Taking (and Passing) the CIPT Exam

Authors
  • Curtis Mitchell

Last week I successfully completed the Certified Information Privacy Technologist (CIPT) exam offered by the IAPP, the International Association of Privacy Professionals. While preparing for different privacy engineering [1] interviews over the last several months (several of which listed the CIPT as a desired certification for candidates), I realized I had some gaps in my knowledge when it came to working with teams that are not necessarily software engineers, such as legal and compliance professionals. Studying for this exam did end up closing those gaps and I can see some new paths forward in my privacy career as a result of getting this certification. If you think getting a privacy engineering certification could be beneficial for your career [2], read on for my perspective on how to study for and pass this exam.

What is the IAPP?

The IAPP is a professional network headquartered in the US state of New Hampshire and with active local chapters around the world. The organization supports different means of educating and certifying those professionals in all aspects of privacy: legal regulation, corporate policy guidance, technical implementation, and many more. They offer several different certifications focused on implementing and maintaining technical privacy controls (as well as a newer certificate specifically for AI governance).

Overview of the CIPT Exam

At first glance the exam doesn't seem too onerous: it consists of 90 multiple choice questions that you have two and a half hours to complete. But because it covers such a wide range of topics it has a reputation for being somewhat difficult, especially if you don't commit to focused study. While it does include directly technical topics such as encryption and computer networking, it also covers several project planning and organizational topics, such as designing software with a privacy-by-design-first approach and how to implement a privacy policy within an organization. More philosophical and legal topics are also covered, such as a comparison of various definitions of privacy itself, and what actions constitute a violation of privacy.

The full list of sections covered is:

  1. Foundational Principles
  2. The Privacy Technologist's Role in the Context of the Organization
  3. Privacy Risks, Threats and Violations
  4. Privacy-Enhancing Strategies, Techniques and Technologies
  5. Privacy by Design
  6. Privacy Engineering
  7. Evolving or Emerging Technologies in Privacy

Costs

At $550, the cost of the exam is steep (though this is comparable to other technical certifications such as those offered by CompTIA), and it includes a 2-year maintenance fee of $250 (waived if you're already a paying IAPP member) and continuing education requirements. So I wouldn't consider taking this exam if you're not working in a privacy-related domain.

Devising a Study Plan

Learning Materials

The IAPP offers its own study textbook, which is a good start, and they also offer reading material and practice tests that you can purchase. But after doing some research I decided to go with using the Privacy Bootcamp site to study for the exam. This is an online platform that features detailed content on all of the relevant CIPT topics, much of it pulled directly from IAPP material. The platform also includes review notes and flashcards and practice tests as well. Similar in price to the exam itself, Privacy Bootcamp charges $499 for access to its CIPT content, though that does include a guarantee for a full refund if you fail the first attempt at the exam.

Using a Spaced-Repetition System

For my own exam prep, I typically spent between 15 and 60 minutes a day reading and reviewing the Privacy Bootcamp content and then extra time here and there making and studying flash cards using Anki. If you're not familiar with Anki, it's a flash card-based spaced repetition system (SRS). The basic idea of an SRS is that each time you successfully remember review material, more and more days will pass before you see that material again, and any questions you get wrong will reappear more immediately (i.e. a few minutes later) until you get them correct. It's common for Anki users to make their card decks publicly available but I strongly encourage you to create your own cards, as figuring out what content to use to create a new card is itself a great form of study.

If you want to learn more about strategies for how to create cards to effectively absorb material, I strongly recommend this blog post on using SRS to study mathematics (although the strategies translate to other technical topics too): https://cognitivemedium.com/srs-mathematics.

Setting a Schedule

Each day I would make a commitment to read one to three sections of the Privacy Bootcamp material and then study the in-platform flash cards and knowledge review questions. I would also use the knowledge review material to make my own Anki cards, which I would then periodically study throughout the day.

Reviewing 50-100 Anki cards every day typically takes me 5-20 minutes, depending on how unfamiliar the card content is. And it's an easy task to fit in between calls or during other small breaks during the day.

Practice Exams

After completing all the lessons, I took the two practice tests that are included in the Privacy Bootcamp platform. After taking the first one and passing it, I scheduled my official CIPT exam for the following week.

All of the questions in the exams fit the same format: reading content (sometimes with a longer "privacy scenario" that applied across multiple questions) along with four multiple choice questions. Part of what makes the test challenging is that very often you will get a question where two of the possible answers are both strong contenders. The challenge is to pick which one most strongly applies to answering the question.

Next Steps

The IAPP runs knowledge-sharing groups (which they call "peer groups") for disciplines like privacy engineering, and they frequently hold talks and conferences virtually and in-person around the globe. I've attended talks on subjects such as technical implementation strategies for data protection and the application of laws in the US/UK/EU on automated decision making systems.

If this overview has piqued your interest enough to consider taking the exam, explore a few of the (non-affiliate) links I've placed here. And best of luck!

Footnotes

  1. Incidentally, while looking at different jobs with the title Privacy Engineer, I found a wide range of responsibilities that this title can entail. For example, some Privacy Engineer roles I applied to involved writing or auditing low-level code that implemented differentially private algorithms on mobile devices and web browsers. Other Privacy Engineer roles I interviewed for were much more on the regulatory compliance side, expecting the candidate to have experience working directly with legal teams to meet an organization's privacy regulation obligations. This wide range of expectations is a sign that the field is still growing and evolving. Exciting times!

  2. As far as I can tell, there aren't any other certifications comparable to the CIPT for privacy engineering, at least in North America. Please message me if you know of one!