii. Physical security 
iv. Data protection authority 
c. Risk assessment 
i. Type of data being outsourced 
ii. Location of data 
iii. Implications of cloud computing strategies 
iv. Legal compliance 
v. Records retention 
vi. Contractual requirements (incident response, etc.) 
vii. Establish minimum standards for safeguarding information 
d. Contractual requirements 
e. Ongoing monitoring and auditing 
C. Physical assessments 
a. Identify operational risk 
i. Data centers and offices 
ii. Physical access controls 
iii. Document destruction 
iv. Media sanitization and disposal (e.g., hard drives, USB/thumb drives, etc.) 
v. Device forensics
vi. Device security (e.g., mobile devices, Internet of Things (IoT), geo-tracking, imaging/copier hard drive security controls)
D. Mergers, acquisitions and divestitures 
a. Due diligence 
b. Risk assessment 
E. Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) 
a. Privacy Threshold Analysis (PTAs) on systems, applications and processes
b. Privacy Impact Assessments (PIAs)
i. Define a process for conducting Privacy Impact Assessments
1. Understand the life cycle of a PIA
2. Incorporate PIA into system, process, product life cycles
IV. Privacy Operational Life Cycle: Protect
A. Information security practices 
a. Access controls for physical and virtual systems 
i. Access control on need to know 
ii. Account management (e.g., provision process) 
iii. Privilege management 
b. Technical security controls 
c. Implement appropriate administrative safeguards 
B. Privacy by Design 
a. Integrate privacy throughout the system development life cycle (SDLC) 
b. Establish privacy gates as part of the system development framework
C. Integrate privacy requirements and representation into functional areas across the organization 
i. Information security
ii. IT operations and development
iii. Business continuity and disaster recovery planning
iv. Mergers, acquisitions and divestitures
v. Human resources
vi. Compliance and ethics
vii. Audit
viii. Marketing/business development
ix. Public relations
x. Procurement/sourcing
xi. Legal and contracts
xii. Security/emergency services
xiii. Finance
xiv. Others
D. Other Organizational Measures
a. Quantify the costs of technical controls
b. Manage data retention with respect to the organization’s policies
c. Define the methods for physical and electronic data destruction
d. Define roles and responsibilities for managing the sharing and disclosure of data for internal and external use
V. Privacy Operational Life Cycle: Sustain
A. Monitor
a. Environment (e.g., systems, applications) monitoring
b. Monitor compliance with established privacy policies
c. Monitor regulatory and legislative changes
d. Compliance monitoring (e.g. collection, use and retention)
i. Internal audit
ii. Self-regulation
iii. Retention strategy
iv. Exit strategy
B. Audit
a. Align privacy operations to an internal and external compliance audit program
i. Knowledge of audit processes
ii. Align to industry standards
b. Audit compliance with privacy policies and standards
c. Audit data integrity and quality and communicate audit findings with stakeholders
d. Audit information access, modification and disclosure accounting
e. Targeted employee, management and contractor training
i. Privacy policies
ii. Operational privacy practices (e.g., standard operating instructions), such as
1. Data creation/usage/retention/disposal
2. Access control
3. Reporting incidents
4. Key contacts
VI. Privacy Operational Life Cycle: Respond
A. Data-subject information requests and privacy rights
a. Access
b. Redress
c. Correction
d. Managing data integrity
B. Privacy incident response
a. Legal compliance
i. Preventing harm
ii. Collection limitations
iii. Accountability
iv. Monitoring and enforcement
b. Incident response planning
i. Understand key roles and responsibilities
1. Identify key business stakeholders
1. Information security
2. Legal
3. Audit
4. Human resources
5. Marketing
6. Business development
7. Communications and public relations
8. Other
2. Establish incident oversight teams
3. Develop a privacy incident response plan
4. Identify elements of the privacy incident response plan
5. Integrate privacy incident response into business continuity planning
c. Incident detection
i. Define what constitutes a privacy incident
ii. Identify reporting process
iii. Coordinate detection capabilities
1. Organization IT
2. Physical security
3. Human resources
4. Investigation teams
5. Vendors
d. Incident handling
i. Understand key roles and responsibilities
ii. Develop a communications plan to notify executive management
e. Follow incident response process to ensure meeting jurisdictional, global and business requirements
1. Engage privacy team
2. Review the facts
3. Conduct analysis
4. Determine actions (contain, communicate, etc.)
5. Execute
6. Monitor
7. Review and apply lessons learned
f. Identify incident reduction techniques
g. Incident metrics—quantify the cost of a privacy incident
 
CIPM Exam Format
The CIPM is a 2.5-hour exam composed of 90 multiple-choice items (questions). Approximately half of the multiple-choice items are associated with scenarios. There are no essay questions. Each correct answer is worth one point.
Exam Blueprint 
The exam blueprint indicates the minimum and maximum number of items included on the CIPM 
exam from the major areas of the body of knowledge. Questions may be asked from any of the topics 
listed under each area. You can use this blueprint to guide your preparation. 
Min  Max  Area
 13   17  I. Developing a Privacy Program
  1    3     A. Create a company vision
  1    3     B. Establish a Data Governance model
  3    5     C. Establish a privacy program
  1    3     D. Structure the privacy team
  4    6     E. Communicate
  9   11  II. Privacy Program Framework
  3    5     A. Develop the Privacy Program Framework
  2    4     B. Implement the Privacy Program Framework
  2    4     C. Develop Appropriate Metrics
 13   17  III. Privacy Operational Lifecycle: Assess
  1    3     A. Document current baseline of your privacy program
  3    5     B. Processors and third-party vendor assessment
  1    3     C. Physical Assessments
  1    3     D. Mergers, acquisitions, and divestitures
  4    6     E. Privacy Impact Assessments and Data Protection Impact Assessments
 12   16  IV. Privacy Operational Lifecycle: Protect
  4    6     A. Information security practices
  2    4     B. Privacy by Design
  2    4     C. Integrate privacy requirements and representation into functional areas across the organization
  2    4     D. Other Organizational Measures
  5    7  V. Privacy Operational Lifecycle: Sustain
  2    4     A. Monitor
  2    4     B. Audit
  9   11  VI. Privacy Operational Lifecycle: Respond
  5    7     A. Data-subject information requests and privacy rights
  3    5     B. Privacy incident response
Example Questions 
 
1. Which descriptor best describes the general attitude an organization should exhibit regarding its practices 
and policies for data protection?
A. Security
B. Openness
C. Secrecy
D. Education
2. Where should procedures for resolving complaints about privacy protection be found?
A. In written policies regarding privacy
B. In the Emergency Response Plan
C. In memoranda from the CEO
D. In the minutes of corporate or organizational board meetings
Sample Scenario
John is the Data Protection Officer for a fashion retailer based in Europe. He has recently trained the staff on 
the concept of Privacy by Design. Staff now know to seek his advice early in the planning of any new initiatives 
that involve the collection of personal data. 
John has been asked to provide advice on a proposal for a new online business for enthusiasts of designer 
fashion, called “Designers You Love.” This will be a web-based service through which subscribers can access 
insider news on their favorite designers, receive discounts on clothing, have the opportunity to meet designers 
at fashion shows and be able to book tickets and enter competitions.
In order to sign up for “Designers You Love,” individuals must complete an online form. The data being 
collected includes the mandatory provision of name, email address, payment card information, favorite designers, 
clothing size, and annual clothing expenditures. After reviewing the form, John grows concerned that the 
company might be collecting excessive information.
The business intends to use this data for the following purposes:
• To provide subscribers with access to information on the site
• To collect payment and manage subscriptions
• To analyse subscriber use of the site (using browsing history, subscription information and cookies)
• To perform profiling for the purpose of sending relevant offers to customers
The website and the associated database of subscribers will be hosted by a U.S. technology company called 
HostPro Ltd. Its servers are located in the U.S., but it wishes to use subcontractors who have their own 
servers. The company intends to use a payment card processor they already have a relationship with to manage 
subscription payments.
1. How might John first explore his concerns regarding excessive data collection?
A. Perform a third-party audit. 
B. Monitor complaints from subscribers. 
C. Ask the data protection supervisory authority for guidance. 
D. Ask the business sponsor for the rationale for each data field collected. 
2. What vendor management process should John invoke first?
A. Conduct a security walkthrough of vendor work sites. 
B. Assess the vendors' ability to protect personal data. 
C. Require ongoing monitoring of the vendors' processes. 
D. Review the supplier contract and weigh against vendor performance.
General Exam Information
The IAPP offers testing via computer-based delivery at over 6,000 testing centers worldwide, or you can take your certification exam from home with online proctoring.
You can find detailed information about how to register for exams, as well as exam-day instructions, in the IAPP Certification Information Candidate Handbook, on our website at iapp.org/certify.
Questions?
The IAPP recognizes that privacy certification is an important professional development effort requiring 
commitment and preparation. We thank you for choosing to pursue certification, and we welcome your 
questions and comments regarding our certification program. 
Please don’t hesitate to contact us.
https://iapp.org/about/contact/
Example Questions: Answers
 
1. Which descriptor best describes the general attitude an organization should exhibit regarding its 
practices and policies for data protection?
A. Security
B. Openness
C. Secrecy
D. Education
2. Where should procedures for resolving complaints about privacy protection be found?
A. In written policies regarding privacy
B. In the Emergency Response Plan
C. In memoranda from the CEO
D. In the minutes of corporate or organizational board meetings
Sample Scenario
John is the Data Protection Officer for a fashion retailer based in Europe. He has recently trained the 
staff on the concept of Privacy by Design. Staff now know to seek his advice early in the planning of any 
new initiatives that involve the collection of personal data. 
John has been asked to provide advice on a proposal for a new online business for enthusiasts of designer 
fashion, called “Designers You Love.” This will be a web-based service through which subscribers can 
access insider news on their favorite designers, receive discounts on clothing, have the opportunity to 
meet designers at fashion shows and be able to book tickets and enter competitions.
In order to sign up for “Designers You Love,” individuals must complete an online form. The data 
being collected includes the mandatory provision of name, email address, payment card information, 
favorite designers, clothing size, and annual clothing expenditures. After reviewing the form, John grows 
concerned that the company might be collecting excessive information.
The business intends to use this data for the following purposes:
• To provide subscribers with access to information on the site
• To collect payment and manage subscriptions
• To analyse subscriber use of the site (using browsing history, subscription information and 
cookies)
• To perform profiling for the purpose of sending relevant offers to customers
The website and the associated database of subscribers will be hosted by a U.S. technology company 
called HostPro Ltd. Its servers are located in the U.S., but it wishes to use subcontractors who have their 
own servers. The company intends to use a payment card processor they already have a relationship with 
to manage subscription payments.
Example Exam Questions: Answers
 
1. How might John first explore his concerns regarding excessive data collection?
A. Perform a third-party audit. 
B. Monitor complaints from subscribers. 
C. Ask the data protection supervisory authority for guidance. 
D. Ask the business sponsor for the rationale for each data field collected. 
2. What vendor management process should John invoke first?
A. Conduct a security walkthrough of vendor work sites. 
B. Assess the vendors' ability to protect personal data. 
C. Require ongoing monitoring of the vendors' processes. 
D. Review the supplier contract and weigh against vendor performance.