IAPP Foundation Review

I don't recall any reviews about IAPP exams so I thought I would add one.

For those that are unfamiliar - the IAPP is the International Association of Privacy Professionals - more info at www.privacyassociation.org. It is a non-for-profit association started in 2000. The IAPP certifications - CIPP is arguably the most well-known privacy related certification.

The certifications are geared at privacy officers, information security officers, and auditors and related professionals.

Recently, I decided to take the IAPP Certification Foundation exam. It's the prerequisite for any IAPP Certification.

I work with a lot of lawyers and many hold the CIPP designation. And several of my peers in IT hold the same designation. I decided to get the CIPP/US and CIPM certifications as a means to solidify my understanding of privacy concepts and regulations.

My preparation consisted of the online training from IAPP and the book "Foundations of Information Privacy ahnd Data Protection" which is available at the IAPP web site. The online training cost $375 and the book was $65.

In retrospect, I probably should not have invested in the online training. The oline training was useful but not required. The online material was mostly a subset and overview and the definitive topics are actually in the book.

My own preparation for the Foundation exam is probably characterized as rushed but it works for me

. I had purchased online training a few months ago and went through it once. It's only a 2 hour overview. I purchased the book about 2 weeks ago. I read through it twice in the last 3 days. I also purchased the practice test ($25) which contains 45 questions. Since IAPP exams are not always available, I decided a few days ago to schedule my exam for today otherwise I would need to wait a month (IAPP exams are available for only 2 months and then there is a 1 month hiatus).

The study materials are written by attorneys so if you are not used to that type of writing style, it could be a bit more challenging. I spend a lot of time reading contracts as part of my job so I was a bit more used it.

Generally speaking, if you already have a CISSP or CISM and you work with contracts and privacy issues, it should be relatively straight-forward exam. The actual exam is only 90 minutes with 90 multiple choice questions.

The foundation body of knowledge can be found here - https://www.privacyassociation.org/media/pdf/certification/CertificationFoundationBOK_2.0.0.2.pdf

In summary - it is 4 domains:
- Common Principles and Approaches to Privacy
- Jurisdictions and Industries
- Information Security
- Online Privacy

I definitely found the exam a valuable exercise. Although, I already have experience with a lot of the topics, the materials were invaluable in organizing a lot of privacy concepts. My weakness area is the various Jurisdictions that the exam covers. My experience is limited only to US and EU financial regulations.

My next step is to prepare for the CIPM and the CIPP/US so that I can earn the actual certifications. I will likely do the CIPP/US exam first. Both exams are 70 minutes with 60 items.

Find more posts tagged with

Comments

JDMurray

Hey Paul, thanks for the new info! We have a lot of posts asking about the CIPP, but this is a lot of new info I haven't seen here before.

Thanks again!

paul78

You're welcome...

I think that one of the reasons why IAPP exams will get more popular is because it's a lot more accessible. The exams are now available in computer testing form through Kryterion. In the past, the exams were only offered during IAPP events.

For anyone that deals with the legal or governance side of information security, this is definitely a useful certification to obtain as the knowledge gained can really help firm up a lot of legal concepts.

I would encourage any infosec professional to consider this cert. Most of the technical and security certs that we typically discuss on these forums are related to the "what" and "how" of security. Whereas the CIPP materials are about the "why" from a legal perspective.

The actual foundation exam isn't very difficult per se. It was straight-forward factual questions. I was able to complete the exam in about 40 minutes which left me a lot of time to review all my answers at least twice - I believe in getting my money's worth so I like to use all the time

. I did pretty well scoring in the low 90's for each domain and 100 for the InfoSec domain.

A couple of other tidbits as I started my preparations for the other exams.

Unlike the foundation exam, the various CIPP exams contain about 10 questions which are associated with scenarios, except for the CIPP/IT. That should make the exam a bit more interesting - I plan to take the CIPP/US.

The CIPM is actually a 80 minute exam with 45 items. And 24 of the questions are associated with 4 scenarios also making the exam a lot more interesting. Because it's so new, it looks like IAPP will not be releasing any scores until early July - apparently a passing score has not yet been determined. I'll likely wait until a passing score is determined before I take it.

GoodBishop

paul78 wrote: »

You're welcome...

I think that one of the reasons why IAPP exams will get more popular is because it's a lot more accessible. The exams are now available in computer testing form through Kryterion. In the past, the exams were only offered during IAPP events.

For anyone that deals with the legal or governance side of information security, this is definitely a useful certification to obtain as the knowledge gained can really help firm up a lot of legal concepts.

I would encourage any infosec professional to consider this cert. Most of the technical and security certs that we typically discuss on these forums are related to the "what" and "how" of security. Whereas the CIPP materials are about the "why" from a legal perspective.

The actual foundation exam isn't very difficult per se. It was straight-forward factual questions. I was able to complete the exam in about 40 minutes which left me a lot of time to review all my answers at least twice - I believe in getting my money's worth so I like to use all the time . I did pretty well scoring in the low 90's for each domain and 100 for the InfoSec domain.

A couple of other tidbits as I started my preparations for the other exams.

Unlike the foundation exam, the various CIPP exams contain about 10 questions which are associated with scenarios, except for the CIPP/IT. That should make the exam a bit more interesting - I plan to take the CIPP/US.

The CIPM is actually a 80 minute exam with 45 items. And 24 of the questions are associated with 4 scenarios also making the exam a lot more interesting. Because it's so new, it looks like IAPP will not be releasing any scores until early July - apparently a passing score has not yet been determined. I'll likely wait until a passing score is determined before I take it.

One hint on the CIPP/US - it's a lot of memorization. Lot of good historical legal questions... I squeeked by, but I should probably have studied more.

CIPP/IT would be a piece of cake in comparison.

CIPM - I should be registering for that tomorrow.

Nice job on the pass for foundations! Good luck on your next two exams.

paul78

Thanks for the tip. I enjoy case law as it pertains to privacy and security so I'm looking forward to that part.

Good luck on the CIPM.

ChooseLife

Congrats on the pass of Foundation and thanks for a nice write up!

paul78

GoodBishop wrote: »

One hint on the CIPP/US - it's a lot of memorization. Lot of good historical legal questions... I squeeked by, but I should probably have studied more.

I meant to followup earlier. After several weeks of creative procrastinating, I finally took the CIPP/US exam. I squeaked by as well.

For anyone else that may be interested:

There was definitely a higher level of memorization than I had expected. The level of detail which is probably very interesting to someone that's a lawyer.

The scenario based questions were quite good. One of the scenarios was challenging enough that I re-read various chapters this weekend.

As for preparation materials, the online training for the CIPP/US was a lot better than the online training for the CIPP foundation. As with the foundation materials, the best reference is still the IAPP review manual. The online training provides a good overview but a lot of details are only available in the review manual.

As with the foundation training, the CIPP/US materials are developed mostly by lawyers so the language may seem unfamiliar for someone that doesn't deal much with the law. Similarly, I that the exam questions are probably written by law professionals.

What I particularly found useful about the CIPP/US knowledge base is that it provides a broad examination of various US sectors as it related to privacy and data protection. While I am typically immersed in financial sector issues only, it was useful to see how various other sectors can touch on the financial industry. For example, telecommunications and employment privacy is something that I rarely have to deal with but it does come up so having the formal exposure is valuable.

GoodBishop

Congrats! Way to go.

You're right, the thing that I like about having the CIPP/US is that it has a broad base of coverage, so you get exposure to different areas.

Nicely done. Now we're expecting the post that you passed the CIPP/IT (which, in comparison, was a much easier exam than the CIPP/US).

jw2011

Hello,

I have read a lot of useful information about various certs on threads here. I am interested in taking the CIPP - would anyone be able to suggest good study material(s), or any other resources ? I looked up the official book reviews and they dont seem that great.

Appreciate your time and input, thank you.

GarudaMin

Congratulations! And thanks for this thread.

I have read books on Information security and privacy as well as Law Journal Press's Privacy Law and saw a lot of CIPP credential on contributors/editors. I just assumed it's a lawyer thing since majority of contributors to those books are lawyers. Now I know what CIPP is and I think I will go for it. The reason I read those privacy laws was because I like to be a well rounded infosec professional. The way I see is privacy goes hand in hand with security and knowing statues/regulations related to privacy wouldn't do me any disservice.

I took a look at both IAPP Foundation CBK and CIPP/US/IT CBK and found that I already know all of those topics (thanks to books from Law Journal Press and American Bar Association). However, since official textbooks are only $65 each, I will get them as well.

My questions would be why would you take both CIPP/US and CIPP/IT instead of just one? What would be more beneficial or what are the benefits of having both? How do these certs benefit you? If you could give/offer your view/insight, I'd much obliged.

Thanks.

paul78

Hello and welcome to TE forums - since you are from Canada - I assume you are most interested in CIPP/C - Personally, I found that the official materials are perhaps the best resources. I suggest you start with the official Foundation book. Good luck.

GoodBishop

GarudaMin wrote: »

My questions would be why would you take both CIPP/US and CIPP/IT instead of just one? What would be more beneficial or what are the benefits of having both? How do these certs benefit you? If you could give/offer your view/insight, I'd much obliged.

Thanks.

Well, I think the CIPP/US and CIPP/IT would be useful - it expands your skillset to not be focused just on one area, like IT. You get a good understanding of laws that impact privacy overall. Also the CIPP/US is really a good primer on privacy law, while IT is more focused on IT-related aspects of privacy.

I work on issues that pertain to both IT privacy and privacy in the general sense - having both credentials let me speak from a general and IT-focused perspective on privacy. Plus it impresses our outside counsel.