ISACA · CDPSE
Validates the technical skills and knowledge to assess, build and implement comprehensive data privacy measures across privacy governance, risk management, data lifecycle, and privacy engineering.
Questions
749
Duration
210 minutes
Passing Score
450/800
Difficulty
ProfessionalLast Updated
Jan 2026
Use this CDPSE practice exam to prepare for Certified Data Privacy Solutions Engineer (CDPSE) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 749 questions for ISACA CDPSE, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Privacy Governance, Privacy Risk Management and Compliance, Data Life Cycle Management, and Privacy Engineering. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Certified Data Privacy Solutions Engineer (CDPSE) is a globally recognized, experience-based technical certification awarded by ISACA that validates the skills required to assess, build, and implement comprehensive data privacy measures. Unlike policy-focused privacy credentials, CDPSE is specifically designed for technology professionals who translate privacy requirements into working technical solutions — implementing privacy by design across systems, networks, and applications. The certification covers four core domains: Privacy Governance, Privacy Risk Management and Compliance, Data Life Cycle Management, and Privacy Engineering, with particular emphasis on technical implementation areas such as encryption, anonymization, identity and access management, and privacy-enhancing technologies (PETs).
First introduced by ISACA, the CDPSE has grown to more than 16,000 credential holders worldwide and was updated with a revised Body of Knowledge taking effect in April 2025, reflecting evolving regulations such as GDPR and CCPA, emerging AI/ML privacy challenges, and modern infrastructure requirements. The certification demonstrates that holders can not only understand privacy frameworks but engineer privacy controls into real-world technology platforms and data pipelines.
CDPSE is intended for mid-to-senior level technology professionals who are actively involved in building and implementing privacy solutions rather than defining policy. Relevant job roles include Privacy Engineers, Data Protection Engineers, Security Architects, Cloud Engineers, DevOps professionals with privacy responsibilities, IT Risk Managers, and Compliance Technologists. Professionals working in environments subject to GDPR, CCPA, HIPAA, or other data protection regulations will find particular value in this credential.
Candidates are expected to have a minimum of three years of cumulative work experience performing CDPSE job practice tasks within the ten-year period preceding their application. The exam itself is open to anyone, including those who have not yet met the experience threshold, but full certification requires verified professional experience submitted through an ISACA account within five years of passing the exam.
There are no formal educational prerequisites to sit for the CDPSE exam. However, ISACA recommends that candidates have at least three years of hands-on experience in roles involving privacy technology implementation, data governance, risk management, or security engineering. This experience must be directly tied to the four CDPSE job practice domains and verifiable by a supervisor or manager.
A solid foundational understanding of networking, cloud infrastructure, application development, and information security is strongly recommended before attempting the exam. Familiarity with major privacy regulations (GDPR, CCPA), Privacy Impact Assessments (PIAs), data classification methodologies, encryption standards, and identity and access management concepts will be essential. Professionals who already hold ISACA certifications such as CISA or CISM, or industry credentials such as CISSP or CIPP, will find significant content overlap and may require less preparation time.
The CDPSE exam consists of 120 multiple-choice questions, each with a single best answer, to be completed within 210 minutes (3.5 hours). Questions are scenario-based and assess applied knowledge rather than rote memorization, requiring candidates to evaluate real-world privacy engineering situations. The exam is scored on a scale of 200 to 800, with a passing score of 450. ISACA uses scaled scoring to account for variation in difficulty across exam versions.
The exam is delivered as a computer-based test and is available at authorized PSI testing centers worldwide or via remote proctoring, allowing candidates to test from their own location. Registration is open on a continuous basis, and testing appointments can be scheduled as early as 48 hours after fee payment. The exam is available in English, Chinese Simplified, Spanish, and German. Candidates who do not pass may retake the exam up to four times within a rolling 12-month period, with each attempt requiring full payment of the exam fee ($575 for ISACA members, $760 for non-members).
CDPSE-certified professionals are positioned at the intersection of two high-demand fields — cybersecurity and data privacy — making them highly sought after as organizations scale their compliance programs to meet GDPR, CCPA, and other global regulations. Common roles for credential holders include Privacy Engineer, Data Protection Officer (technical track), Security Architect, Cloud Privacy Specialist, and IT Risk Analyst with privacy focus. ISACA data indicates that the average annual salary for CDPSE holders in the United States exceeds $150,000, ranking it among the top-paid certifications in information security. More than half of credential holders report applying CDPSE skills daily, and 42% report measurable productivity gains attributable to the certification.
Compared to policy-oriented privacy credentials such as the IAPP's CIPP or CIPM, CDPSE occupies a distinct technical niche, making it the preferred credential for engineers and architects rather than privacy counsel or compliance officers. For professionals who already hold CISA, CISM, or CISSP, CDPSE adds a specialized privacy engineering layer that complements broader security governance credentials. With more than 16,000 holders globally and growing regulatory pressure across industries including healthcare, finance, and technology, demand for CDPSE-qualified professionals continues to increase.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 749 questions.
Preview — answers shown1. An international e-commerce company is implementing Hoepman's eight privacy design strategies for a new recommendation engine. The architecture must prevent the creation of complete user profiles while still providing personalized product suggestions. The privacy engineer needs to apply data-oriented strategies that distribute processing to prevent comprehensive profiling. Which two data-oriented strategies should be prioritized? (Select two!)
Multiple correct answersExplanation
SEPARATE and AGGREGATE are the data-oriented strategies that directly prevent complete profile creation through technical architecture. SEPARATE distributes processing and storage across systems so no single component holds complete user profiles, using techniques like data partitioning or processing data in isolated contexts. AGGREGATE processes data at higher abstraction levels using statistical summaries rather than individual records, preventing detailed profiling while enabling recommendations. MINIMIZE is important but doesn't specifically address preventing profile aggregation. CONTROL is a process-oriented strategy focused on user empowerment rather than architectural data distribution. DEMONSTRATE is process-oriented, proving compliance rather than technically preventing profiling. The combination of separating data storage and processing data in aggregate form creates architectural barriers against comprehensive profiling while maintaining recommendation functionality.
2. A privacy engineer at a global media company is implementing the AICPA/CICA Privacy Maturity Model. The organization currently has documented privacy procedures that are consistently followed, conducts quarterly privacy effectiveness reviews with metrics tracking, and has implemented a feedback loop where privacy incidents trigger automatic procedure updates. Senior management receives monthly privacy dashboards with trend analysis. At which maturity level does this organization operate? (Select one!)
Explanation
Level 5 Optimized is correct because the organization demonstrates continuous improvement through automated feedback loops where incidents trigger procedure updates, combined with trend analysis and regular effectiveness reviews. This represents the highest maturity level with proactive adaptation. Level 2 Repeatable only requires procedures to exist but allows incomplete documentation. Level 3 Defined requires full documentation and implementation but not effectiveness measurement. Level 4 Managed requires regular effectiveness reviews but does not include the continuous improvement and automated feedback mechanisms that characterize Level 5 Optimized.
3. A privacy engineer at a cloud storage provider must implement encryption to protect customer files at rest, in transit, and in use. The organization handles highly sensitive intellectual property and regulatory compliance data. The solution must prevent the cloud provider's administrators and the underlying hypervisor from accessing plaintext data during processing. Which encryption implementation provides protection for data in use while preventing host OS and hypervisor access? (Select one!)
Explanation
Trusted Execution Environments (TEEs) like Intel SGX (Software Guard Extensions) or AMD SEV (Secure Encrypted Virtualization) provide hardware-isolated execution that protects code and data during processing from the host OS, hypervisor, and physical access. TEEs create encrypted enclaves where data can be processed in plaintext while remaining protected from all other system components. AES-256 at rest and TLS 1.3 in transit protect data in those states but do not protect data during active processing. Column-level database encryption protects stored data but data must be decrypted for processing, leaving it vulnerable during use. Full-disk encryption using BitLocker protects data at rest on the disk but provides no protection once the system boots and data is loaded into memory for processing.
4. A European media company is implementing a Consent Management Platform using IAB Transparency and Consent Framework version 2.2 to comply with GDPR requirements. The platform will process user data for multiple purposes including storing cookies, displaying basic non-personalized advertisements, creating personalized advertising profiles, selecting personalized ads, and measuring ad performance. The privacy engineering team needs to determine which purposes require explicit user consent versus which purposes allow legitimate interest as a legal basis under TCF 2.2 specifications. Which statement correctly describes TCF 2.2 legal basis requirements? (Select one!)
Explanation
IAB TCF 2.2 made a critical change from version 2.1 by removing legitimate interest as an acceptable legal basis for advertising and content personalization purposes. Purpose 1 for storing and accessing information on a device has always required consent as the sole legal basis. The major TCF 2.2 update deprecated legitimate interest for Purposes 3, 4, 5, and 6 which cover creating personalized ads profiles, selecting personalized ads, creating personalized content profiles, and selecting personalized content. These four purposes now require consent only. Purpose 2 for selecting basic ads, along with Purposes 7 through 11 covering measurement, market research, product development, and security, continue to allow vendors to rely on either consent or legitimate interest. This change reflects regulatory guidance that personalized advertising and profiling activities require the higher standard of explicit consent rather than relying on legitimate interest balancing tests.
5. A financial services company is designing an access control system for a cloud-based loan processing application. Access decisions must consider multiple factors: user attributes (job title, department, clearance level), resource attributes (loan amount, data classification), action attributes (view, edit, approve), and environmental attributes (time of access, location, device security posture). The system must support dynamic, fine-grained authorization policies. Which access control model best meets these requirements? (Select one!)
Explanation
Attribute-Based Access Control using XACML provides the dynamic, context-aware, fine-grained authorization needed for this scenario. XACML can evaluate user, resource, action, and environmental attributes simultaneously in policy decisions. Role-Based Access Control is static and role-level, unable to incorporate contextual factors like time, location, and device posture. Discretionary Access Control uses access control lists managed by resource owners, lacking the dynamic policy evaluation required. Mandatory Access Control uses security labels and clearance levels but does not support the rich contextual evaluation needed for this use case.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
IT Risk Fundamentals Certificate
Risk-Fund · 616 questions
$17.99
One-time access to this exam