
CIPM Body of Knowledge (2024-2025)

If your role involves implementing privacy practices or if you’re looking to break into the fast-growing privacy and data protection field, you’ve likely considered becoming a Certified Information Privacy Manager (CIPM). To do that, you'll need to pass the CIPM exam, administered by the International Association of Privacy Professionals (IAPP).


Before diving into your studies, your first stop should be the CIPM Body of Knowledge (BoK). This document outlines the key concepts and topics you'll encounter on the exam and serves as your roadmap to certification.


When Do the 2024–2025 Changes Take Effect?


To avoid surprising test-takers, the IAPP releases BoK updates well in advance of when new content appears on exams. The 2024–2025 updates to the CIPM BoK will go into effect on September 2, 2024, giving candidates enough time to adjust their study plans.


A Short Recap on The CIPM’s Structure


Last year, the IAPP introduced a major overhaul to the CIPM BoK format. Instead of the traditional outline style, the BoK was restructured into high-level “competencies” paired with “performance indicators”—a format that also incorporates the Exam Blueprint.


What are Competencies all about? They are broad clusters of related tasks and knowledge areas.


What are Performance Indicators? They break each competency down into the specific tasks and abilities expected of certified professionals.


Last year’s updated structure is now the standard and continues unchanged this year.


Did the Domains Change?


No changes here. The six domains introduced last year remain intact:


  1. Privacy Program: Developing a Framework

    I.A Define program scope and develop a privacy strategy.

    I.B Communicate organizational vision and mission statement.

    I.C Indicate in-scope laws, regulations and standards applicable to the program.


  2. Privacy Program: Establishing Program Governance

    II.A Create policies and processes to be followed across all stages of the privacy program life cycle.

    II.B Clarify roles and responsibilities.

    II.C Define privacy metrics for oversight and governance.

    II.D Establish training and awareness activities.


  3. Privacy Operational Life Cycle: Assessing Data

    III.A Document data governance systems.

    III.B Evaluate processors and third-party vendors.

    III.C Evaluate physical and environmental controls.

    III.D Evaluate technical controls.

    III.E Evaluate risks associated with shared data in mergers, acquisitions, and divestitures.


  4. Privacy Operational Life Cycle: Protecting Personal Data

    IV.A Apply information security practices and policies.

    IV.B Integrate the main principles of Privacy by Design (PbD).

    IV.C Apply organizational guidelines for data use and ensure technical controls are enforced.


  5. Privacy Operational Life Cycle: Sustaining Program Performance

    V.A Use metrics to measure the performance of the privacy program.

    V.B Audit the privacy program.

    V.C Manage continuous assessment of the privacy program.


  6. Privacy Operational Life Cycle: Responding to Requests and Incidents

    VI.A Respond to data subject access requests and privacy rights.

    VI.B Follow organizational incident handling and response procedures.

    VI.C Evaluate and modify current incident response plan.


This consistency helps returning candidates and training providers maintain alignment with the exam structure.


Has the Number of Questions per Topic Changed?


No. The exam blueprint, which outlines how many questions appear per domain or competency, remains the same as last year.


What New Content Was Added?


While this year’s updates are modest, five new performance indicators were added across three domains; no new competencies were added. The new performance indicators are:

  • Competency I.A – Performance Indicator: “Understand the organization’s business strategy and risk appetite”

  • Competency I.C – Performance Indicator: “Understand the privacy risks posed by the use of AI in the business environment”

  • Competency II.A – Performance Indicator: “Create data retention and disposal policies and procedures”

  • Competency II.B – Performance Indicator: “Define roles and responsibilities of privacy team and stakeholders”

  • Competency III.D – Performance Indicator: “Collaborate with relevant stakeholders to identify and evaluate technical controls”


In addition, performance indicators under Competencies I.A and II.B were re-ordered. Some existing indicators were also reworded for clarity. For instance, “Structure the privacy team” under Competency I.A was revised to “Define the structure of the privacy team.” The IAPP notes that these types of edits are not substantive.


Were Any Topics Removed?


Yes, one performance indicator was removed this year: under Competency V.C, the indicator about managing ethical AI use (ensuring fairness, bias mitigation, data minimization, and compliance) was deleted.


While the IAPP didn’t explain this change, it’s likely related to the launch of its Artificial Intelligence Governance Professional (AIGP) certification, which focuses more comprehensively on AI-related governance and compliance.


Other than that, no major deletions were made. However, it’s worth noting that the competency-based structure is more concise than the previous outline-style BoK. While no significant subtopics seem to have disappeared, the new format doesn’t spell out details as explicitly, so it’s possible that some granular guidance has been streamlined.


In Summary


  • The 2024–2025 CIPM BoK takes effect September 2, 2024

  • Format remains unchanged, using competencies and performance indicators

  • No new domains were added

  • Five new performance indicators were introduced

  • One AI-related indicator was removed, likely due to overlap with the new AIGP certification

  • All other changes are minor and mostly editorial





