
Privacy Program Management CIPM Textbook Updates – Part II

February 20th, 2025

An Overview Of Changes In The 3rd Edition Of The Privacy Program Management Textbook

The previous post introduced the new structure of the CIPM textbook at the chapter level. In this post the specific additions and adjustments in each of the chapters of the textbook are elaborated. Below is the chapter organization comparison as a recap:

General Updates

General updates include additional discussion and content, plus new statistical data where newer reports are available (Ponemon, IAPP-EY Governance Report, Verizon Report, Wombat, etc.). References that had largely been removed in the previous edition were added back. As mentioned in the previous post, the chapters were reorganized to better support the BOK and the privacy operational life cycle content, and in some areas content was consolidated.

Chapter 1 - Introduction to Privacy Program Management

The section 1.6 - "Awareness, Alignment and Involvement" was renamed to "Championing Privacy".

Chapter 2 - Privacy Governance

The section 2.1 Create an Organizational Privacy Vision and Mission Statement, has new examples for vision and mission statements.

Sections 2.3 through 2.6 have been reshuffled. 2.3 is now "Develop a Privacy Strategy", which was section 2.6 in the 2nd edition. The smaller section 2.7 Structure the Privacy Team and section 2.8 Governance Models were merged into one consolidated section 2.7. The following picture depicts the changes in chapter 2.

Section 2.4.3 Privacy Program Management Solutions, which introduces the Privacy by Design (PbD) concept, is now included in section 2.5.1 Principles and Standards.

Chapter 3 - Applicable Privacy Laws and Regulations

References to new privacy regulations around the world were added throughout the book where appropriate, including the CCPA, CPRA, Colorado, Nevada, Canada, Latin America (LGPD), East Asia (including China, South Korea, Japan, Malaysia, Singapore, and Thailand), New Zealand and Australia.

The section "3.4 Commonalities of International Privacy Laws" has been removed, but it is still worth knowing the commonalities between these major laws. For instance, requirements for ensuring individual rights (e.g., access, correction and deletion) and the corresponding obligations are common to most of them.

Chapter 4 - Data Assessments

Chapter 4 has four major additions: 4.1 Data Governance, 4.4.6 Assessing Artificial Intelligence, 4.6.1 Assessing Cloud Computing Vendors, and 4.6.3 Assessing Vendors under the CCPA. All of these new additions are relevant to the changing privacy landscape.

Chapter 5 - Protecting Personal Information

This was chapter 8 in the 2nd edition and covers the privacy by design concept. Under section "5.4.4 Information Security Standards and Guidelines", a list of NIST guidelines was included in addition to the ISO standards that were previously there. No other major additions were made, apart from minor expansions to a few sub-sections.

Chapter 6 - Policies

As discussed earlier, chapter 5 of the 2nd edition is now chapter 6. As with other chapters, content was expanded in some sections with additional references. Sections 6.7.2 Developing a Vendor Contract and 6.7.3 Vendor Risk Management now have additional content.

Chapter 7 - Monitoring and Auditing Program Performance

No major changes were made to this chapter. A new sub-section 7.2.14 Training Data was added that discusses the importance of gathering data to boost employee engagement.

Chapter 8 - Training and Awareness

The chapter includes some additional content, but most notably the methods listed in section 8.8 Training and Awareness Methods were revised.

Chapter 9 - Data Subject Rights

Sections on the CCPA, Virginia's CDPA and other recently enacted privacy laws have been included; these are sections 9.4.2.5 and 9.4.2.6 respectively. Section 9.5.7 Right to Restriction of Processing and section 9.5.8 Right to Data Portability have new content referencing GDPR articles. Section "9.8.1 Data Subject Rights Outside the United States and Europe" has been expanded to cover additional country-specific changes that have occurred recently.

Chapter 10 - Data Breach Incident Plans

This is probably the chapter with the fewest changes overall.

Summary

Our team at Cyrvana created a two-page document that provides an overview of the CIPM content. Many of our trainees find it very helpful, and we call it "CIPM On A Page" (well, two pages actually!). Please download it, and good luck with your CIPM exam!
