ISACA CDPSE domain 1: Privacy governance

September 16, 2021 by Graeme Messina

This article covers the first domain in ISACA’s Certified Data Privacy Solutions Engineer (CDPSE) certification. You’ll learn the detailed objectives in the privacy governance domain and how to use these skills to forge a path in your data privacy career. 

We cover some of the basics as well as some ways you might use these skills on the job. There are many different aspects to consider, but we will start by asking the primary question.

Free ISACA Career Kit


ISACA certification holders are among the highest-paid in the industry, with average salaries ranging from $103,000 to $133,000, according to Payscale. Earn one of the highest-paying certifications in the industry.

What is privacy governance?

We often hear the term “privacy governance” used in relation to CDPSE, but what is it? Put simply, privacy governance is the skill set required by individuals and organizations to effectively manage all aspects of privacy within a business or organization. 

These skills allow companies to develop and understand privacy policies, privacy programs, legal requirements and regulatory requirements for specific markets.

Without privacy governance, it is almost impossible to conduct any meaningful business without falling afoul of regulations and laws in different regions throughout the world. Privacy governance also helps ensure industry best practices are followed as they relate to sensitive information and procedures.

How will privacy governance help my career?

Privacy governance is a vital skill set for most industries that wish to operate in today’s highly regulated markets. Many different sectors need to manage and maintain privacy policies, procedures and records. These organizations often span different geographical regions, making employment in many locations a reality when one possesses these skills.

Other aspects of privacy governance lend themselves to desirable skills such as evaluating contracts and service level agreements and crafting procedures for vendors and service providers. If you are looking for exposure to services such as provider procurement within a company, you will find that the skills required to maintain privacy through privacy governance will help.

These skills combine with similar administrative tasks that require high levels of confidentiality and privacy, making certified privacy governance candidates highly sought after. 

What is covered in CDPSE domain 1?

There are many items to cover in this domain. The key takeaway is that privacy governance also relies on governance, management and risk management functions to be effective. 

You should be able to:

    • Identify privacy requirements, both internal and external: A governance and risk management program or practice defines an organization's governance and risk management practices.
    • Evaluate privacy policies, programs and practices: Regulatory requirements, legal requirements and industry best practices dictate this.
    • Coordinate and execute privacy impact assessments (PIA): This and other privacy-focused assessments are covered in detail within this domain.
    • Participate in the development of procedures: These procedures will align with the organization’s specified privacy procedures and policies. The aim is to ensure that candidates can demonstrate their understanding and application of privacy policies and laws.
    • Follow privacy policies when implementing procedures: The technical best practices of a technology also need to align with its privacy measures. This means that privacy governance has to be considered well in advance of a project’s planning stages.
    • Manage and evaluate vendor contracts, service levels, and practices.
    • Assist in the management of privacy incidents: You can position yourself as a subject matter expert when assisting other departments that may lack the overall privacy governance expertise that this certification offers.
    • Assess security risks and mitigate them in collaboration with cybersecurity personnel: To the uninitiated, minor privacy breaches might not seem like a problem compared with maintaining daily operations. However, minor incidents can lead to license revocations, market closures and massive fines.
    • Assist collaboratively in designing, developing and implementing systems, apps and infrastructure items: This ensures privacy policies and best practices can be established.
    • Establish a process for prioritizing privacy practices: Learn how to decide which policies need to be implemented immediately and rank them appropriately before implementation.
    • Measure and report privacy performance metrics and trends: To determine how successful a policy is, you need to measure it. There are many different ways of accomplishing this, and key metrics need to be considered when implementing any meaningful reporting.
    • Inform relevant stakeholders with status reports as well as outcomes regarding privacy programs and procedures.
    • Promote privacy practices by participating in training and educating employees.
    • Identify process improvement opportunities and issues that require remediation.

Communication plays a significant role in this field. Collaboration and training are all essential if privacy governance is to work effectively in a company. Interdepartmental collaboration is one of the key areas where privacy governance must be adopted; otherwise, it is almost impossible to manage privacy properly.

Equally important is the measuring and reporting aspect of this domain. There has to be some form of measurement to properly gauge how a set of procedures is being followed. This makes it far easier to communicate progress to management and allows decision-makers to properly implement your recommendations based on accurate information.

All of these abilities combine to create a skill set that is in high demand. Privacy governance is becoming more desirable in fast-moving organizations that need to hit the ground running in new markets without being slowed down by unexpected red tape and regulations.

These skills also prove invaluable for companies that risk breaching punitive regulations such as GDPR, which can inflict heavy financial and reputational damage on organizations that fail to comply.

Why does ISACA see these topics as being important?

The future of organizations depends on their ability to properly understand and interact with privacy policies and procedures. Privacy governance capacity has to be established to leverage that power effectively.

This means that organizations with the right skilled individuals can quickly adapt to changing environments where privacy is necessary to continue operations. 

Learning valuable collaboration techniques also helps prevent disparate teams from forming, which would otherwise make it harder to implement steps across different departments of an organization. Teams need to seamlessly interact with one another to fully understand the impact that privacy governance changes will have on their operations.

Privacy governance makes up just over one-third of the ISACA CDPSE domains, so candidates must understand the requirements that have been set out in CDPSE domain 1. Domain 1 plays in concert with privacy architecture and the data lifecycle, covered in later domains. CDPSE domain 1 offers exciting opportunities for you to further understand techniques for implementing awareness and training within an organization. 

The collaborative and procedural nature of these skills will be helpful in other domains within the business. All of these factors add up to create a highly desirable certification that adds value to the organization in many different aspects.



Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.