NDATION FOUNDATION FOUNDATIO

N FOUNDATION FOUNDATION FOU

IAPP Certification Foundation

Study Guide

Effective March 2013

WELCOME
Congratulations on taking the first step toward achieving an IAPP privacy certification. This study guide contains the basic
information you need to get started:

• An explanation of the IAPP certification program structure

• Key areas of knowledge for the Certification Foundation program
• Recommended steps to help you prepare for your exam
• A detailed Body of Knowledge for the Certification Foundation program
• An exam blueprint
• Sample questions
• General exam information  

IAPP Certification Foundation Study Guide 2

The IAPP Certification Program Structure
The IAPP currently offers two certification programs: The Certified Information Privacy Professional (CIPP) and the
Certified Information Privacy Manager (CIPM).

The CIPP is the “what” of privacy. Earning this designation demonstrates your mastery of a principles-based framework in
information privacy in a legal or practical specialization. Within the CIPP, there are five concentrations:

• U.S. private-sector privacy (CIPP/US)

• Canadian privacy (CIPP/C)
• European privacy (CIPP/E)
• U.S. government privacy (CIPP/G)
• Privacy in information technology (CIPP/IT)

The CIPM is the “how” of privacy. Earning this designation assesses your understanding of the application of common
privacy practices in the daily operations of an organization. There are no concentrations within the CIPM—it crosses all
jurisdictions and industries.

To become certified in any of these areas, you must successfully complete the Certification Foundation examination,
followed by a designation exam (either the CIPM exam or an exam in one of the five CIPP concentrations).

The Certification Foundation exam assesses understanding of fundamental concepts of privacy and data protection. It covers
common practice areas that are relevant to all privacy professionals regardless of legal jurisdiction, geographic location or
practice specialization.

You must pass both the Certification Foundation exam and a designation exam to achieve certification.
Successful completion of just one exam will not result in certification being awarded.

Testing for Multiple Designations

Many people choose to certify in multiple areas. Should you wish to pursue additional designations, you are not required to
retake the Certification Foundation multiple times; you are only required to pass the additional designation exam to achieve
another credential.

Requirements for IAPP Certification

1. You must be a current member of the IAPP prior to registering for your examination.
(Information about IAPP membership, including levels, benefits and rates is available on the
IAPP website at www.privacyassociation.org/membership.)
2. Successful completion of both the Certification Foundation exam and a designation exam.

IAPP Certification Foundation Study Guide 3

Certification Foundation Key Areas of Knowledge
The Certification Foundation, which is a pre-requisite for all IAPP designations, covers elementary concepts of privacy
and data protection from a global perspective. It is designed to provide the basis for a multi-faceted approach to privacy and
data protection and to allow for the specific application of IAPP privacy certifications to build upon this foundation with
minimal repetition.

The four Foundation course components are:

I. Common Principles and Approaches to Privacy

• Historical descriptions, definitions and classes of privacy

• Types and elements of information
• Privacy policies and notices and processing of personal data
• Information risk management and information lifecycle principles
• Modern privacy principles, including FIPs, OECD and APEC, and common themes

II. A Survey of Global Privacy Laws and Industry Practices

• Global perspectives and data protection models

• The U.S. approach to information privacy
• The EU Data Protection Directive
• Data protection in Asia, Africa and the Middle East
• Sectors of privacy law, including healthcare, financial, telecommunications, marketing, human resources

III. Information Security

• Privacy and information security in context

• Elements of information security
• Information security standards: ISO 27001 and ISO 27002
• Information security threats and vulnerabilities
• Information security management and governance

IV. Online Privacy: Using Personal Information on Websites and with Other Internet-related Technologies

• Privacy considerations for sensitive online information, including data subject access and redress, children’s
online privacy, online identification methods, privacy and electronic mail, Internet searches, marketing and
advertising, social media, cloud computing and mobile privacy

IAPP Certification Foundation Study Guide 4

Preparation
Privacy certification is an important effort that requires advance preparation. Deciding how you will prepare for your exams
is a personal choice that should include an assessment of your professional background, scope of privacy knowledge and your
preferred method of learning.

In general, the IAPP recommends that you plan for a minimum of 20 hours of study time in advance of your exam date;
however, you might need more or fewer hours depending on your personal choices and professional experience.

The IAPP recommends you prepare in the following manner:

1. Review the Body of Knowledge

The Body of Knowledge for the Certification Foundation program is a comprehensive outline of the subject matter
areas covered by the Foundation exam. Review it carefully to help determine which areas merit additional focus in your
preparation. See pages 6-10.

2. Review the exam blueprint

The Certification Foundation Examination Blueprint on page 11 specifies the number of items from each area of the Body
of Knowledge that will appear on the exam. Studying the blueprint can help you further target your primary study needs.

3. Study the Certification Foundation textbook

Foundations of Information Privacy and Data Protection is the official reference for the Certification Foundation program. The
IAPP strongly recommends you take the time to carefully read and study the textbook.

4. Get Certification Training

The IAPP offers both in-person certification prep classes and online training to help you prepare for your exams.
You can find a list of scheduled classes and/or purchase downloadable online training on the IAPP website.

5. Take the Certification Foundation practice test

Practice tests are a great way to gain familiarity with the format and content of the actual designation exams. Practice
tests are shorter versions of the exam, available in a downloadable PDF file containing the test itself, an answer key and an
explanation of each correct answer.

6. Review other IAPP preparation resources

Additional resources are available on the IAPP website, including a searchable glossary of terms, a bibliography of
recommended reading and a case study book.

IAPP Certification Foundation Study Guide 5

Certification Foundation Common Body of Knowledge Outline

I. Common Principles and Approaches to Privacy

A. A Modern History of Privacy

a. Descriptions, definitions and classes
b. Historical and social origins
B. Types of Information
a. Personal information
b. Non-personal information
c. General and organizational
i. Financial
ii. Human resources
iii. Operational
iv. Intellectual property (IP)
v. Information products and services
d. Elements of personal information
i. Data subjects
ii. Personal data (EU)
iii. Personally identifiable information (U.S.)
iv. Sensitive personal information
e. Processing of personal data
i. Data controller
ii. Data processor
iii. Data protection authority (DPA)
f. Privacy policy and notice
i. Consent and choice
1. Opt in and opt out
C. Information Risk Management
a. Privacy’s impact on organizational risk
i. Main drivers and challenges
ii. Common processes
iii. Potential outcomes
b. Information lifecycle principles
i. Collection
ii. Use and retention
iii. Disclosure
iv. Management and administration
v. Monitoring and enforcement
c. Privacy impact assessments (PIA)
D. Modern Privacy Principles
a. Foundational principles
i. U.S. fair information practices
1. Notice, access, choice and consent
2. Scope and limitations of use
ii. The Organization of Economic Cooperation and Development (OECD) “Guidelines Governing
the Protection of Privacy and Trans-border Data Flows of Personal Data” (1980)
iii. The Asia Pacific Economic Cooperation (APEC) privacy principles
b. Historical timeline of principles frameworks
c. Common themes among principles frameworks

IAPP Certification Foundation Study Guide 6

II. Jurisdictions and Industries

A. Geography: Privacy and Data Protection Regulation

a. Introduction
b. Global perspectives overview
i. Countries with comprehensive data protection laws
ii. Countries with sectoral data protection laws
iii. The co-regulatory model
iv. The self-regulatory model
c. United States
i. Federal privacy laws
ii. State privacy laws
d. Canada
i. The Privacy Act of 1983
ii. The Personal Information Protection and Electronic Documents Act of 2000 (PIPEDA)
e. Europe
i. The European Union (EU) Data Protection Directive (95/46/EC)
1. Applicability
2. Core principles
3. Data processing
4. Data transfers
a. “Adequacy”
b. Binding corporate rules (BCRS)
c. Model Contracts
ii. The EU ePrivacy Directive (2002/58/EC)
iii. The Article 29 Working Party
iv. Employment data
v. EU – U.S. Safe Harbor Principles
1. Program components
2. Privacy principles
3. Compliance and enforcement
f. Japan
i. Laws concerning the protection of personal information
ii. Data transfer requirements
g. Australia
i. The Privacy Act of 2001
h. Latin America
i. “Habeas data”
i. India
j. Other Countries
B. Sectors of Privacy Law
a. Introduction
b. Healthcare
c. Financial
d. Telecommunications
e. Online Privacy
f. Government
g. Marketing
h. Energy
i. Human Resources
j. Other
IAPP Certification Foundation Study Guide 7
III. Information Security: Safeguarding Personal Information

A. Introduction to Information Security

a. Privacy and information security in context
i. Definitions
ii. Confidentiality, integrity and availability
iii. Common issues and challenges
1. Privacy vs. security
b. Elements of information security
i. Information security needs
ii. Information security key principles
1. Segregation of duties
2. Access privileges
3. Least privilege
c. Information security standards
i. ISO 27001
ii. ISO 27002
1. Security clauses
d. Information security threats and vulnerabilities
i. Determining risk
ii. Threat agents and origins
iii. Security risks and vulnerabilities
iv. Malware
v. Phishing
vi. Social engineering
B. Information Security Management
a. Building an information security framework
i. Process components
ii. Industry standards
iii. Organizational policy
b. Information security compliance
i. Legal requirements
c. Common information security controls
i. Access control policy and responsibility
ii. Access control types
1. Preventative
2. Detective
3. Corrective
iii. Access control placement
1. Network
2. Operating system
3. Application layer
4. Mobile computing and teleworking
iv. Cryptography
1. General concepts of shared and public key cryptography
a. Public key infrastructure (PKI)
2. Encryption
3. Decryption
4. Non-repudiation
5. Other uses
a. Digital signatures
b. Certifications IAPP Certification Foundation Study Guide 8
 v. Identity and access management (IAM)
1. Authentication
2. Authorization
vi. Other controls
1. Networks
a. Firewalls
b. Intrusion detection systems (IDS)
c. Intrusion prevention systems (IPS)
d. Data loss and data leakage protection
2. Financial transactions
a. Payment Card Industry (PCI) Data Security Standard (DSS)
d. Information security governance
i. Internal to organization
ii. External parties
iii. Asset management
1. Inventory of assets
2. Information classification
iv. Human resources security
1. Pre-employment
2. Change of employment
v. Physical and environmental security
1. Securing facilities
2. Equipment safety
vi. Communications and operations management
1. Management of third-party service delivery
2. System monitoring
a. System and end user
3. Back-up media
a. Handling
b. Transfer of information
4. Online security and monitoring
vii. Incident management
1. Reporting events and weaknesses
2. Managing incidents and improvements
3. Business continuity
viii. The information security program
1. The information security management system (ISMS)
2. Program improvement
3. Management review
4. Program assessments
a. Internal audits
b. External/third-party audits
ix. Vendor management
1. Due diligence and qualification
2. Contract management

IAPP Certification Foundation Study Guide 9

IV. Online Privacy: Using Personal Information on Websites and with Other
Internet-related Technologies

A. The Web as a Platform

a. Standard Web protocols
i. Internet protocol (IP)
ii. Hypertext transfer protocol (HTTP)
iii. Hypertext transfer protocol – secure (HTTPS)
iv. Internet proxies and caches
v. Web server logs
vi. Transport layer security (TLS)
vii. Secure sockets layer (SSL)
B. Privacy Considerations for Sensitive Online Information
a. Threats to online privacy
i. Cross-site scripting (XSS)
b. Online privacy notices and methods for communication
i. Website privacy statement
1. Location at/link from all points of data collection
2. Sample language
ii. Layered notice
c. Data subject access and redress
d. Online security
e. Website user authentication
f. Children’s online privacy
g. Active versus passive data collection
i. Web forms
h. Online identification mechanisms
i. Cookies
1. First-party and third-party
2. Common use cases
3. Industry best practices
ii. Web beacons
i. Privacy and electronic mail
i. Commercial e-mail
1. Best practices and standards for privacy protection
2. Unsolicited commercial e-mail (“spam”)
j. Internet searches
k. Online marketing and advertising
i. Search engine marketing (SEM)
ii. Online behavioral marketing (OBM)
l. Online social media
i. Social networking services
ii. Instant messaging
m. Online assurance
i. Trust seal and dispute resolution programs
ii. Self-regulatory frameworks
n. Cloud computing
o. Mobile online privacy
i. Location data

IAPP Certification Foundation Study Guide 10

Certification Foundation Exam Format
The Certification Foundation exam is a 90-minute, 90-item, objective test.

The Foundation exam is composed of 90 multiple-choice items. There are no essay questions. Each correct answer is
worth one point.

It is important to note that Certification Foundation is not itself an IAPP certification; you must pass both the
Certification Foundation and a designation exam to achieve certification.

Exam Blueprint
The exam blueprint indicates the minimum and maximum number of questions included on the exam from the major
areas of the body of knowledge. Questions may be asked from any of the topics listed within each area.You can use this
blueprint to guide your studying.

Min Max
I. Common Principles and Approaches to Privacy 31 35
A. Modern history of privacy 1 3
B. Types of information 15 21
Personal information, non-personal information, general and organizational
information, elements of personal information, data processing roles, privacy
policy and notice
C. Information risk management 7 11
Privacy’s impact of organizational risk, information lifecycle principles,
privacy impact assessments
D. Modern privacy principles 3 5

II. Privacy by Jurisdictions and Industries 20 23
A. Jurisdictions 10 13
Global perspectives, Europe, United States, Canada, other jurisdictions
B. Industries 9 11
Healthcare, financial, telecommunications, marketing, human resources,
other industries

III. Information Security: Safeguarding Personal Information 12 14

A. Overview of information security 7 11
Privacy and information security in context, elements of information security,
information security standards, information security threats and vulnerabilities
B. Information security management 3 5
Building an information security framework, information security compliance,
common information security controls, information security governance

IV. Online Privacy 20 24

A. Standard web protocols 1 3
B. Privacy considerations 20 22
Threats to online privacy, online privacy notice and methods for communication,
data subject access and redress, online security, website user authentication, children’s
online privacy, active vs. passive data collection, online identification mechanisms,
privacy and e-mail, Internet searches, online marketing and advertising, online social
media, online assurance, cloud computing, mobile online privacy

IAPP Certification Foundation Study Guide 11

Sample Exam Questions
1. What is the definition of a data controller?
A. A third-party service provider that maintains the platform on which personal data is stored.
B. A supervisory authority empowered to enforce privacy regulation or law.
C. The individual who provides the personal data.
D. An entity that holds personal data and determines the purposes of use.

2. What must be included in a privacy impact assessment?

A. A regulatory review of the assessment.
B. The source code of the system processing the data.
C. The attributes of data collected.
D. The administrator passwords of the system being evaluated.

3. Which standard web protocol allows for a peer’s identity to be authenticated prior to a connection being made?
A. Secure Sockets Layer.
B. Hypertext Transfer Protocol.
C. Transmission Control Protocol.
D. Internet Protocol.

4. What is an example of passive data collection on a website?

A. Single sign-on service.
B. Drop-down list.
C. De-selected check box.
D. Web beacon.

IAPP Certification Foundation Study Guide 12

General Exam Information
The IAPP offers testing at major annual conferences and at select industry conferences. Event-based testing is paper-pencil
format.You may sit for the Certification Foundation and one designation exam during a single event.

The IAPP also offers testing via computer-based delivery at test centers worldwide. There are approximately 600 Kryterion
High-stakes Online Secured Testing (HOST) locations around the world where IAPP certification exams are administered.

You can find detailed information about how to register for exams, as well as exam day instructions, on our website at
www.privacyassociation.org/certification.

Questions?
The IAPP recognizes that privacy certification is an important professional development effort requiring commitment and
preparation. We thank you for choosing to pursue certification, and we welcome your questions and comments regarding
our certification program.

Please don’t hesitate to contact us at certification@privacyassociation.org or +1 603.427.9200.

IAPP Certification Foundation Study Guide 13