
Privacy 108 has proudly served as an IAPP educational partner since 2017, with the CIPM being the first IAPP training course we delivered. Privacy 108 founder and exam instructor Dr Jodie Siganto recently recorded a webinar focusing on how to prepare for the IAPP CIPM exam.
We’re pleased to share some of the tips from that Webinar with you here.
Check out our webinar to learn more about the CIPM, or read the complete blog post for a comprehensive overview.
This guide aims to provide you with essential information, background, context, tips, and valuable resources as you consider undertaking the CIPM exam. It’s understandable if you feel daunted, especially if you dislike failing or haven’t taken an exam in a long time. Worries about remembering everything or potential embarrassment at work if you don’t pass are common. Despite online comments suggesting the CIPM is quite difficult, it should not be that hard if you have the right preparation. Much of the content is common sense, particularly for Australian privacy practitioners already familiar with many core privacy principles. With dedicated reading and ample practice questions, you should succeed. And it is considered an excellent entry-level certification for privacy professionals.
In this Guide, we will explore the exam itself, discuss preparation strategies, identify key resources, and thoroughly review the Body of Knowledge (BoK).
We cannot overstate the importance of the Body of Knowledge; it is your paramount resource. Continuously refer back to it to assess your understanding and ensure comprehensive coverage of all topics.
The CIPM exam assesses your comprehension of how to implement a program that ensures compliance with data privacy regulations from an operational standpoint.
It is not a legal exam and does not test your knowledge of specific laws like US privacy law or Australian privacy principles, which unfortunately receive little mention. The primary objective is to evaluate your understanding of how to establish, maintain, and manage information privacy across an organization throughout the entire privacy program lifecycle. This lifecycle, integrated into the Body of Knowledge, comprises four key steps: Assess, Protect, Sustain, and Respond.
Therefore, the exam is practical, operational, and focused on program implementation.
This exam and its Body of Knowledge are globally applicable, designed for individuals operating in an international context without a particular jurisdictional perspective. When approaching scenario questions, you should imagine yourself as the privacy officer of a multinational organization with offices, subsidiaries, or partners worldwide (not, for example, as a Privacy Manager in an Australian State government agency). If a scenario implies a specific location, such as the EU, it will typically be stated.
This can be challenging for privacy professionals used to operating in a simpler environment where only a single set of privacy principles apply.
The CIPM exam is two and a half hours (150 minutes) long. This can feel like a significant duration, especially if you haven’t taken an exam recently, so you should ensure you are well-rested and well-fed (e.g., a good breakfast) and take the exam when you are most alert. This might influence your choice of taking it at an exam center or at home, particularly if you find your optimal brain function occurs at unusual hours like midnight.
With 90 questions, this averages to less than two minutes per question. However, some questions will be quickly answered in a matter of seconds. Most individuals report having sufficient time to complete the exam.
The exam is roughly divided into two sections, and you may take a break in the middle. This can be beneficial for a “biology break” or to grab something to eat. Processes for managing breaks may vary by location.

It’s noteworthy that during the exam, especially at a testing center, you may feel heavily surveilled—a peculiar irony for a privacy exam. Strict measures are in place to prevent cheating. Experiences at a center involve thorough checks: verifying nothing is written on your hands, confiscating even an analog watch, and sometimes even asking you to lift your trouser legs to show your socks. All personal possessions are secured in a locker, leaving you with essentially nothing in the room.
Out of the 90 questions, 15 are unscored. These are pilot questions used to test effectiveness, proper wording, and alignment with the intended learning objectives. Therefore, only 75 questions actually contribute to your score. The passing score is 70%, which translates to 300 out of a scaled score of 500, incorporating some form of weighting.
You must demonstrate proficiency across all domains; it is not advisable to neglect any specific area. If you encounter a particularly confusing question, it may well be one of the 15 unscored trial questions. The exam platform also provides an opportunity to offer feedback on questions, though it’s best to reserve this for the end of the exam to avoid wasting precious time.
All questions are multiple-choice, offering four options (A, B, C, or D). “All of the above” or “A or B” type answers are not used. Often, you can easily eliminate two incorrect answers, reducing your choices to two possibilities. When faced with two seemingly plausible options, you should ask yourself which one is “the most right” or “the least wrong”.
Scenario-based questions are a definite component of the exam and can be lengthy and complex. If you are a legal professional, be advised to avoid a full forensic comprehension of the scenario, as extraneous facts are often included and may not be relevant to the questions asked. You should give the scenario a decent read, then review the questions, and revisit the scenario as needed.
The scenario will always be accessible while answering its associated questions. Sometimes, questions can even be answered without a deep understanding of the scenario if the question is answerable outside its specific facts. You should not be perturbed by irrelevant information; it’s part of testing your ability to apply knowledge to a given situation.
If you are unsure of an answer, you can skip the question and mark it for later review. The exam system will group these marked questions, allowing you to return to them after completing the ones you know. This strategy can boost confidence and help manage your time efficiently, preventing you from spending too long on a single difficult question. The system provides multiple prompts before final submission, so you can move back and forth between questions.
You should consider whether you will re-review all your answers before finishing. While your brain might be sharpest at the beginning, a later question could trigger an understanding for an earlier one.
It is strongly encouraged that you register for the exam and secure a date to create a concrete goal for your preparation. It’s common for people to delay after training, so setting a firm date is crucial. While life is busy, obtaining this certification is highly beneficial.
You typically receive an exam voucher if you complete IAPP training through an authorized provider. Be mindful of the voucher’s validity period to avoid losing this significant investment. The voucher is linked to your IAPP membership, and becoming a member offers a better price for the exam. Your exam scheduling is managed through your “My IAPP” account, where the voucher will be applied.
You can reschedule your exam at no cost and seemingly without limit, as long as you do so at least 48 hours before your scheduled appointment. This is done easily online. One individual found this feature quite useful, having rescheduled their CIPT exam at least twice, which ultimately pushed them to finally take it. However, caution is advised: if you fail to reschedule in time and do not appear, you will forfeit the exam fee, which is a substantial US$550. While exceptional circumstances might be explained to the IAPP, it’s best to avoid this situation.
The exam is pass/fail, meaning there are no distinctions or special awards – simply passing is the goal. You will receive your result immediately upon submitting the exam. If you do not pass, you will receive a score and a breakdown by domain, which helps identify areas for improvement. If you pass, you may receive your score but typically not a domain breakdown.
A minimum of 30 days must pass before you can retake the exam. This rule prevents candidates from repeatedly sitting the exam to learn the questions. As part of the ethics agreement for certification, you commit not to share actual exam questions. A retake also incurs another fee of US$375, which you ideally want to avoid. You should make every effort to pass on the first attempt.
If you are concerned about passing, maybe don’t tell others that you are sitting for the exam. That way, if you pass, it’s a pleasant surprise, and if you don’t, no one will know.
Important Note: The BoK is scheduled to change for exams taken on or after September 1, 2025. You must confirm you are studying the correct version for your intended exam date. A blog post comparing the current and upcoming BoK versions will be published on Privacy 108’s website. If you completed training recently (as of June 2025), it is highly recommended to take the exam before September 1st to utilize the current BoK.
These are some of the preferred resources, especially the IAPP ones, as they help you adopt the IAPP mindset.
Over the years, non-IAPP authors and publishers have developed textbooks to aid CIPM preparation.
The message remains clear: The Body of Knowledge. The Body of Knowledge. The Body of Knowledge.
The following outlines the six domains of the current CIPM Body of Knowledge, which is valid until August 31, 2025. As previously mentioned, the BoK will be updated for exams taken on or after September 1, 2025, so you must consult the relevant version.
The current Body of Knowledge is structured into six domains:
Domains 1 and 2 focus on establishing the privacy program’s framework and governance. Domains 3, 4, 5, and 6 correspond to the privacy program lifecycle: Assess, Protect, Sustain, and Respond, respectively.
Each of these six domains is further subdivided into more detailed topics. For instance, under Domain 1, topics like “define program scope” and “develop a privacy strategy” will have further specifications in the detailed BoK document. You will know you’re prepared when you can review these high-level domain topics and confidently understand what is expected for each area.
This is a critical section, as it indicates the weighting of questions for each domain.

As you can see, Domains 1, 2, and 3, along with Domain 6, account for a significant portion of the questions. Domains 4 (Protect) and 5 (Sustain) are comparatively less weighted. Domain 5 (Sustain) in particular, with potentially 7 to 9 questions, makes sense given its more limited focus on metrics, auditing, and continuous assessment. When planning your study, you should be aware of these weightings to direct your efforts most effectively.
This concludes the guide. It is hoped that this information proves helpful. Best of luck with your exam preparation, and please share your experience.
Good luck.