CPIO Certification Programme

The Certified Personal Information Officer (CPIO) certification programme is developed specifically for persons who are responsible for protecting the privacy rights of data subjects, for compliance or encouraging compliance with the conditions for the lawful processing of personal information, for dealing with requests made regarding the processing of personal information, and for working with the Information Regulator.

The CPIO certification is for all individuals who design, manage and oversee an enterprise’s use of personal information. While its central focus is the protection of personal information, it will be of value to anyone with responsibility for the processing of information. This certification promotes best practices and provides executive management with assurance that those with the designation CPIO are knowledgeable about the requirements for lawfully processing personal information.


Development/Description of the CPIO Exam

A CPIO committee oversees the development of the exam and ensures the relevance and currency of its content. Questions for the CPIO exam are developed through a comprehensive process designed to ensure the ultimate quality of the exam.

Job practice statements serve as the basis for the exam and set out the knowledge and skill requirements to earn the CPIO certification. These job practice statements are periodically updated and consist of five domains. The domains and the accompanying tasks and knowledge statements are the result of extensive research and feedback from subject matter experts.

The tasks and knowledge statements describe the tasks performed by CPIOs and the knowledge required to perform these tasks. Exam candidates will be tested based on their practical knowledge associated with performing these tasks.

The current job practice analysis contains the following domains and percentages:

  • Legislation for the protection of personal information (20%)
  • Conditions for the lawful processing of personal information (20%)
  • Privacy risk management (15%)
  • Generally accepted information security practices and procedures (25%)
  • Privacy management framework (20%)