ISACA Introduces CCPA Audit Program to Help Professionals Navigate the Complex Privacy Regulation Landscape

Schaumburg, Ill. (Aug. 5, 2020) — The California Consumer Protection Act (CCPA) went into effect just over six months ago, on 1 January 2020, but as enforcement just began on 1 July 2020, it is more important than ever for organizations to ensure they are adhering to the regulation and are able to thoroughly evaluate compliance. ISACA has launched its new CCPA Audit Program and the Privacy: Beyond Compliance white paper to equip audit and privacy professionals with the tools to comply with this regulation, as well as understand philosophies and approaches related to privacy.


The CCPA Audit Program covers core processes and subprocesses relevant to CCPA with two main goals in mind: 1) evaluating the design and operating effectiveness of the organization's practices and ongoing management of CCPA compliance and 2) identifying control weaknesses. The audit program also includes sections on data security and managing security incidents and data breaches. By following the detailed testing steps outlined in the accompanying program spreadsheet, auditors can help organizations mitigate business impacts through three key elements:


  • Strong data classification supporting identification and location of consumer data
  • Consistent private data methodology ensuring that third-party vendor handling of private data mirrors that of the entity
  • Agile project management and solid change management programs


"The expansive reach of the CCPA and scope of data it covers can make compliance feel daunting to many," says David Bowden, vice president, information security, data privacy, compliance and information technology at Zwift, and member of the ISACA Privacy Advisory Group. "Having a comprehensive audit program is an incredibly valuable tool for guiding through these intricacies, avoiding repercussions and assuring compliance."


To provide additional context, ISACA has also published Privacy: Beyond Compliance, a white paper that explores the current state of privacy as it relates to compliance, ethics and humanity. Delving into a range of considerations, including COVID-19 contact tracing and how enterprises can stay accountable for temporary privacy violations during a crisis, the publication also outlines eight key focus areas for boards of directors around privacy—including surveillance and tracking, privacy by design, and looking at data as a reflection of a person's life.


"Beyond complying with privacy regulations, today's privacy professionals should recognize the human impact of poor privacy practice, and augment their privacy strategies in response to a rapidly evolving global digital landscape," says Guy Pearce, lead developer for the white paper, and chief digital officer,


"This foundation equips organizations to perform their fiduciary duties to their customers, clients or citizens more ethically and more sustainably, benefiting not only those the organization serves, but also differentiating the organization as one that can be trusted because of what it does, not only because of what it says it does."


The CCPA Audit Program costs US$25 for members and US$49 for non-members and can be accessed here. The Privacy: Beyond Compliance white paper is available as a free download for all.


ISACA also recently introduced a certification for technical privacy professionals. Now in an early adoption phase, Certified Data Privacy Solutions Engineer (CDPSE) assesses a technology professional's ability to implement privacy by design. More information is available at Additionally, ISACA hosts a privacy discussion community at



For more than 50 years, ISACA has advanced the best in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations. Through the CSX, COBIT and CMMI solutions, ISACA enables enterprises to train and build quality teams. ISACA is a global professional association and learning organization that leverages the expertise of its 145,000 members who work in information and cybersecurity, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 223 chapters worldwide.