So, you’ve decided that you want to become a Certified Information Privacy Manager (CIPM). Or at least you are interested in helping your organization operationalize privacy. To do that, you’ll need to pass an exam administered by the IAPP, formerly known as the International Association of Privacy Professionals. To do that successfully, you will need to know the topics tested on the exam, which are helpfully contained in a document published by the IAPP, called the Body of Knowledge and Exam Blueprint. And each year, the IAPP updates this document with new or different material.
You might ask yourself: why does the IAPP issue updates every year? The reason is twofold. First, the IAPP wants to make sure its certification exams keep pace with the rapidly evolving industry of data protection and new technologies. And second, the IAPP wants to make sure its certification exams do not become too “overexposed.”
After the significant changes to the CIPM Body of Knowledge that the IAPP made in 2023, this year’s updates (like the 2024 updates) are relatively modest. Below, we cover these changes in detail.
When Do These Changes Go into Effect?
Before we get too in the weeds, let’s start with the basics. Because the IAPP does not want to surprise test-takers, it publishes updated BoKs several months in advance of when they become effective. In other words, the IAPP provides plenty of time—a minimum of 90 days—to learn new topics that it identifies before they appear on any exam.
The changes to the 2025-2026 Body of Knowledge for the CIPM exam go into effect on September 1, 2025.
Changes to the New CIPM Body of Knowledge
To understand what may have changed in the CIPM Body of Knowledge this year, let’s start with the words of the IAPP itself: “Most of these changes [to the BoK] are clarifying language, so the content is the same, but is more concrete and precise. Some of the content may have been relocated or combined together.” Moreover, “[i]n some cases, performance indicators were deleted because they were covered elsewhere in the BoK.”
In short, there is effectively no new content tested on the CIPM exam this coming year compared to last year. There are, however, some stylistic changes which we cover below, as well as more “concreteness” that test-takers should be aware of.
Did the Domains or Competencies Change?
Domains are the highest level of organization within the CIPM Body of Knowledge. They have not changed this year compared to last year. The six Domains are:
- Domain I – Privacy Program: Developing a Framework
- Domain II – Privacy Program: Establishing Program Governance
- Domain III – Privacy Program Operational Life Cycle: Assessing Data
- Domain IV – Privacy Program Operational Life Cycle: Protecting Personal Data
- Domain V – Privacy Program Operational Life Cycle: Sustaining Program Performance
- Domain VI – Privacy Program Operational Life Cycle: Responding to Requests and Incidents
Under the new structure of the IAPP Body of Knowledge that was first implemented in 2023, “Competencies” are “clusters of connected tasks and abilities that constitute a body of knowledge domain.” These too remain unchanged in the updated 2025-2026 CIPM Body of Knowledge compared to version 4.1.0 from last year.
Want to know what else didn’t change? The number of questions that will be asked on each specific competency.
Are There Any New Performance Indicators?
You’re probably asking yourself at this point, what did change? The answer is, unsurprisingly—not a lot. Each competency in the CIPM Body of Knowledge is matched with several “performance indicators,” which “are the discrete tasks and abilities that constitute the broader competence group.” Some of these have been reworded, and some have been removed. Let’s compare.
- Performance Indicator I.A – Has been changed from “Understand the organization’s business model and risk appetite” to “Understand the business model, operational environment and risk appetite.”
- Performance Indicator I.B – Has been changed from “Adopt privacy program vocabulary (e.g., incident vs. breach)” to “Establish a common understanding of privacy terms across the organization.”
- Performance Indicator I.C – Has been changed from “Understand penalties for non-compliance” to “Understand the potential impact of non-compliance at the organizational and/or individual level.”
- Performance Indicator II.A – Has been changed from “Create a plan for complaint handling procedures” to “Create plans for complaint procedures and data subject rights processes and procedures.”
- Performance Indicator II.D – “Create continuous privacy program activities (e.g., education and awareness, monitoring internal compliance, program assurance, including audits, complaint handling procedures)” has been removed.
- Performance Indicator III.A – Has been changed from “Determine desired state and perform gap analysis against an accepted standard or law” to “Perform a gap analysis against applicable laws and/or accepted standards.”
- Performance Indicator III.D – The performance indicators of “Review and set limits on use of personal data (e.g., role-based access)” and “Review and set limits on records retention” have been combined into “Review and set limits on use and retention of personal data.”
- Performance Indicator III.D – “Collaborate with relevant stakeholders to identify and evaluate technical controls” has been removed.
- Performance Indicator IV.A – Has been changed from “Use appropriate technical, administrative, and organizational measures to mitigate any residual risk” to “Use appropriate technical, administrative and organizational measures to mitigate risk.”
- Performance Indicator IV.B – “Understand the principles and purposes of privacy by design” has been added.
- Performance Indicator IV.C – Has been changed from “Verify that the safeguards such as vendor and HR policies, procedures and contracts are applied” to “Verify that safeguards such as policies, procedures and vendor contracts are applied.”
- Performance Indicator IV.C – Has been changed from “Ensure applicable employee access controls and data classifications are in use” to “Ensure applicable access controls and data classifications are appropriate and effective.”
- Performance Indicator V.A – Has been changed from “Determine appropriate metrics for different objectives and analyze data collected through metrics (e.g., trending, ROI, business resiliency)” to “Determine appropriate metrics for different objectives (e.g., trending, ROI, business resiliency).”
- Performance Indicator V.A – Has been changed from “Collect metrics to link training and awareness activities to reductions in privacy events and continuously improve the privacy program based on the metrics collected” to “Analyze collected data and link to program goals and compliance measures (PIAs performed, rights requests response rates, complaints volume, data breach metrics).”
- Performance Indicator V.B – “Understand the types, purposes, and life cycles of audits in evaluating effectiveness of controls throughout organization’s operations, systems and processes” has been removed.
- Performance Indicator VI.A – Has been changed from “Understand and comply with established international, federal, and state legislations around data subject’s rights of control over their personal information (e.g., GDPR, HIPAA, CAN-SPAM, FOIA, CCPA/CPRA)” to “Understand and comply with established global legislations around data subject’s rights of control over their personal information.”
- Performance Indicator VI.B – Four performance indicators of “Conduct an incident impact assessment,” “Perform containment activities,” “Identify and implement remediation measures,” and “Engage privacy team to review facts, determine actions and execute plans” have been combined into “Understand and execute incident handling and response procedures (e.g., assessment, containment, remediation).”
As you can tell from reviewing these changes, they are nearly all stylistic in nature. Some of the content that has been removed is already covered elsewhere in the BoK.
In sum, there is little to no new content in this year’s BoK update.
Is Privacy Bootcamp’s CIPM Course Up to Date?
Yes, all Privacy Bootcamp courses are up to date.
As is annual tradition around here, we set to work updating our courses weeks before the IAPP releases its updated BoKs based upon changes we know have occurred in the privacy and data protection industry, as well as important events and student feedback. We are never left flat-footed. Because we begin working on these updates proactively, we typically are able to release annual comprehensive updates just weeks after the IAPP publishes updated BoKs. So be on the lookout in the coming weeks for new content.
We release our CIPM course updates months ahead of when any new material will appear on an exam (for exams taken after September 1, 2025). This update will happen seamlessly for all enrolled students; there is no action needed on the part of our students. Regardless of what changes the IAPP throws at you, with Privacy Bootcamp you can rest easy knowing you will always be prepared.