Question 5 - IAPP CIPM Real Exam Questions [Feb 2026 Update]

Q: 5

All of the following are accurate regarding the use of technical security controls EXCEPT?

Options

Discussion

Luke M. Feb 1, 2026 11:44 pm

C or D, but most CIPM practice and the official guide mention privacy laws are tech-neutral so I'd pick C. Check some sample questions to see similar wording if you're unsure.

Emma I. Feb 17, 2026 5:56 pm

B tbh

Logan J. Feb 2, 2026 9:24 pm

Yeah saw a similar question show up-C

QuietLearner2763 Feb 12, 2026 10:44 pm

Option C makes the most sense to me, since privacy laws like GDPR usually don't list specific technical controls, just principles and requirements for appropriate measures. Pretty sure that's what they're getting at, but open to other views if I'm missing something.

SanjayN Feb 20, 2026 2:35 am

C/D? C is right, D's a distractor since you always need someone with security knowledge involved.

Riley C. Feb 5, 2026 9:35 am

Sara Y. Feb 2, 2026 10:47 am

B tbh. Some privacy laws have unique requirements, so just because controls work in one jurisdiction doesn't mean they're good for another. C feels like a trap, but B looks off to me.

Amelia U. Feb 19, 2026 1:48 pm

I don't think B is the outlier, C makes more sense. Privacy laws usually avoid listing particular technical controls, they're tech-neutral so orgs can adapt their approach. Pretty sure that's what they're getting at here, but open to other takes.

Ajay N. Feb 10, 2026 10:50 am

C, not B

Anita Y. Feb 5, 2026 3:33 am

I don't think it's C. I'd pick B here since just because one jurisdiction accepts certain technical controls, it doesn't guarantee another will. There's some overlap but laws differ a lot. Maybe I'm missing something though?

Be respectful. No spam.

Correct Answer:

Explanation

Most modern privacy legislation, such as the General Data Protection Regulation (GDPR), is intentionally principles-based and technology-neutral. These laws mandate that organizations implement "appropriate technical and organisational measures" to secure personal data, with appropriateness determined by a risk assessment. They deliberately avoid prescribing a specific list of required technical controls. This approach ensures the law remains relevant as technology evolves and allows organizations to select controls that are suitable for their specific processing activities, risks, and resources. While examples may be provided, they are not a mandatory, exhaustive list.

Why Incorrect

A. Technical security controls are a crucial component of a data governance strategy, as they are the mechanisms used to enforce policies for data protection and management.

B. Implementing security controls based on internationally recognized standards (e.g., ISO 27001, NIST CSF) often satisfies the security requirements of multiple jurisdictions' privacy laws.

D. The effective selection, implementation, and maintenance of technical security controls require specialized security knowledge to ensure they are configured correctly and adequately mitigate risks.

References

1. General Data Protection Regulation (EU) 2016/679

Article 32(1). The regulation states that controllers and processors shall implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk

" providing examples such as pseudonymisation and encryption

but not mandating them in all cases. This demonstrates the principles-based

non-prescriptive nature of the law regarding specific controls.

2. Densmore

R. (2019). Privacy Program Management: Tools for Managing Privacy Within Your Organization (3rd ed.). IAPP. In Chapter 5

"Protect

" the text explains that privacy laws require a risk-based approach to security. It emphasizes that "most laws do not prescribe specific security controls

" instead requiring measures that are "reasonable" or "appropriate" to the level of risk.

3. NIST. (2020). NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management

Version 1.0. The framework is designed to be "outcome-based

technology-agnostic

and adaptable to any organization" (p. 4). This supports the principle that modern privacy and security management relies on flexible

risk-based approaches rather than rigid

prescribed technical controls. (DOI: https://doi.org/10.6028/NIST.CSWP.1.0)

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE