If your next move involves stepping up from being a cyber team player to taking on greater decision-making responsibilities, project ownership, and leadership, CISM and CISSP both need to be on your radar as possible ways to validate your abilities.
With a CISSP vs CISM comparator, we’re talking about two of the most comprehensive and respected security certifications out there for moving into senior roles. And yes, there’s overlap in content, but there are also significant differences in focus, intended audience, and - crucially - the type of jobs each certification will equip you for.
So first and foremost, don’t fall into the trap of assuming the two certs are “pretty much the same.” Look through our CISM vs CISSP guide to decide which accreditation is the best fit for where you are now and where you want to go next.
What are CISM and CISSP Certifications?
Both CISSP and CISM can be classed as comprehensive cyber security certifications. By this, we mean they each include elements of the following:
- Strategy. Validating your ability to make the right decisions to manage the security of IT environments.
- Governance. Ensuring that your actions align with organization-specific policies, best practice frameworks, and any relevant regulatory standards.
- Technical knowledge. Establishing that you have the know-how to actually put security strategies and policies into practice.
CISM and CISSP are also vendor-neutral qualifications: i.e. rather than being linked to a specific service provider, they are designed to test your security management knowledge across various IT environments, both in the cloud and on-premise.
As you can see from the roadmap below, CISSP is a certification to focus on building up an advanced skill level in a broad range of security topics. CISM is a qualification to hone in on to boost your credentials in security governance.
Certified Information Security Management (CISM) is an advanced management certification from ISACA (Information Systems and Control Association), aimed at cyber professionals with several years of experience.
ISACA is a globally-recognized professional association committed to advancing digital trust: i.e. the ability of organizations to demonstrate to their users they can provide a secure and private digital environment.
The certification validates your ability to deploy and manage security programs - e.g. security controls, risk analysis, and incident response.
However, reflecting ISACA’s commitment to digital trust, there’s also a strong emphasis on governance: i.e. creating robust, auditable security strategies that will affirm your organization’s credibility in the eyes of customers and other stakeholders.
The Certified Information Systems Security Professional (CISSP) is an advanced accreditation from the International Information System Security Certification Consortium (ISC)2.
To understand the purpose and scope of CISSP, it’s worth thinking about the characteristics of a large organization with a growing IT estate:
- There are various categories of business digital assets in play (e.g. databases and applications), which all need to be secured and managed.
- Stakeholders need the ability to communicate and share information securely.
- People, devices, and services need to be authenticated to prevent unauthorized access.
- Security must be hardwired into any software or systems you develop in-house.
- You need the ability to monitor, identify and respond to any cyber threats across the entire organization.
- Security policies, standards, procedures, and guidelines need to be developed, communicated, and implemented.
CISSP is regarded as a truly comprehensive security management accreditation precisely because it covers ALL of these elements.
CISM and CISSP assessments both require you to sit a single, closed-book written exam. For CISM, you can take the exam at an in-person testing site or remotely via remote proctoring. The CISSP exam must be taken at a Pearson VUE testing center.
CISM Exam Details
The CISM assessment comprises a single knowledge-based, 4-hour, 150-question multiple-choice exam. The passing score is 450 out of 800.
The exam covers four content domains broken down as follows:
- Information Security Governance (17%)
- Information Security Risk Management (20%)
- Information Security Program (33%)
- Incident Management (30%)
CISSP Exam Details
The CISSP evaluation is a 4-hour exam comprising 125-175 questions. (ISC)2 uses a CAT (Computerized Adaptive Testing) format for CISSP. This means that the number, nature and difficulty of the questions you get are dynamically adjusted in real-time to reflect your answers to previous questions.
The questions consist of the following:
- 50 unscored items to aid with CAT benchmarking (these don’t count against your results).
- 75-125 scored questions. These are a combination of multiple-choice questions and what ISC(2) refers to as ‘advanced innovative items’ (e.g. dragging and dropping items into the correct sequence to illustrate a process flow).
CISSP exam content is divided into eight CISSP Common Body of Knowledge (CBK) domains weighted as follows:
- Security and Risk Management (15%)
- Asset Security (10%)
- Security Architecture and Engineering (13%)
- Communication and Network Security (13%)
- Identity and Access Management (13%)
- Security Assessment and Testing (12%)
- Security Operations (13%)
- Software Development Security (11%)
We’ve seen CISSP described as being “a mile wide and an inch deep.” This may sound disparaging, but it actually explains why the accreditation is so sought-after.
Most employers expect their senior employees to have solid, across-the-board know-how. In terms of sheer scope, from secure-by-design software development to cyber awareness communication strategies, CISSP helps you to demonstrate a good grounding in pretty much all aspects of infosec security.
By contrast, CISM delves more deeply into the principles of governance and risk management (essential for many senior infosec leadership roles). However, there’s much less coverage of the technical side of security management.
Both of these exams are designed for professionals with several years of experience in information security.
CISM Eligibility Requirements
To sit the CISM exam, you must have five years of verified experience in information security. At least three of those years need to have been spent in a minimum of three of the following broad practice areas (with one year or more in each):
- Information security management
- Information risk management
- Information security program development
- Information security governance
CISSP Eligibility Requirements
To claim the CISSP accreditation title, (ISC)2 requires candidates to have a minimum of five years of work experience in two or more of the eight CISSP CBK domains listed above.
Completing certain categories of college degrees or approved advanced certifications can reduce the work experience requirement by a maximum of one year in total. (ISC)2’s list of accepted certifications can be found here.
CISSP accreditation also requires you to be endorsed by an existing CISSP holder.
If you pass the exam without having the required work experience, you cannot describe yourself as a CISSP. You can, however, describe yourself as an “Associate of (ISC)2”. You have six years from passing the exam to earn the requisite work experience to claim the CISSP title.
ISACA and (ISC)2 take a similar approach here, as both require you to have a solid professional background before you are awarded these accreditations.
However, CISSP gives you slightly more leeway compared to CISM. First, you can partially reduce the five-year requirement with certain advanced qualifications under your belt. Secondly, (ISC)2 allows you to build up your requisite work experience through a significantly wider range of areas, including certain operational roles.
Neither of these exams is “easy.” They both require thorough familiarization with the subject areas and, ideally, plenty of exposure to practice tests. However, there are differences between the two.
CISM Exam Difficulty
As we’ve seen already, CISM has a much stronger focus on management and governance compared to CISSP. For instance, you’ll be expected to demonstrate your knowledge of what it takes to manage an infosec program, but with less emphasis on the operational detail of what this entails.
CISM also follows the traditional linear, multiple-choice model. There are no performance-based tasks involved. And crucially, you can skip tricky questions and go back to them at a later stage.
CISSP Exam Difficulty
As mentioned previously, (ISC)2 has adopted the CAT approach for CISSP. The computer selects the question for you as you go along, depending on how well you’ve done so far.
With each correct answer, CAT will present you with more difficult questions from that knowledge domain. As the questions become more difficult, each one is worth more points. If you can answer these increasingly complex answers correctly, it can result in the exam ending earlier with a passing grade.
Under the dynamic CAT system, question 100 is the crunch point. If it’s calculated that you are 95% likely to pass after that question, it will end the exam with a pass. If you’re assessed as 95% likely to fail, the exam will end with a failing grade.
If the likelihood of either a pass or fail is less than 95% at question 100, it will recalculate the odds after each question until question 150, when the exam will end regardless.
This isn’t a universally applicable verdict. In particular, if you prefer drilling into the operational detail but struggle with topline concepts linked to governance and risk management, you’re probably going to be more at home with CISSP than CISM.
On balance, however, we suspect that most people will find CISSP to be more of a challenge than CISM.
In terms of scope, CISSP covers a significantly wider range of topics than CISM: i.e. more content to learn. By contrast, CISM goes into greater depth into a narrower range of content domains, with interrelated concepts building upon each other.
The exam format is the other big differentiator. CISM’s traditional multiple-choice format is familiar - and for most people at least - familiarity helps build confidence. Also, if you’re the type of person who likes to go through an exam and answer the easy questions first before finishing on the ones you’re less comfortable with, CISSP’s format might take some getting used to.
Which of these security qualifications will be most useful for increasing your employability and promotion prospects? To analyze this, we’ve looked at the range of job roles where each certification is cited, the number of openings available, and the salary level that each one tends to attract.
This is based on current job openings advertised through Indeed in the United States.
Range of Job Roles
Typical roles that stipulate CISM as required or desired:
- Chief Information Security Officer
- Information Security Manager
- Infosec Operations Center Manager
- IT Audit Lead
- IT Security Analyst
- Threat Intelligence and Security Operations Manager
- Governance, Risk, and Compliance Lead
- Security Operations Administrator
- Compliance Assurance Advisor
Typical roles that stipulate CISM as required or desired:
- IT Security / Cyber Security Analyst
- Chief Information Security Officer
- Chief Information Officer
- IT Manager/Director
- Senior IT Desktop Specialist
- Cyber Incident Response Coordinator
- Security Architect
- Network Architect
- InfoSec Risk Specialist
- Lead Infosec Systems Engineer
- Security Auditor
- Cyber Security Consultant
Volume of opportunities
This is assessed based on the number of US job postings where the accreditation is referred to:
- Number of jobs citing CISM - 3,383
- Number of jobs citing CISSP - 10,909
It would be inaccurate to state that one of these certifications commands a higher salary than the other.
As detailed above, job adverts mention CISSP more frequently than CISM. This is because it tends to be specifically listed more often for mid-level roles with a strong technical emphasis (e.g. Network Engineer and Security Architect). According to Zip Recruiter, the average pay for a CISSP job in the US is $125,470.
You will likely find CISM mentioned in senior management roles (i.e. those jobs attracting salaries in excess of $150k). However, it often appears alongside CISSP as an example of an “appropriate professional certification” the employer would like to see. This tells us the CISSP also qualifies you for many senior management roles, much like CISM. This is despite CISSP not being a “management certification,” but an advanced technical one.
This advert for an Information Technology Audit Senior Manager provides an illustration of this…
CISM helps demonstrate that you have a thorough understanding of what it takes to manage security in the context of the wider operational, governance, and compliance concerns of the organization you work for. This will undoubtedly strengthen your credentials when applying for many lucrative leadership roles.
However, once again, CISSP’s sheer breadth puts it on top in the employability stakes. Compared to CISM, it is more frequently cited in a much wider range of mid-level and senior technical roles.
But think carefully about your next move. If the jobs you intend to go for will be focused squarely on governance and formulating strategy, CISM is a possible winner. If there will be a much more balanced blend of strategy, operations, and technical know-how, then CISSP is almost certainly the more useful certification to aim for.
Cost and Recertification
CISM costs $575 for existing ISACA members and $760 for non-members. You must also pay a $50 application processing fee to get your certification after passing.
To maintain your CISM certification, you must complete 20 continuing professional education credits annually in line with ISACA’s CPE Guidelines.
For CISSP, the exam cost is $749. Maintaining the CISSP accreditation requires a payment of a $125 membership per year.
The CISSP certification is valid for three years, after which it must be renewed either by retaking the exam or earning (ISC)2 Continuing Professional Education (CPE) credits. There are specific guidelines on what constitutes these credits, but they broadly consist of taking other related courses, earning additional accreditations, speaking at conferences, publishing, and attending industry events.
Of the two certifications, CISSP is more expensive to gain and has more exacting upkeep requirements.
CISM vs CISSP: What’s Better?
(ISC)2 bills CISSP as "the world’s premier cyber security certificate”, and in many respects, it’s hard to argue against this claim.
With CISSP, we’re talking about the closest thing the security industry has to a certification standard: it’s universally recognized, well-respected, and is stipulated as desired or required in a much wider range of roles compared to CISM.
We’re putting CISSP out on top. But that’s not to say you should overlook the potential value of CISM in enhancing your employability. Here’s one particularly topical reason why…
Governance is a hot topic with organizations right now: It’s the “G” pillar in the ESG (Environmental, Social, and Governance) frameworks that an increasing number of companies are seeking to adopt. Good governance means that rather than tackling risks - including security - in an ad-hoc way, you have solid, transparent, and auditable frameworks in place to address them.
CISM addresses governance and risk management principles and practices in considerably more detail than CISSP. So particularly if you have CISM under your belt alongside CISSP, it shows that you take these topline strategy elements of security management seriously, which could help give you a valuable edge in today’s jobs market.
Remember that with the right pre-exam prep, you can take the CISSP exam without any work experience. You then have six years to complete the requisite industry experience. After that, you officially submit your endorsement to become an official CISSP, and you can then start using those letters after your name.
You could then start preparing for your CISM shortly afterward, as there is considerable overlap between content for both exams.
Ready to start boosting your credentials? View our complete CISSP and CISM course bundles below.