You Can Pass This Exam For Free
Choose Your Study Path
Limited experience with privacy regulations, data protection, or privacy engineering. You need to build foundational knowledge in privacy principles and technical controls before tackling implementation scenarios.
Exam Overview
Format
120 multiple-choice questions in 210 minutes (3 hours 30 minutes). All questions are scenario-based, testing your ability to apply privacy engineering concepts to real-world situations.
Scoring
Scaled score 200-800. Passing: 450. The scaled scoring accounts for question difficulty, so the exact number of correct answers needed varies. No penalty for wrong answers — always answer every question.
Domains & Weights
- Privacy Governance: 20%
- Privacy Risk Management and Compliance: 18%
- Data Life Cycle Management: 23%
- Privacy Engineering: 39%
Registration
Register through the ISACA website (isaca.org) and schedule at PSI testing centers or via remote proctoring. The exam fee is $575 USD for ISACA members or $760 USD for non-members. ISACA membership costs $145/year and includes significant exam discounts plus access to resources and CPE opportunities.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Privacy Governance
This domain covers organizational privacy governance structures, privacy program development, alignment with business objectives, and privacy awareness. You need to understand how to establish, maintain, and improve a privacy program, including the roles, policies, and frameworks that support it.
Key Topics
Must-Know Concepts
- Privacy program components: strategy, policies, procedures, roles and responsibilities, training, monitoring, and continuous improvement
- Data Protection Officer (DPO) role: when appointment is mandatory under GDPR, independence requirements, reporting structure, and responsibilities
- Privacy by Design 7 foundational principles: proactive not reactive, privacy as default, privacy embedded into design, full functionality, end-to-end security, visibility and transparency, respect for user privacy
- Privacy governance frameworks: ISO 27701, NIST Privacy Framework, APEC CBPR, and how they complement legal requirements
- Privacy policies and notices: what must be included, how to communicate them to data subjects, and difference between internal policies and external privacy notices
- Aligning privacy program with business objectives: demonstrating value, building privacy into business processes, and privacy as a competitive advantage
- Privacy awareness and training: role-based training, frequency requirements, measuring effectiveness, and building a privacy-aware culture
- Privacy governance committees: cross-functional representation, charter, decision-making authority, and escalation paths
- Vendor and supply chain privacy management: due diligence, data processing agreements, sub-processor oversight, and audit rights (moved under Privacy Governance in the 2025 exam update)
- Incident management: privacy incident response planning, containment, investigation, notification, and lessons learned processes
Common Exam Traps
Privacy Risk Management and Compliance
This domain covers identifying, assessing, and mitigating privacy risks, as well as maintaining compliance with applicable regulations. Know how to conduct privacy impact assessments, manage vendor risks, handle breach notifications, and maintain ongoing compliance through audits and monitoring.
Key Topics
Must-Know Concepts
- Privacy Impact Assessment (PIA) process: scope definition, data flow analysis, risk identification, risk evaluation, mitigation recommendations, and documentation
- DPIA requirements under GDPR Article 35: when mandatory (high-risk processing, systematic monitoring, large-scale sensitive data), what it must contain, and when to consult the supervisory authority
- Privacy risk assessment methodologies: qualitative vs quantitative, risk matrices, likelihood and impact scoring, and residual risk acceptance
- Vendor and third-party risk management: due diligence questionnaires, data processing agreements (DPAs), sub-processor management, audit rights, and ongoing monitoring
- Breach notification requirements across jurisdictions: GDPR 72-hour rule, CCPA requirements, HIPAA requirements, and what constitutes a notifiable breach
- Privacy audit types: internal audits, external audits, regulatory audits, and continuous monitoring approaches
- Records of Processing Activities (ROPA): what must be documented under GDPR Article 30, who must maintain them, and how to keep them current
- Legal and regulatory monitoring: tracking new and updated privacy laws, assessing impact on existing programs, and implementing required changes
Common Exam Traps
Data Life Cycle Management
This domain covers managing personal data throughout its entire lifecycle — from collection through storage, use, sharing, and disposal. You need to understand data classification, inventory, consent management, data subject rights fulfillment, and secure data disposal. This is the second-largest domain at 23%.
Key Topics
Must-Know Concepts
- Data lifecycle stages: collection, storage, use/processing, sharing/disclosure, archival, and destruction/disposal — know privacy controls at each stage
- Data classification schemes: personal data, sensitive personal data (special categories under GDPR), PII, PHI, financial data — know how classification drives control requirements
- Data inventory and mapping: documenting all personal data assets, data flows, processing activities, storage locations, and third-party data sharing
- Consent management: collection mechanisms, preference centers, withdrawal processes, consent receipts, and age verification for children's data
- Data subject rights implementation: technical architecture for access requests, rectification, erasure, restriction, portability, and objection handling
- Data retention policies: defining retention periods based on legal requirements, business need, and data type, and implementing automated retention enforcement
- Data sharing controls: data sharing agreements, data use agreements, privacy-preserving data sharing techniques, and regulatory requirements for sharing
- Secure data disposal: methods (overwriting, degaussing, cryptographic erasure, physical destruction), verification requirements, and documentation
- Data quality management: accuracy, completeness, timeliness, and consistency of personal data throughout its lifecycle
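The retention and disposal items above are usually tested as scenarios ("which records may be deleted, which must be kept"). The following is an added example, not part of this guide, showing how a classification-driven retention schedule can be enforced automatically. The retention schedule, the record fields (`class`, `collected_at`, `last_used_at`, `legal_hold`) and the sample records are all constructed for the illustration; the legal-hold rule (expired data is held, not disposed, while a hold is active) and the refusal to act on unclassified data are the points worth noticing.

```python
from datetime import date, timedelta

# Constructed retention schedule (an assumption for this example, not from the guide):
# retention in days per data classification, and whether the clock starts at
# collection time or at the last time the data was used.
RETENTION_POLICY = {
    "marketing_contact": {"days": 365, "basis": "last_use"},
    "financial_record": {"days": 7 * 365, "basis": "collection"},
    "support_ticket": {"days": 2 * 365, "basis": "collection"},
}


def retention_deadline(record):
    """Date after which the record has exceeded its retention period."""
    policy = RETENTION_POLICY[record["class"]]
    start = record["collected_at"] if policy["basis"] == "collection" else record["last_used_at"]
    return start + timedelta(days=policy["days"])


def evaluate_retention(records, today):
    """Sort record ids into dispose / hold / retain as of `today`.

    Unclassified data is rejected rather than silently retained forever:
    classification is what drives the control, so a missing class is a defect.
    """
    decisions = {"dispose": [], "hold": [], "retain": []}
    for r in records:
        if r.get("class") not in RETENTION_POLICY:
            raise ValueError(f"unclassified record {r.get('id')}: cannot apply retention")
        expired = today > retention_deadline(r)
        if expired and r.get("legal_hold"):
            # Retention period passed, but a legal hold overrides disposal.
            decisions["hold"].append(r["id"])
        elif expired:
            decisions["dispose"].append(r["id"])
        else:
            decisions["retain"].append(r["id"])
    return decisions


# Constructed sample records (not real data).
RECORDS = [
    {"id": "r1", "class": "marketing_contact",
     "collected_at": date(2022, 1, 10), "last_used_at": date(2022, 6, 1)},
    {"id": "r2", "class": "marketing_contact",
     "collected_at": date(2022, 1, 10), "last_used_at": date(2024, 11, 1)},
    {"id": "r3", "class": "financial_record", "legal_hold": True,
     "collected_at": date(2015, 3, 1), "last_used_at": date(2024, 1, 1)},
    {"id": "r4", "class": "support_ticket",
     "collected_at": date(2023, 9, 15), "last_used_at": date(2023, 9, 20)},
]

TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    for action, ids in evaluate_retention(RECORDS, TODAY).items():
        print(f"{action}: {ids}")
```

Run against the sample set, the marketing contact last used in 2022 is disposed, the one used recently is retained, the financial record past its seven-year period is held because of the legal hold, and the support ticket is still within its two-year window. In a real deployment the "dispose" list would feed a verified, documented disposal step rather than a direct delete.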
Common Exam Traps
Privacy Engineering
The largest domain at 39% — expect roughly 47 questions on this topic. Covers technical implementation of privacy controls including infrastructure, encryption, access management, secure development, APIs, monitoring, anonymization techniques, PETs, AI/ML privacy, and cloud privacy architecture. Master this domain or you will not pass.
Key Topics
Must-Know Concepts
- Infrastructure and platform privacy: legacy systems vs cloud computing, shared responsibility model, data residency requirements, multi-tenancy privacy risks
- Encryption types and use cases: symmetric (AES), asymmetric (RSA, ECC), at rest, in transit (TLS), in use (homomorphic, secure enclaves). Key management and rotation
- Identity and access management: RBAC, ABAC, just-in-time access, privileged access management, single sign-on, multi-factor authentication — all applied to privacy use cases
- Anonymization techniques: k-anonymity, l-diversity, t-closeness, data masking, tokenization, generalization, suppression, and noise addition
- Pseudonymization implementation: tokenization systems, key management for re-identification, and separation of pseudonymization keys from data
- Privacy-enhancing technologies: differential privacy, homomorphic encryption, secure multi-party computation, federated learning, trusted execution environments, synthetic data
- Secure development lifecycle with privacy: threat modeling for privacy, privacy requirements in design, privacy testing, privacy code reviews, and privacy-aware CI/CD
- API security for privacy: authentication, authorization, rate limiting, input validation, output filtering, and API gateway privacy controls
- Network security for privacy: network segmentation, VPN, TLS configuration, DNS privacy, traffic analysis protection, and network monitoring with privacy preservation
- Monitoring and logging with privacy: privacy-preserving logging (minimizing PII in logs), audit trails, log retention, access logging, and anomaly detection
- Consent tagging and tracking technologies: technical implementation of consent preferences, cookie management systems, tracking pixel controls, and browser privacy features
- AI/ML privacy considerations: training data privacy, model privacy (preventing model inversion), inference privacy, federated learning, and responsible AI principles
- Cloud privacy architecture: data residency controls, cloud encryption (BYOK, HYOK), cloud access security brokers (CASB), and cloud DLP
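The anonymization items above (k-anonymity, l-diversity, generalization, suppression) are easiest to remember by computing them once. The following is an added example, not part of this guide, that generalizes quasi-identifiers (age into ranges, ZIP code truncated), suppresses equivalence classes that are too small, and then measures the k-anonymity and distinct l-diversity of what would be released. The dataset, the choice of quasi-identifiers (`age`, `zip`) and the sensitive attribute (`diagnosis`) are constructed for the illustration.

```python
# Constructed sample dataset (not real data): quasi-identifiers plus one
# sensitive attribute, the classic setting for k-anonymity questions.
RECORDS = [
    {"age": 29, "zip": "02139", "diagnosis": "flu"},
    {"age": 31, "zip": "02138", "diagnosis": "asthma"},
    {"age": 34, "zip": "02142", "diagnosis": "flu"},
    {"age": 45, "zip": "10001", "diagnosis": "diabetes"},
    {"age": 47, "zip": "10002", "diagnosis": "flu"},
    {"age": 52, "zip": "10003", "diagnosis": "asthma"},
    {"age": 63, "zip": "30301", "diagnosis": "cancer"},
]

QUASI_IDENTIFIERS = ("age", "zip")
SENSITIVE = "diagnosis"


def generalize(record, age_bucket=10, zip_digits=3):
    """Generalization: coarsen age into a range and keep only a ZIP prefix."""
    lo = (record["age"] // age_bucket) * age_bucket
    zip_code = record["zip"]
    return {
        "age": f"{lo}-{lo + age_bucket - 1}",
        "zip": zip_code[:zip_digits] + "*" * (len(zip_code) - zip_digits),
        SENSITIVE: record[SENSITIVE],
    }


def equivalence_classes(records):
    """Group records that share the same quasi-identifier values."""
    classes = {}
    for r in records:
        key = tuple(r[q] for q in QUASI_IDENTIFIERS)
        classes.setdefault(key, []).append(r)
    return classes


def k_anonymity(records):
    """k = size of the smallest equivalence class (0 for an empty set)."""
    classes = equivalence_classes(records)
    return min((len(c) for c in classes.values()), default=0)


def l_diversity(records):
    """Distinct l-diversity: fewest distinct sensitive values in any class."""
    classes = equivalence_classes(records)
    return min((len({r[SENSITIVE] for r in c}) for c in classes.values()), default=0)


def anonymize(records, k, age_bucket=10, zip_digits=3):
    """Generalize, then suppress every class smaller than k.

    Returns the releasable records and how many were suppressed.
    """
    generalized = [generalize(r, age_bucket, zip_digits) for r in records]
    classes = equivalence_classes(generalized)
    released = [r for c in classes.values() if len(c) >= k for r in c]
    return released, len(generalized) - len(released)


if __name__ == "__main__":
    print("raw k:", k_anonymity(RECORDS))
    released, suppressed = anonymize(RECORDS, k=3, age_bucket=20)
    print("released:", len(released), "suppressed:", suppressed)
    print("k:", k_anonymity(released), "l:", l_diversity(released))
```

Two things the numbers show: the raw table is 1-anonymous (every row is unique), and reaching k=3 with 10-year age buckets would suppress most of the data, whereas 20-year buckets reach k=3 while suppressing a single row. The released set is still only 2-diverse, because one class contains "flu" twice, which is exactly why the exam pairs k-anonymity with l-diversity: a large class tells you nothing if its sensitive values are homogeneous.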
Common Exam Traps
Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.