CISSP or CISM?

To help you decide which credential is right for you, consider these key points of comparison.

Both the (ISC)2 Certified Information Systems Security Professional (CISSP) and ISACA Certified Information Security Manager (CISM) are highly sought-after IT security certifications. Each provides a common body of knowledge for information security professionals and managers around the globe. Both are vendor-neutral, require 5 years of experience in information security management to achieve, and mandate completion of continuing education to maintain.

How are they different? From a competitive perspective, the CISSP and CISM complement rather than directly compete with one another. The CISM certification is solely management-focused, while the CISSP is both technical and managerial and is designed for security leaders who design, engineer, implement and manage the overall security posture of an organization. The CISSP is more widely known than the CISM, with 136,428 CISSPs globally, compared with 28,000 CISMs.

Job Roles and Titles

Both certifications cover managerial topics. However, the CISSP is both managerial and technical, requiring a breadth and depth of technical and managerial knowledge, skills, and abilities relevant for a range of positions including security consultant, security manager, IT director/manager, security auditor, security architect, security analyst, security systems engineer, CISO, director of security, and network architect.

The CISM certification targets experienced information security managers and those with information security management responsibilities, including information security managers, aspiring information security managers, IS/IT consultants and CIOs.

Domains of Knowledge

The CISSP covers eight domains that are technically oriented and address critical security topics in depth:
Domain 1. Security Risk Management (15%)
Domain 2. Asset Security (10%)
Domain 3. Security Architecture and Engineering (13%)
Domain 4. Communication and Network Security (14%)
Domain 5. Identity and Access Management (13%)
Domain 6. Security Assessment and Testing (12%)
Domain 7. Security Operations (13%)
Domain 8. Software Development Security (10%)

The CISM certification covers four domains that focus on governance and management:
Domain 1. Information Security Governance (24%)
Domain 2. Information Risk Management and Compliance (33%)
Domain 3. Information Security Program Development and Management (25%)
Domain 4. Information Security Incident Management (18%)

Earning Potential

According to the (ISC)2 Cybersecurity Workforce Study 2018, those who hold security certifications earn an average annual salary of U.S. $88K, compared with about $67K among those who don’t. Opinions vary across salary surveys about which certification commands the highest total earning potential, so bear in mind the source – and your own experiences – to make an informed evaluation.

In terms of your time and financial investment (or that of your employer), here’s a breakdown for each certification.

By the Numbers

                      CISSP                       CISM
Length of Exam        3 hours/100-150 items       4 hours/150 questions
Passing Score         700 out of 1,000            450 or higher
Exam Fee              U.S. $699                   Members: U.S. $575; Nonmembers: U.S. $760
Annual Membership     N/A                         U.S. $135
Annual Maintenance    U.S. $125                   Members: U.S. $45 (with $135 membership fee); Nonmembers: U.S. $85
CPEs                  120 credits over 3 years    120 hours over 3 years


When deciding which certification or certifications to pursue, bear in mind your short- and long-term goals. Download the Ultimate Guide to the CISSP as part of your education.