There are numerous cybersecurity certifications, but two of the most respected are the CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager). What most people want to know, however, is "which one is better?" In this blog post, we will answer that, along with other questions like "which one costs more?", "what are the requirements for each course?" and "which one will get me the best job!?"
But before jumping to the differences, let us point out a couple of parallels between the courses. Both CISM and CISSP are vendor-neutral and offered by independent, non-profit associations. They draw on the most current knowledge in the industry to give deep, comprehensive training in understanding and responding to information security threats. Also, if you're from the government seeking these certifications, both meet the rigorous requirements of the U.S. Department of Defense (DoD) Directive 8570. Both courses also ranked highly in our survey of information security professionals about the best cyber security certifications in 2022.
Let's get one thing out of the way: neither the CISM nor the CISSP certification is for IT newcomers. Both are highly sought-after across the infosec industry and are known for their strict set of prerequisites, such as a specific amount of work experience; both are tested against a standard body of knowledge; and both require CPE (Continuing Professional Education) credits for continued certification. Offered by ISACA (Information Systems Audit and Control Association), CISM is an advanced certification that indicates that an individual possesses the knowledge and experience needed to develop and manage an enterprise information security program. It also emphasizes the relationship between information security and the business goals of the enterprise.
CISSP is also an advanced certification but is offered by (ISC)². It's ideal for experienced security practitioners, managers, and executives interested in proving their knowledge in the field. The certification focuses on the operations side of information security and threat response. In simpler terms, CISM certification is solely management-focused, while CISSP is both technical and managerial and designed for security leaders who design, engineer, implement and manage the overall security posture of an organization. Now let's take a look at each one in detail.
CISM vs. CISSP – Requirements
To become eligible for certification as a CISM or CISSP professional, you of course first need to pass the respective examination. What does one need to have in order to do so? We've prepared a list below:
- CISSP: Five (5) years of cumulative paid work experience in two or more of the eight domains of the (ISC)² CISSP common body of knowledge (CBK):
  - Security and Risk Management
  - Asset Security
  - Security Architecture and Engineering
  - Communication and Network Security
  - Identity and Access Management
  - Security Assessment and Testing
  - Security Operations
  - Software Development Security
- Work experience (any one or a combination of the following):
  - Full-time work – one month is equivalent to a minimum of 35 hours/week for four weeks.
  - Part-time work – a minimum of 20 hours to a maximum of 34 hours per week.
    - 1,040 hours of part-time = 6 months of full-time experience
    - 2,080 hours of part-time = 12 months of full-time experience
  - Internship – both paid and unpaid internships are acceptable but require documentation on company/organization letterhead attesting to your position as an intern. If you are interning at a school, the document can be on the registrar's stationery.
- Relevant education or certifications:
  - Candidates may satisfy one (1) year of the required experience by holding one of the following (in effect, you'll then need 4 years of paid work experience):
    - A 4-year degree or regional equivalent, or
    - An approved credential on the (ISC)² approved list.
- CISM: Five (5) years of experience in information security, with at least 3 years of information security management experience in 3 or more of the CISM domains:
  - Information security governance
  - Information risk management
  - Information security program development and management
  - Information security incident management
Can I take the exams first, even if I do not have the required professional work experience?
Yes! It is interesting to note that for both certifications you can actually take the exam without sufficient professional experience. It is a widely accepted practice for prospective CISM candidates to take the exam and later fulfill the required work experience, as long as they apply for the certification within 5 years of having passed the exam.
As for CISSP, you can pass the exam and become an Associate of (ISC)² as you work to earn the required experience. Once fulfilled, you can then begin the online endorsement process, so long as your assertions regarding your professional work experience are true and you maintain good standing within the cyber security industry.
Also, you need to know an (ISC)² endorser to vouch for you in order to complete your CISSP certification.
CISSP vs. CISM – The Exam
What should aspiring CISSP or CISM professionals expect from the respective examinations? Each one uses a different system to test candidates' knowledge against a common body of knowledge and is grounded in one's professional experience.
First off, you can either engage in self-study or take advantage of both certifying associations' offerings of paid review sessions and boot camps to help with preparation. ISACA has a dedicated page to help candidates prepare via self-paced or instructor-led programs. Meanwhile, (ISC)² offers a similar package that should help you get started.
Group review or training sessions are also an option and would be ideal if the certification is a company-sponsored endeavor.
Exam – CISSP:
The CISSP exam contains a minimum of 100 to a maximum of 150 items and must be completed within 3 hours through an advanced testing system called Computerized Adaptive Testing (CAT). In essence, the CAT system is designed to assess a candidate's readiness and overall abilities, and the questions that a candidate receives will be based on how he or she answered the preceding questions.
This means that the CAT gives progressively harder questions to candidates who answer correctly. On the other hand, candidates who get more answers wrong are given easier exam questions and progress to harder ones as they improve. Within the 3-hour duration, candidates will answer questions from the following eight domains (in no particular order).
- Security and risk management – 15%
- Asset security – 10%
- Security architecture and engineering – 13%
- Communication and network security – 14%
- Identity and access management – 13%
- Security assessment and testing – 12%
- Security operations – 13%
- Software development security – 10%
Candidates must achieve a passing score of at least 700 out of 1,000 points. According to (ISC)², if you don't pass the exam on your first attempt, you may retest after 30 exam-free days. If you still don't pass the exam on your second attempt, you may retest after 60 exam-free days from your most recent exam attempt.
Exam – CISM:
The CISM exam is a 4-hour, 150-question exam where candidates must achieve a score of 450 points or higher in order to pass. The exam consists of 150 randomly generated true-or-false and multiple-choice questions. There are four (4) domains on the exam.
- Domain 1 – Information Security Governance – 24%
- Domain 2 – Information Risk Management – 30%
- Domain 3 – Information Security Program Development and Management – 27%
- Domain 4 – Information Security Incident Management – 19%
Candidates must achieve a minimum correct score in these sections in order to pass. However, per ISACA, if you fail the exam you will be able to retake the section(s) that you failed after 12 hours. You may take the exam a maximum of 3 times for no additional assessment fee. Should you fail on the third attempt, you must register again. It's very important for candidates to bear in mind that they mustn't rely solely on their study preparations, as both examinations also draw on their professional experience: most questions will have multiple correct answers, but certain answers will be more suitable in specific scenarios.
CISM vs. CISSP – Costs
Acquiring and maintaining these two certifications is clearly not cheap. It requires members to pay certain fees which are used to maintain the association and its processes, and to uphold the high standards of each certification.
As of this writing, the CISSP exam fee (excluding taxes) is US$699 and may vary depending on the location of the exam. Rescheduling an exam costs US$50 while canceling requires a fee of US$100. As for CISM, the 'early bird' rate is US$525 for ISACA members and US$710 for non-members. Final registration is US$575 for members and US$760 for non-members. Rescheduling or canceling your CISM exam must be done a minimum of 48 hours prior to your original schedule. Otherwise, candidates must take the exam as scheduled or forfeit their registration fees.
Assume a candidate passes the examination, complies with all the requirements for either CISSP or CISM, and becomes officially certified. Do they still have to pay anything? Yes, in fact, both certifications have a corresponding Annual Maintenance Fee (AMF), as follows:
- CISSP – US $125
- CISM – US $45 for ISACA members; US $85 for non-members
(CISM candidates have the option to join ISACA as members for US$135 annually to enjoy benefits which include lower rates for the examination and the AMF, among others.)
The AMF is due each year and is used by both certifying associations for the maintenance and continuous improvement of their procedures and operations, such as:
- Maintenance of current, credible certification examinations
- Maintenance processes related to the certifications
- Research and enhancement on the impact and value of the certification
- Exploring new specialty certifications
In addition, these certifications aren't just about gaining a certificate for the sake of proving the completion of a course; rather, each serves as evidence of recognition for practical knowledge and professional development throughout one's continuing professional experience.
CISSP vs. CISM – Maintenance
Apart from the annual fees, periodic renewal of your certification and upholding good standing within the industry are a must. Those certified with either a CISSP or CISM are also required to maintain a certain amount of Continuing Professional Education (CPE) credit for every three years of certification. Certified professionals may also be randomly selected for a CPE audit, in which they are required to provide supporting documentation for a specific calendar year. The main difference in CPE requirements between the two is that CISM is more flexible than CISSP.
For CISSP, renewal is fulfilled by either retaking the exam or accumulating 120 CPE credits over the next three years, with a minimum of 40 credits earned each year.
CISM requirements are similar: 120 CPE credits every three years, although the schedule is a bit more flexible, with a minimum of 20 credits earned annually. There are numerous ways to earn CPE credits, such as attending cybersecurity webinars, attending conferences, or attending local CISSP or CISM meetings. You may also opt to volunteer for cybersecurity events or mentor other members. Regardless of the certifying association, the main idea behind these requirements is the overall development of the cybersecurity community while emphasizing the value each certification holds.
CISSP vs. CISM – The Numbers (Summary)
| | CISSP | CISM |
|---|---|---|
| Length of Exam | 3 hours (min. 100 to max. 150 items) | 4 hours |
| Passing Score | 700 out of 1,000 | 450 or higher |
| Exam Fee | US$699 | Members: US$575 |
| Annual Membership | N/A | US$135 |
| Annual Maintenance Fee (AMF) | US$125 | Members: US$45; Nonmembers: US$85 |
| Continuing Professional Education (CPE) Requirements | 120 credits over 3 years (minimum of 40 credits/year) | 120 credits over 3 years (minimum of 20 credits/year) |
CISSP vs. CISM – Salary and Job Outlook
The salary for either Certified Information Systems Security Professionals or Certified Information Security Managers is nearly identical.
According to a 2020 Forbes study of the Top 15 IT certifications, CISSPs receive an average of US$141,452 per year (or US$11,788 per month) while CISMs get paid US$148,622 (or US$12,385 per month).
That's nearly three times the median household income in the United States, which was estimated at US$51,219 back in 2019. What's more interesting about the CISSP and CISM career path is that it has nearly zero unemployment. The (ISC)² Cybersecurity Workforce Study found that there's a global cyber workforce shortage of over 2.9 million.
In our in-house survey conducted in our LinkedIn group, CISM and CISSP were voted third and first respectively among the best cybersecurity certifications to get in 2021.
As of January 2021, in the United States alone, there are active job postings on LinkedIn requiring CISSP certification, while there are for CISM. Mary Kyle of Netwrix wrote that there are CISSP-certified members, and ISACA data states that there are CISM-certified members worldwide.
While it may seem that there's a gap between those certified and those in demand, we should understand that those certified in CISSP and CISM are presently employed, and there are combined vacancies that employers are looking to fill in one country alone. Likewise, there's a double-digit projection of increased demand through 2029 for the worldwide cybersecurity industry.
CISSP vs. CISM – What job positions will I get from each?
Okay, so you are now CISM- or CISSP-certified. What jobs should you look out for? What kind of position companies are looking to fill with each of these certifications? Let’s take a look:
Common CISM Job Titles
| Level | Job Titles |
|---|---|
| Entry-level Positions | Systems Analyst, Security Designer Trainee, Security Systems Trainee, Security Auditor Trainee |
| Technical Specialists (Mid-Level Technical) | Security Consultant, Security Product Manager, Security Systems Professional, Information Risk Consultant |
| Technical Managers (Mid-Level Managerial) | Product Manager, Account Sales Manager |
| Expert Level Position (High-Level Technical) | Principal IT Consultant, Senior IT Systems Professional, Senior IT Development Engineer, Senior IT Architect, Senior Information Security Auditor |
| Manager/Director (High-Level Managerial) | Operations Consulting, Systems and Infrastructure, Information and Privacy Risk Consultant |
| Senior Executive Level (Executive C-Level) | Chief Information Officer, Chief Operating Officer, Chief Technology Officer, Chief Information Security Officer, Chief Architecture Officer |
The job titles above were taken from the presentation "Professionalism in Information Security: A Framework for Competency Development" by David Lynas and John Sherwood, both widely respected thought leaders in the cyber security industry and co-founders of The SABSA Institute.
Common CISSP Job Titles
The most common job titles for CISSP are:
- Chief information security officer
- Security systems manager
- Information assurance analyst
- IT security engineer
- Senior IT security consultant
- Senior information security assurance consultant
- Information security assurance analyst
- Chief information security consultant
- Lead cyber security manager
- Senior IT security operations specialist
- Senior information security risk officer
While this non-exhaustive list may seem meager compared to that of CISM, you must know that employers use a very broad range of terms to describe information security positions within their organization.
So which one should I get: CISM or CISSP?
Now, if you are already in (or looking to move into) the information security industry, obtaining some kind of certification is definitely a step in the right direction. This is the most important thing you should consider: It all depends on your long-term career goals.
Always bear in mind that these certifications aren't a one-and-done deal but a pivotal step toward investing in your promising career in the cybersecurity industry. As you've read above, each one requires years of prerequisite preparation and a commitment to continuous professional development within the community. Note that these two certifications are complementary rather than competing, despite their shared objectives and philosophies. Ultimately, each one has a slightly different focus. As we've mentioned before, the main difference between the two is that the CISM certification is more for management-oriented positions such as a CISO or cybersecurity manager, whereas a CISSP certification is both technical and managerial and caters to those who aim to design, engineer, implement and manage the overall security posture of any company or organization.
In other words, CISM is for managers and CISSP is for professionals; it's right there in the title. However, you can even be like some people who get both! If you want both, there's no specific order in which to obtain them. From a practical viewpoint, it can be argued that CISM- or CISSP-certified practitioners aren't necessarily more experienced or knowledgeable than their uncertified cybersecurity industry peers. Experience, industry tenure, and academic background each contribute to a person's performance and knowledge. Like any academic achievement, certifications simply serve as a foundation for an individual and require practical application in order to lead to success.