IAPP Certified Information
Privacy Manager

Book Now

Become a leader in privacy programme management with this
advanced data protection (CIPM) certificate from the IAPP


The Certified Information Privacy Manager (CIPM) is the first and only qualification in privacy programme management. Developed by the International Association of Privacy Professionals (IAPP) in 2013, the CIPM is the perfect companion to both the IAPP CIPP/E and BCS Practitioner Certificate in Data Protection. Holders of the award develop an understanding of the capabilities required to implement, maintain and manage a privacy programme through every stage of its lifecycle. By obtaining the CIPP/E certification, practitioners can significantly improve their career prospects and lifetime earnings. Award holders will join an elite group of highly decorated, globally recognised data protection professionals.


Official IAPP
CIPM textbooks

online sessions


CIPM exam


1st year
IAPP membership


Code Course Start Duration Location Booking
CIPM IAPP Certified Information Privacy Manager 02 Apr 24 4 X 4hr Sessions Online Book now
24 Jun 24 4 X 4hr Sessions Online Book now

IAPP Certified Information Privacy Manager (CIPM)

Starts: 02 Apr 24

Duration: 4 X 4hr Sessions

Location: Online

Book now

IAPP Certified Information Privacy Manager (CIPM)

Starts: 24 Jun 24

Duration: 4 X 4hr Sessions

Location: Online

Book now

CIPM Course Contents

The IAPP Certified Information Privacy Manager (CIPM) is an essential professional qualification for industry practitioners already trained in data protection law. Unlike legal-based data protection training courses, the CIPM covers the practical implementation and management of privacy operations, making it an ideal qualification for data protection officers (DPOs) and other senior compliance professionals tasked with developing an organisation-wide culture of privacy and data protection compliance.

The CIPM syllabus (body of knowledge) consists of six distinct domains and requires attendees to evaluate privacy management throughout the operational lifecycle: 

  • Domain 1 - Developing a privacy programme framework: Addresses how to implement a privacy framework that defines the programme's scope and aligns it with the organisation's objectives. Delegates will also learn how to communicate the organisation's vision to ensure that everyone involved works towards maintaining the highest standards of privacy and security.
  • Domain 2 - Establishing privacy programme governance: Focuses on the need to create clear policies and processes, define roles and responsibilities, conduct training and awareness campaigns, and set up privacy metrics in order to monitor progress and ensure accountability across multiple jurisdictions.
  • Domain 3 - Assessing Data: Deals with the operational lifecycle of data governance, including how to conduct data flow mapping and systems integrations. Delegates will learn about evaluating the risks associated with sharing or transferring data across borders with processors and third-party vendors, as well as how to assess physical, environmental and technical controls to ensure that data is handled in a secure and responsible manner.
  • Domain 4 - Protecting Personal Data: Addresses how to apply information security best practices, policies, controls and measures in order to mitigate risk. Attendees will also learn about integrating the principles of Privacy by Design and how to collaborate with technical teams around data minimisation and implementation of privacy-enhancing technologies (PETs).
  • Domain 5 - Sustaining Programme Performance: Examines the need for metrics to measure privacy programme performance, maturity and the reduction in privacy events compared with cultural awareness initiatives and other business indicators. Attendees will discover why and how to maintain ongoing compliance through regular audits and continuous assessments, including Data Protection Impact Assessments (DPIAs), Transfer Impact Assessments (TIAs), and Legitimate Interest Assessments (LIAs) in order to identify gaps or deficiencies in the privacy programme and take corrective measures to address them. 
  • Domain 6 - Responding to Requests and Incidents: Considers the importance of transparency and accountability in upholding information rights, along with the need to implement robust security incident response handling procedures.

To successfully implement a privacy programme, it is important to have the right skills. CIPM holders have the ability to interpret data protection laws and create policies and procedures that organisations can use to establish practical and effective practices.

This CIPM course is delivered online for convenience and for the significant environmental and sustainability benefits it offers. Delegates can gain a recognised practitioner-level workplace qualification at home or from their desk by attending four consecutive 4-hour live online sessions across one week. This accredited IAPP course prepares participants for the 150-minute multiple-choice IAPP Exam.

Piccaso Privacy Awards

Why choose Freevacy for your CIPM training

For the second year running, Freevacy has been shortlisted in the Best Educator category at the PICCASO Privacy Awards. The awards were established to recognise the people making an outstanding contribution to this dynamic and fast-growing sector. The Best Educator award will go to a professor, lecturer, teacher, or training provider who leads by example to inspire and motivate the next generation of privacy professionals.

Who should attend this CIPM course?

Who should attend the IAPP Certified Information Privacy Manager?

  • Data Protection Officers
  • Data Protection Managers
  • Compliance Professionals
  • Information Managers
  • AI Governance Professionals
  • Data Governance Professionals
  • Auditors
  • Information Security Managers

What you will learn

  • How to create a company vision
  • How to communicate to stakeholders
  • How to structure the privacy team
  • How to develop and implement a privacy framework
  • How to conduct including DPIAs
  • How to measure performance
  • How to respond to security incidents
  • The privacy programme's operational lifecycle

CIPM Body of Knowledge

This accredited CIPM training course is delivered online over 4 consecutive morning sessions (or 2 full days when provided in-company). 

The IAPP developed its CIPM Body of Knowledge (BoK) around the skills practitioners will be assessed on during the certification exam. The latest BoK presents the content as a series of competencies and performance indicators. The IAPP ensures its CIPM BoK is always relevant and up to date through consultation with its global community of information privacy practitioners and lawyers.

CIPM is accredited by the ANSI National Accreditation Board (ANAB) under ISO17024: 2012.

The following is extracted from the CIPM BoK Version 4.0: 

Performance Indicators
Domain 1:
Developing a privacy programme framework
Define programme scope & develop a privacy strategy:
Choose an applicable governance model.
Identify the source, types and uses of personal information within the organisation.
Structure the privacy team.
Identify stakeholders and internal partnerships.
Communicate organisational vision and mission statement:
Create awareness of the organisation’s privacy programme internally and externally.
Ensure employees have access to policies and procedures and updates relative to their role(s).
Adopt privacy programme vocabulary (e.g., incident vs breach).
Domain 2:
Establishing privacy programme governance
Create policies and processes to be followed across all stages of the privacy programme life cycle:
Establish the organisational model, responsibilities, and reporting structure appropriate to the size of the organisation.
Define well-designed policies related to the processing of the organisation’s data holdings, including data sharing, and taking into account both legal and ethical requirements.
Identify collection points considering transparency and integrity limitations of collection of data.
Create a plan for breach management.
Create a plan for complaint handling procedures.
Clarify roles and responsibilities:
Define the roles and responsibilities for managing the sharing and disclosure of data for internal and external use.
Define roles and responsibilities for breach response by function, including stakeholders and their accountability to regulators, coordinating detection teams (e.g., IT, physical security, HR, investigation teams, vendors) and establishing oversight teams.
Define privacy metrics for oversight and governance:
Create metrics per audience and/or identify the intended audience for metrics with clear processes describing the purpose, value and reporting of metrics.
Understand the purposes, types and life cycles of audits in evaluating the effectiveness of controls throughout the organisation’s operations, systems and processes.
Establish monitoring and enforcement systems to track multiple jurisdictions for changes in privacy law to ensure continuous alignment.

Establish training and awareness activities:
Develop targeted employee, management, and contractor training programmes at all stages of the privacy life cycle.
Create continuous privacy programme activities (e.g., education and awareness, monitoring internal compliance, programme assurance, including audits and complaint handling procedures).
Domain 3:
Privacy Programme Operational Life Cycle - Assessing Data
Document data governance systems:
Map data inventories, map data flows, map data life cycle and system integrations.
Measure policy compliance against internal and external requirements.
Determine the desired state and perform a gap analysis against an accepted standard or law.
Evaluate processors and third-party vendors:
Identify risks of insourcing and outsourcing data, including contractual requirements and rules of international data transfers.
Carry out assessments at the most appropriate functional level within the organisation (e.g., procurement, internal audit, information security, physical security, data protection authority).
Evaluate physical and environmental controls:
Identify operational risks of physical locations (e.g., data centres and offices) and physical controls (e.g., document retention and destruction, media sanitisation and disposal, device forensics and device security).
Evaluate technical controls:
Identify operational risks of digital processing (e.g., servers, storage, infrastructure and cloud).
Review and set limits on the use of personal data (e.g. role-based access).
Review and set limits on records retention.
Determine the location of data, including cross-border data flows.
Evaluate risks associated with shared data in mergers, acquisitions, and divestitures:
Complete due diligence procedures.
Evaluate contractual and data-sharing obligations, including laws, regulations and standards.
Conduct risk and control alignment.
Domain 4:
Privacy Programme Operational Life Cycle - Protecting Personal Data
Apply information security practices and policies:
Classify data to the applicable classification scheme (e.g., public, confidential, restricted).
Understand purposes and limitations of different controls.
Identify risks and implement applicable access controls.
Use appropriate organisational measures to mitigate any residual risk.
Integrate the main principles of Privacy by Design (PbD):
Integrate privacy through the System Development Life Cycle (SDLC).
Integrate privacy through business processes.
Apply organizational guidelines for data use and ensure technical controls are enforced:
Verify that guidelines for secondary uses of data are followed.
Verify that administrative safeguards such as vendor and HR policies, procedures and contracts are applied.
Ensure applicable employee access controls and data classifications are activated.
Collaborate with privacy technologists to enable technical controls for obfuscation, data minimisation, security and other privacy-enhancing technologies (PETs).
Domain 5:
Privacy Programme Operational Life Cycle - Sustaining Programme Performance
Use metrics to measure the performance of the privacy programme:
Determine appropriate metrics for different objectives and analyse data collected through metrics (e.g., trending, ROI, business resiliency, PMM).
Collect metrics to link training and awareness activities to reductions in privacy events and continuously improve the privacy programme based on the metrics collected.
Audit the privacy programme:
Understand the types, purposes, and life cycles of audits in evaluating the effectiveness of controls throughout the organisation’s operations, systems and processes.
Select applicable forms of monitoring based on programme goals (e.g., audits, controls, sub-contractors) and complete compliance monitoring through auditing of privacy policies, controls, and standards, including against industry standards and regulatory or legislative changes.
Manage continuous assessment of the privacy programme:
Conduct risk assessments on systems, applications, processes, and activities.
Understand the purpose and life cycle for each assessment type (e.g., PIA, DPIA, TIA, LIA, PTA).
Implement risk mitigation and communications with internal and external stakeholders after mergers, acquisitions, and divestitures.
Ensure AI usage is ethical, unbiased, meets data minimisation and purpose limitation expectations and is in compliance with any regulations and/or privacy laws.
Domain 6:
Privacy Programme Operational Life Cycle - Responding to Requests and Incidents
Respond to data subject access requests and privacy rights:
Ensure privacy notices and policies are transparent and clearly articulate data subject rights.
Comply with the organization’s privacy policies around consent (e.g., withdrawals of consent, rectification requests, objections to processing, access to data and complaints).
Understand and comply with established international legislations around data subjects’ rights of control over their personal information (e.g., EU/UK GDPR, PECR, DPA18).
Follow organisational incident handling and response procedures:
Conduct a risk assessment about the incident.
Perform containment activities.
Identify and implement remediation measures.
Communicate to stakeholders in compliance with jurisdictional, global and business requirements.
Engage the privacy team to review facts, determine actions and execute plans.
Maintain an incident register and associated records of the incident.
Evaluate and modify the current incident response plan:
Carry out post-incident reviews to improve the effectiveness of the plan.
Implement changes to reduce the chance of further breaches.

Unlimited 1-2-1 coaching & support

Once the training aspect of your CIPM course is complete, our trainers make themselves available throughout the self-study period leading up to the exam. We achieve this through email exchanges, one-to-one coaching sessions, and group online exam preparation days.

CIPM Exam Preparation

The topics covered in this CIPM exam preparation session include:

  • Exam technique
  • Timing
  • IAPP examination format
  • How to set up the exam space for online exams or what to expect if they are going to a test centre
  • How to read and answer IAPP exam questions properly
  • Group discussion covering any topics delegates want to revisit, along with any queries that have come up during revision.
  • Availability of the IAPP Practice exams paper and where to find it on the IAPP website and cost.

Following the examination prep day, the instructor will offer guidance for further study areas.

CIPM: Exam

IAPP Certified Information Privacy Manager Exam information

IAPP exams have gained a reputation for being difficult to pass. Both Freevacy and the IAPP strongly recommend careful preparation, even for experienced professionals.

The following information about the CIPM examination is an extract from documentation provided to delegates by the IAPP. For the full details please review the IAPP Privacy Certification Candidate Handbook 2023 and the CIPM Examination Blueprint.

Exam Information

IAPP certification programmes are designed to differentiate between candidates who do and who do not possess the knowledge required to be considered minimally qualified privacy professionals. All questions are multiple choice with some relating to scenarios. Each question has only one correct answer. Each item (question) consists of a clearly written question (stem), a correct or best response (key) that should be apparent to minimally qualified candidates and three incorrect responses (distractors) that will be plausible to not-minimally qualified candidates. Note that it is each candidate’s responsibility to be prepared for exams by being familiar with all elements of the Bodies of Knowledge.

Candidates are encouraged to read each question carefully. The stem may be in the form of an actual question or an incomplete statement. An exam question may require the candidate to choose the most appropriate answer based on a qualifier, such as MOST likely or BEST.

Total number of questions 90
Scored questions 70
Exam duration 2 hours 30 minutes
Passing score 300 out of 500

Examination Blueprint

The examination blueprint indicates the minimum and maximum number of items that are included on the CIPP/E examination from the major areas of the Body of Knowledge. Questions may be asked from any of the listed topics under each area.


On all IAPP certification exams, each item has equal value and is scored as correct or incorrect. Unanswered items are considered incorrect, and there is no additional penalty for incorrect answers.

Special Accommodations

It is the policy of the IAPP to provide testing accommodations to candidates with qualifying disabilities to ensure each candidate a comparable opportunity for success on exams. We require 30 days notice in order to arrange special accommodations. Please do not schedule an exam until the IAPP approves your request. After exam purchase, submit your request and supporting documentation using the forms provided on the IAPP website.

Exam Languages

All IAPP examinations are administered in English.

Course Cost

Get this IAPP Certified Information Privacy Manager (CIPM) training course:


  • Sign up for our Privacy Newsfeed weekly newsletter and save 10% - subscription details below.
  • Book a second IAPP course and save up to £650.00 + VAT - contact for more information.
  • Multiple course booking discounts are only available for single delegates; both exams must be taken in a 12-month period.
Package includes:
  • 4 x 4 hour live online sessions across 4-days, or
  • 2-days for a traditional classroom setting
  • Authorised IAPP instructors
  • IAPP CIPM examination voucher
  • 1st-year IAPP professional membership (existing members, membership will be extended by 12 months)
  • Official CIPM courseware
  • Sample exam questions
  • 1-2-1 coaching and support
Booking information for corporate IAPP members:
  • Looking for the additional coaching and support we offer?
  • Ask for a Freevacy-delivered course when booking with IAPP

10% OFF


Sign-up for our Privacy Newsfeed weekly newsletter to get your discount code. Receive additional offers by selecting training announcements option. Please choose your desired subscription option and then enter your details to subscribe.


Code Course Start Duration Location Booking
CIPM IAPP Certified Information Privacy Manager 02 Apr 24 4 X 4hr Sessions Online Book now
24 Jun 24 4 X 4hr Sessions Online Book now

IAPP Certified Information Privacy Manager (CIPM)

Starts: 02 Apr 24

Duration: 4 X 4hr Sessions

Location: Online

Book now

IAPP Certified Information Privacy Manager (CIPM)

Starts: 24 Jun 24

Duration: 4 X 4hr Sessions

Location: Online

Book now

Julie Dennis - Training Director & CIPM Instructor

Julie is an information and data governance specialist with over 15 years experience, including 7 years as a data protection officer at a law enforcement agency. 

As an IAPP instructor, Julie delivers our CIPP/E and CIPM courses. Her expertise covers data protection law, privacy programme management, and implementing privacy-enhancing technologies. Julie's practical and informal approach to data protection training helps delegates to analyse and interpret legislative requirements before applying day-to-day practices.

Read Julie's full bio for more information about her qualifications and experience.

Freevacy has been shortlisted in the Best Educator category.
The PICCASO Privacy Awards recognise the people making an outstanding contribution to this dynamic and fast-growing sector.