The Certified Data Privacy Solutions Engineer (CDPSE) certification is new on the scene, but the privacy-focused cert is already in increasing demand.

What is the CDPSE certification?

The Certified Data Privacy Solutions Engineer (CDPSE) certification focuses on the implementation of privacy solutions, from both a technical and governance perspective. It is offered by ISACA, a nonprofit professional association focused on IT governance with a number of certifications in its stable, including CISM.

CDPSE is one of the newest certs on the market: it was launched in May 2020, and initially had no exam requirement for early adopters, although by late 2021 that was no longer the case. The organization rolled out the new certification because of what they perceived as a gap in the industry landscape. “Modern privacy laws and regulations require organizations to implement privacy by design and by default into IT systems, networks, and applications,” says Kim Cohen, ISACA Senior Director of Credentialing. “To do so, privacy professionals must partner with software developers, system and network engineers, application and database administrators, and project managers to build data protection and information security measures into new and existing data processing environments. We designed the CDPSE certification to promote privacy-enhanced design that works cross-functionally with legal, policy, DBAs, engineers, software developers, and back-end and front-end experts.”

That’s certainly a broad mandate.
Let’s take a look at the topics a CDPSE certification covers and then dive into the specifics of how you can earn this credential and how that might affect your career.

CDPSE work-related domains

Overall, a CDPSE certification is meant to demonstrate expertise in three main areas, which ISACA refers to as work-related domains:

- Privacy governance, which includes governance, management, and risk management
- Privacy architecture, which includes infrastructure, applications and software, and technical privacy controls
- Data lifecycle, which includes data purpose and data persistence

ISACA breaks down what’s covered under each of these domains in more detail on their website.

Matt Stamper is the CISO and executive advisor at Evotek, and the ISACA San Diego Chapter president. He was one of the early CDPSE holders and was particularly impressed by the broad base of knowledge these domains represent. “I think the CDPSE by its design is fundamentally designed to have a multidisciplinary and broad perspective,” he says. “What’s good about the CDPSE, is that it looks at that lifecycle and understands the architecture around it. It also pulls in governance practices as well—things like doing your data privacy impact assessments and third-party vendor reviews.”

CDPSE certification requirements

There are three steps you need to take in order to attain CDPSE certification:

- Pass the CDPSE exam
- Adhere to the ISACA Code of Professional Ethics
- Demonstrate the required minimum work experience

We’ll dive into the exam in more detail in the next section, but let’s pause here for a moment to discuss those work requirements. As noted, CDPSE is intended as a relatively high-level cert, so its holders have to show that they have real-world experience, not just book smarts.
To that end, in order to be certified, you need to have at least three years of experience in “the implementation of technical privacy by design solutions, control or security work.” This experience should dovetail with the CDPSE work-related domains we discussed in the previous section.

To ensure that you’re at least relatively current on industry trends, you will need to have accrued this experience over the 10 years before you apply for the credential. If you don’t yet have the requisite years of experience and are itching to take the exam, that’s OK too: you can apply up to five years after you pass the test. (In fact, you can’t formally apply for the credential until you pass the exam.) This application is where you document your work experience, and the application fee is $50.

Once your CDPSE application has been accepted, you need to adhere to ISACA’s Continuing Professional Education (CPE) program to maintain it. That means taking at least 20 hours of CPE training over each three-year reporting period after you’ve attained the credential. For more information on how you can meet this requirement, download the CDPSE CPE Policy (it’s a PDF) from ISACA.

CDPSE exam

Still, as is true for most certifications, the exam is the heart of the CDPSE certification experience. The exam lasts three and a half hours and consists of 120 multiple-choice questions. The exam covers the three CDPSE work-related domains in the following proportions:

- Privacy governance: 34%
- Privacy architecture: 36%
- Data lifecycle: 30%

You can take it either at a PSI Exam Site or as an online proctored exam from your home; in the latter scenario, a proctor will be watching you through your webcam, so be warned if you find that a little off-putting. For more details, check out ISACA’s exam candidate guide and scheduling guide, as well as information on special accommodations.

If you’d like to get a sense of what the CDPSE exam is like, there are sample exam questions that will give you a taste.
ISACA has a ten-question practice quiz, and Edsum has a similar short set of sample questions available for free. You can also pay to take a full-length practice exam.

What does CDPSE cost?

ISACA has a pretty thorough breakdown of the costs associated with getting CDPSE certified, but the basics are as follows:

- First up is the exam fee, which is $575 for ISACA members and $760 for non-members. (ISACA membership dues are $135, so if you’re planning on taking one of their certification exams this year, you will come out ahead from the get-go.) You have a year to take the exam after registering to do so, but you will not be refunded if you don’t take it in time.
- Once you’ve passed the exam, you must formally apply to be CDPSE certified; the fee for this application is $50.
- Subsequently, you must pay an annual maintenance fee to remain in good standing with your certification. This fee is $45 for members and $85 for nonmembers.

CDPSE books and training

ISACA has an official CDPSE Review Manual that it makes available as an ebook or print volume, in English, Turkish, and Simplified Chinese, that costs $105 for members and $135 for non-members. Because the CDPSE is such a new credential, the usual ecosystem of third-party books, study guides, and review material hasn’t matured just yet. But the highly rated All-In-One Exam Guide series managed to stay ahead of the game by putting out its first edition of its CDPSE guide in 2021.

Looking for more formal training beyond a study guide? ISACA offers an online CDPSE review course that costs $795 for members and $895 for non-members. And there’s a wide variety of third-party training courses available as well, ranging from a $13.99 Udemy exam prep course to LearningTree’s $3,600 4-day instructor-led training. Other training courses are available from InfosecTrain, the Infosec Institute, and more.

CDPSE jobs: Who is CDPSE for?

ISACA sees CDPSE as a certification that will be pursued by people in or interested in a number of job roles, including:

- Consultants
- Data analysts
- Data scientists
- IT project manager
- Privacy advisor/manager
- Privacy analyst/engineer
- Privacy solutions architect
- Software engineer

But just as privacy is important in nearly every part of the modern enterprise, so too is a privacy-focused cert like CDPSE a feather in the cap of just about anyone whose job involves handling data—and that transcends the usual job silos. “If I’m hiring somebody that has the CDPSE, that individual has a fairly extensive body of knowledge,” says Evotek’s Stamper. “It’s not just legal, it’s not just IT, it’s not just governance, it’s not just security. It’s an amalgam of all those various domains and disciplines.”

CDPSE salary: Is CDPSE worth it?

Certifications like CDPSE aren’t easy—or cheap—to get, and many people who pursue them do it specifically to boost their earnings. That said, anyone telling you that a particular certification guarantees a certain salary is trying to sell you something (probably a certification). Because CDPSE is such a new cert, data on the earning power of its holders is particularly hard to come by. Writing for the Infosec Institute, Greg Belding estimates that CDPSE holders working in data privacy can expect to make around $150,000 a year, but he admits that’s mostly an educated guess.

That said, CDPSE holders can reasonably expect that the certification will help them stand out from the pack, if nothing else—and that can lead to lucrative opportunities. Lisa McKee, senior manager, security and data privacy at the consultancy Protiviti, explains her thinking on the subject. “Our clients expect and, in some cases, require industry experts on their projects,” she says. “Certifications are one way of demonstrating the strength of skills, knowledge, and talent of our Protiviti team.
Privacy involves knowledge with both the legal requirements and a technical skillset to implement them. That is where having the CDPSE certification is beneficial.”

“It takes someone with the technical skills of data collection, systems, and applications to satisfy our client’s obligations,” she continues. “Legal teams most often do not require the technical skills needed to know how data is collected from an individual, where it is stored in systems, how to retrieve that data and package it in a user-friendly digestible format for consumers. That is the role and benefit having CDPSE-certified individuals with the firm—and what makes their role unique and highly in demand.”