How Valid Can the IAPP’s Certifications Be?

I have made no secret of my disdain for the ‘GDPR Practitioner Certification’ badge, and I still have no time for it, or its recipients who pass it off as real-world experience. But what alternatives are there if you want to obtain some form of data protection certification / privacy education?

The de facto standard, and really the only player in town, is the International Association of Privacy Professionals (IAPP), and their flagship badge, the Certified Information Privacy Professional (CIPP), is the most widely recognised and respected acronym you can add to your CV/resume. It’s the equivalent of the CISSP for those of us in the cybersecurity industry.

As a security professional, I’m really only looking for education that will help me AS a security professional. I’m only studying this ‘privacy stuff’ because I know full well that the lines between data security and data protection have become increasingly blurred. Both sides of the privacy equation desperately need to become far more familiar with each other to accurately translate the middle ground.

But how do we do that?

Yesterday I took, and thankfully passed, IAPP’s Certified Information Privacy Technologist (CIPT) exam. CIPT is designed to help technologists to “build [your] organization’s privacy structures from the ground up” and “meet the growing need that only tech pros can fill—securing data privacy at all stages of IT product and service lifecycles.”

My primary driver for this was knowledge, but being able to demonstrate some commitment to the subject in the form of a certification certainly doesn’t hurt. I’ve already added it to my LinkedIn profile, so I expect to be inundated with work offers any time now.

The preparation for the exam involved reading several books and other collateral. It’s the collateral with which I have the biggest issue. The ‘Authoritative texts’ are:

  1. Privacy in Technology: Standards and Practices for Engineers and Security and IT Professionals. Cannon, J.C. Portsmouth: AN IAPP Publication, 2014. ($65)
  2. Introduction to IT Privacy: A Handbook for Technologists. Breaux, Travis. Portsmouth: An IAPP Publication, 2014. ($29.95)
  3. Information Security and Privacy: A Practical Guide for Global executives, Lawyers and Technologists. Shaw, Thomas J. New York: American Bar Association, 2012. (I paid ~ $300.00)

Right off the bat you will notice that not one of these ‘authoritative’ texts is less than 5 years old, and the oldest (if you can even find a copy), is MASSIVELY expensive! Amazon has a copy on sale for over $2,000!!

Other issues include:

  1. All of the material is very US-centric – while this is understandable given that they were founded there, the US is not exactly on the forefront for this stuff;
  2. None of the material covers what’s going on NOW – at 5 years old minimum, the authors had never even heard of the GDPR (for example), let alone incorporated relevant content into their books;
  3. The threat landscape changes a lot in 5 years – 5 MONTHS is a long time in security;
  4. Technology has moved on too – and no, I don’t mean AI!!;
  5. Getting the right answer to an old exam question does no one any good.

While I understand that getting material together in order to provide an accredited ANSI/ISO standard 17024:2012 course and certification mechanism (which CIPT is) is a Herculean task, the IAPP have nevertheless had 3 years to get more current material built into the collateral.

So while I have undoubtedly learned quite a bit, I feel that I would have been better off waiting until the course material was appropriately updated. Again, I’m in this for the knowledge, not [necessarily] the acronym.

But will all of this stop me from taking other IAPP certifications? No, actually, I’m already signed up for the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy Professional / Europe (CIPP/E). Why you ask? Because unfortunately they are still the only thing around that has any meaning whatsoever. That and I will learn new stuff every time I read a book, no matter how old.

I have nothing against the IAPP (they provide a LOT of free resources), but we really need training courses, collateral, and yes, even certifications, that actually mean something. I suspect that it will be some time before we see such a thing from any vendor.

Most importantly, I guess: would I recommend these certifications? Yes actually, I would, but only because neither reading nor certifications are bad for your career.

Wait for the new versions though, and only if they have updated the reading material appropriately.

[Ed. Note 12-Aug-20 – I have since reviewed the CIPT training and reading material; it is now MUCH better and with consideration for both IS and privacy professionals alike.]

[Ed. Note 02-Aug-19 – Missed this; IAPP announces revamped CIPT certification. Looks like the revamp won’t be until next year, with a new ‘textbook’ available in January.]

[Ed. Note 02-Aug-19 – I have to say I’m very impressed with IAPP, they have already reached out to chat about my blog. Kudos where it is due.]


9 thoughts on “How Valid Can the IAPP’s Certifications Be?”

  1. Hi David,

    Thank you so much for your review on the CIPT course. I agree with you that “the lines between data security and data protection have become increasingly blurred. Both sides of the privacy equation desperately need to become far more familiar with each other.” I already have CIPP qualifications and am on the other side in privacy. I was thinking of doing the CIPT in order to understand security better. I am waiting for the course to be updated. I work with InfoSecs all the time so most of my learning is on the job and self study. What are your suggestions for people like me to become more knowledgeable about security?

    • Thank you for your comments Jen.

      It’s very difficult for me to ‘recommend’ a way forward, because there is just so much to learn. I have only begun to scratch the surface of what you do, and I’ve been at this pretty solidly for over 2 years now.

      But as I stated in my blog, the de facto standard cybersecurity certification is the CISSP (Certified Information Systems Security Professional). While I would NOT suggest you take your study all the way to certification (it can be rather much), I would suggest that you read the ‘official’ study guide. This will give you a high-level and well-rounded insight into cybersecurity’s major aspects.

      And then just keep doing what you’re doing! It’s the interaction with real-world practitioners that gives you the best education 🙂

      Best of luck,


      • Thank you so much for the book recommendation. Much appreciated. I also love how frank you are in this blog.

  2. Hi David,
    Thank you for your very informative insights.
    I note on the IAPP website they are now listing a new 2020 CIPT course and give last date for current exam as 12/2019.
    They have released the scope already and whilst improved still doesn’t seem to mention GDPR 🙂

    • Typical, isn’t it? I’ve been thinking about writing this blog for months and ONE day before I finally write it they release the announcement! 🙂

      I have already updated my blog accordingly, but like you I don’t see any definitive statements about HOW its contents will be any more appropriate.

      1. Will the ‘new CIPT textbook’ fully replace all of the current ‘Authoritative texts’?;
      2. Will it stop being so US-centric and cover YOUR specific national laws?

      There’s no way it can be radically different from the current CIPT, or you’d end up with two very different skill-sets with the same acronym. We could also end up in a situation where people see CIPTs prior to March 2020 as second best.

      I guess we’ll see, but not sure I care anymore 🙂

  3. It’s also important to understand the difference between Privacy and Security – and to be fair, David, your use of the term “Threat Landscape” shows that you were thinking like a security professional, not a Privacy Professional when you wrote this.

    Some of your points in your privacy and GDPR related posts are spot-on. Privacy isn’t a security or IT problem. It’s a business problem that has a lot more to do with what you’re allowed to do with personal information or personally identifiable information, and a lot less to do with things like keeping bad guys from accessing personal data. Yes, there is no privacy without security, and yes, the details on what is strong enough encryption have changed over the last 5 years – but that’s a security topic, not a privacy one.
    Privacy professionals’ jobs are more about principles like what data is the business allowed to collect, whether the reason the marketing team is giving is legitimate or not, whether it’s OK to share a piece of data etc.

    And, the fact is, even with GDPR, the core principles; the things you really need to understand well really haven’t changed all that much in the last 5 years. Sure, the penalties vary, but that’s why they publish updated editions of Privacy Law Fundamentals every year or so, and why the IAPP maintains a library of information and tools for members.

    And as you know, I’ve walked the road between Privacy and Security Professional for quite a while. CIPP/US and CIPT in 2011; CISA, PCIP and CIPP/E in 2012; PCI QSA and CIPP/C in 2013; PCI QSA (P2PE) and PA-QSA (P2PE) in 2015; VISA PIN SA in 2016; PCI 3DS QSA in 2018; and last month, CISSP.


    • All fair points Jim. I agree that 1) I am mostly a security professional (never professed otherwise) and 2) privacy has not changed THAT much. However, you’re showing your own leaning toward security by saying that the threat landscape is a security thing. The threat landscape is a BUSINESS thing, and with the significant ‘powers’ (not just fines) now available to supervisory authorities, threats to privacy are now addressed where they should have been addressed all along: at the Board level.
      The CIPT course, in its current iteration, does not account for the enormous advances privacy has made in the last 5 years, and the significant impact those advances will have on IT.
      Let’s hope the revamp takes care of that.

    • Hi A,

      I actually have the new material, but have not had a chance to go through it. I will actually rewrite the blog once I’ve done so.

      Back soon!

