When considering which certification to pursue between the Certified Information Systems Security Professional (CISSP) and the Certified Information Systems Auditor (CISA), the short answer is…it depends. Both are information security certifications, but they are on opposite ends of a spectrum.
The CISA certification, as its name implies, is about the audit of information systems. The CISSP is focused on the implementation, operation and maintenance of secure information systems. There is a slight overlap in content, but the primary focus is different. Both certifications are highly regarded by the industry, but each validates a different skillset, so it comes down to the kind of job being sought in the cybersecurity field – IT audit, or information security.
The Information Systems Audit and Control Association (ISACA) has been around longer, incorporated in 1969, with 118,000 CISA certified professionals worldwide. Like ISACA, the International Information System Security Certification Consortium, or ISC2 which began in 1988 is also a non-profit. The CISSP was launched in 1994 has 136,428 certified professionals worldwide. This difference in numbers is likely due to the highly specialized nature of the CISA as compared with the CISSP. The CISSP certification is said to be “10 miles wide and an inch deep,” meaning its domains cover the breadth of cybersecurity. This makes the CISSP applicable to nearly any job in the field, as opposed to the CISA certification which is suited to IT auditors only.
Both certifications have a 5-year minimum experience requirement, annual membership dues and continuing professional education (CPE) requirements to maintain certified status. ISACA charges $230 per year ($135 membership dues+ $50 mandatory local chapter dues+$45 per certification), while ISC2 charges $135 per year, regardless of how many certifications are held. SC Magazine named ISC2 CISSP “2019 Best Professional Certification Program”.
As far as salary goes certified CISSP’s make between $74K – 120K, and certified CISA’s make between $53K – 122K. You can see both paths have many similarities, the greatest difference is their focus. If you seek a job as an IT auditor – the CISA is a must. For most jobs in the cybersecurity field, the CISSP is your best bet first, then add the CISA to enhance future opportunities.
When deciding which certification or certifications to pursue, think about your short- and long-term goals. Download the Ultimate Guide to the CISSP as part of your education.