This is a review of the International Association of Privacy Professionals' (IAPP) Certified Information Privacy Professional US (CIPP/US) exam.
My background - 15+ years of infosec (and other job descriptions), mostly acting as a CISO without the $$ or title. Lots of GRC. The C in this case stands for privaCy since the only reason companies protect your personal data is because laws or contracts require them to and those laws & contracts need to be Complied with. It's important I point this out because I am already very well versed in the material.
Why I took the test - I've been tinkering with taking either the CISSP-ISSMP or this CIPM. CIPM is asked for a bit more on job boards (barely...) and had the potential of teaching me more in my studies. Also I'm convinced privacy is the next big wave running along infosec, and IAPP's exams are the only name in the business, so this could be a good strategic move looking 3-5 years down the line. So, I chose the CIPM and coincidentally the training bundle I selected also included the CIPP/US, so I figured why the heck not.
Who is this test for - People who want to memorize US laws regarding privacy. Having taken the test and looking through the directory of already-certified people, it's mostly privacy attorneys, privacy consultants, and infosec managers.
What did I use to study for it - Official live training, official course book, official training guide, official practice exam (~30 questions). Live training was eh, mostly the instructor reading verbatim off of the instructor's notes to the training guide. Official coursebook (ISBN-13: 978-0979590184) was basically two lawyers who took all of the US laws touching on privacy, created a bulletpoint list of the requirements of each, and wrote them down in narrative form over 180 pages. Extraordinarily dry material. WAY worse than a law school textbook since those at least have cases to put things into context. This was literally just someone writing down legal requirements in paragraph form. I ended up making an outline of the book since you need to just straight up memorize the exact same things from each of up to 75+ similar, but each slightly different, laws (who enforces each law, whether consent to share info is needed, if consent is needed then what kind of consent [phone, email, signature, etc], the requirements of each law, the basis for each law, the fines levied for violations of each law, the security requirements of each law, the data breach notification requirements of each law, etc, etc, etc). This was WAY worse than an ISACA textbook in case you've ever lived through one of those. Official training guide was basically a 100+ page set of bulletpoints summing up the official coursebook with extra material thrown in for some reason. Mostly worthless, IMO. Practice exam was a good test of the book and relatively representative of exam questions.
How was the exam - Probably the hardest test I've ever taken, and I've taken ISC2, ISACA, SANS, CompTIA, EC-Council, etc. Not hard in terms of confusingly worded or challenging your skill level, just hard in that many, many questions covered topics I'm fairly sure weren't in the actual textbook or training materials. Many other questions were extraordinarily poorly worded and had answers that didn't seem to relate to the question at all. That'd be fine if it was one or two easily-eliminated multiple choice distractor answers, but oftentimes all of the answers just didn't match the question. Example - Which of these parts is NOT found on a car: A) flagpole, B) litter box, C) stamina, D) August. Seriously, I had a few questions where I thought the answer bank must have gotten switched around. I've been an auditor on a few cert exams and felt that many of the questions needed to be reworded. I'd love to see their back-end breakdown of how well some of the questions test. There were also scenario-based questions on the exam, and those weren't represented in the practice tests (caveat - I like scenario questions since you usually get more info to ponder). I was fairly certain I had failed the exam and was flabbergasted (don't get to use that word much) when I found out I passed (you're notified at the very end). I honestly have no idea how.....
Would I recommend this to others - As a strategic move, definitely; already mentioned I think privacy is in its infancy and is going to be big in the coming years. As a learning exam, yes, if you aren't already familiar with the material, but be warned that the material and test are essentially a factual brain **** that I don't believe anybody can actually retain after taking the test. To be fair, that isn't all IAPP's fault - the state of privacy law in the US (as of the day I write this) is a mess, and the material does test the law as it currently exists (with the exception of many horribly worded answers). Ultimately I'd recommend this as an educational piece about how messed up US privacy laws are, but you'll never hope to retain the info from here, esp. since there's no context given to any of the learning topics. If you feel this will be a resume-booster, then go for it, just be prepared to sit down and commit a lot of nearly-identical pieces of information to short-term memory for instant regurgitation over 2.5 hours.
What did I take away from this exam - Mmmmm..... I decided to have a drink when I got home even though it's only lunch time. I also decided to write this. Now let me go get that drink.