How I got the certification CIPM - Certified Information Privacy Manager
A hot topic right now, privacy is a theme that is getting more and more importance. New laws and regulations, recurrent personal data breaches, fines, and other sanctions; all of this results in increased attention from mainstream media and the general public. Still, data protection is far from being a new topic. We, information security professionals, had the mission to protect data long before any privacy legislation. Despite all the recent progress in data protection technology and regulations, much hasn’t changed. For instance, you can’t be successful with data protection (or information security, or privacy, or cybersecurity, and so forth) without defining a program that is aligned with business objectives, measurable, and continually improved. That is where the CIPM - Certified Information Privacy Manager certification program holds its value.
The largest and most comprehensive global information privacy community
The CIPM is promoted by the IAPP - International Association of Privacy Professionals, a not-for-profit association, recognized by many and self-proclaimed the largest and most comprehensive global information privacy community. Beyond the CIPM, the IAPP also promotes other highly regarded certification programs, such as the CIPP - Certified Information Privacy Professional (with its concentrations), and the CIPT - Certified Information Privacy Technologist.
The “how” of privacy operations and program management
According to the IAPP, the CIPM is the world’s first and only certification in privacy program management, and it shows that you don’t just know privacy regulations, but you know how to make them work for your organization: establishing, maintaining and managing a privacy management program through all of the phases of its lifecycle. The main concepts and topics covered by the program are:
- How to create a company vision
- How to structure the privacy team
- How to develop and implement a privacy program framework
- How to communicate to stakeholders
- How to measure performance
- The privacy program operational lifecycle

The CIPM certification is comprised of two domains:
- Privacy Program Governance (I)
- Privacy Program Operational Life Cycle (II)

Those who are familiar with information security management certification programs, for instance CISSP (especially domains 1 and 2), CISSP-ISSMP and CISM, will find themselves with a solid background to understand the CIPM body of knowledge. At the end of the day it is all about the development, establishment, management, and operation of a data protection program, although it is crucial to understand privacy concepts and requirements, and how they differ from security concepts (even if, like me, you don’t always agree with the definitions and distinctions provided by the IAPP resources or other privacy study materials; but that is a subject for another text).
As I stated earlier, the preparation for the other information security management certifications and, of course, my professional experience gave me a solid base to understand the CIPM body of knowledge content.
Material and study process
The IAPP offers courses and training in different formats to help candidates prepare for their exams, but as with the other certifications that I hold, I decided to do it on my own. I bought the CIPM textbook, named Privacy Program Management, available both in physical and digital formats at the IAPP Store. I read the book cover to cover, making some highlights and notes, although I skimmed some chapters that I found somewhat superficial for experienced data protection and information security professionals, which is perfectly understandable, given that the program is aimed at privacy professionals who do not always have relevant information security experience. The next steps were reviewing all my highlights and notes and drawing mind maps, which help me a lot to organize my content better and study the most important topics. I also acquired the sample questions available at the IAPP Store. It is a 22-question PDF file containing sample questions similar in format and content to the CIPM exam, as well as an explanation of each correct answer. I answered the questions in about 25 minutes, with 18 correct answers and 4 errors. Then I reviewed the questions that I missed and felt that that was it: my preparation was over, and I felt prepared for the exam.
I arrived at the testing center a few minutes before the scheduled time, confirmed my ID and signed the acknowledgment that I would be monitored by video during the exam. After storing my stuff in the provided locker, I started the exam: 120 minutes to answer 90 multiple-choice questions with 4 alternatives each, with the possibility of browsing all questions and flagging them for later review.
My thoughts on the exam
It was certainly the exam with the most complex use of English that I have done, which can be an additional challenge for someone who is not a native English speaker, myself included. Regarding textual presentation, a lot of questions are scenario based, and these scenarios are described in 3 or 4 paragraphs. After the second scenario I realized that reading all the scenario descriptions can be an unnecessary waste of time, given that much of the information wasn’t essential to answer the questions correctly. From that point on, I read the questions first and then, when needed, the scenario, quickly and looking specifically for the information that I needed. It wasn’t the most challenging exam that I’ve ever done, but a lot of questions have more than one possible (or correct) answer, and the most appropriate alternative should be selected. This made me flag a lot of questions for review, following my habitual process for exams like this: read the question and alternatives once; if I’m certain, quickly read it once again (or not), then select the answer and move ahead; when I’m not certain, pick what I find the most probable alternative, flag it for later review and move on to the next question. This process might have made me flag more questions than needed, 44 in total (yeah, almost half of the questions). After I answered all 90 questions, I had approximately 40 minutes to review the flagged questions, from that point forward removing the flag from the questions where I had more confidence in the previously selected answer, and keeping the flag on the ones I was still in doubt about; I changed only a few answers. For the third iteration, with less than 10 minutes and 11 questions left, I changed 1 answer and finally submitted the exam, with less than 3 minutes to the end of the allotted time. Then it was just waiting for the result.
Better results than expected
By the end of the exam, I got the results on the screen by domain:
- Privacy Program Governance (I): 95%
- Privacy Program Operational Life Cycle (II): 80%

Even though I was confident, it is always a relief after submitting an exam to get the PASS. As soon as I got my mobile from the locker, I received an email with the exam results and a congratulations message, quite different from other certifications, where the confirmation can take weeks to be sent. What took a few days to arrive in my mailbox was the IAPP mail through Accredible, the online credentials partner of the IAPP, with the certificate in digital format. It is also possible to access and verify the credential through Accredible.
The most important: What I learned
I’m more and more convinced of the convergence between privacy and information security management; at the end of the day, in general terms, the objectives are the same: protect data in order to manage risks and enable business, even though the CIPM content sometimes tries to distinguish the two disciplines more than I think appropriate. In general, I did not learn a lot of new stuff, which was by itself a relevant lesson for me: if you are able to establish and manage an information security program, you might as well be able to establish and manage a privacy program.