To help you decide which credential is right for you, consider these key points of comparison.

Both the ISC2 Certified Information Systems Security Professional (CISSP) and ISACA Certified Information Security Manager (CISM) are highly sought-after IT security certifications. Each provides a common body of knowledge for information security professionals and managers around the globe. Both are vendor-neutral, require five years of professional information security experience to achieve, and mandate continuing education to maintain.

How are they different? The CISSP and CISM complement rather than directly compete with one another. The CISM is solely management-focused, while the CISSP is both technical and managerial, designed for security leaders who design, engineer, implement and manage the overall security posture of an organization. The CISSP is also more widely held than the CISM, with 136,428 CISSPs globally compared with 28,000 CISMs.

Job Roles and Titles

Both certifications cover managerial topics. However, the CISSP is both managerial and technical, requiring a breadth and depth of technical and managerial knowledge, skills, and abilities relevant for a range of positions including security consultant, security manager, IT director/manager, security auditor, security architect, security analyst, security systems engineer, CISO, director of security, and network architect.

The CISM certification targets experienced information security managers and those with information security management responsibilities, including information security managers, aspiring information security managers, IS/IT consultants and CIOs.

Domains of Knowledge

The CISSP covers eight domains, most of them technically oriented, that address critical security topics in depth (exam weighting in parentheses):
Domain 1. Security and Risk Management (15%)
Domain 2. Asset Security (10%)
Domain 3. Security Architecture and Engineering (13%)
Domain 4. Communication and Network Security (13%)
Domain 5. Identity and Access Management (13%)
Domain 6. Security Assessment and Testing (12%)
Domain 7. Security Operations (13%)
Domain 8. Software Development Security (11%)

The CISM certification covers four domains that focus on governance and management (exam weighting in parentheses):
Domain 1. Information Security Governance (24%)
Domain 2. Information Risk Management and Compliance (33%)
Domain 3. Information Security Program Development and Management (25%)
Domain 4. Information Security Incident Management (18%)

Earning Potential

According to the ISC2 Cybersecurity Workforce Study 2018, those who hold security certifications earn an average annual salary of U.S. $88K, compared with about $67K among those who don’t. Opinions vary across salary surveys about which certification commands the highest total earning potential, so bear in mind the source – and your own experiences – to make an informed evaluation.

In terms of your time and financial investment (or that of your employer), here’s a breakdown for each certification.

By the Numbers

                    CISSP                          CISM
Length of Exam      3 hours / 100-150 items        4 hours / 150 questions
Passing Score       700 out of 1,000               450 or higher (on a 200-800 scaled score)
Exam Fee            USD 749 / EUR 665 / GBP 585    Members: U.S. $575; Nonmembers: U.S. $760
Annual Membership   N/A                            U.S. $135
Annual Maintenance  U.S. $135                      Members: U.S. $45 (with $135 membership fee); Nonmembers: U.S. $85
CPEs                120 credits over 3 years       120 hours over 3 years

Note that the two passing scores are on different scales and cannot be compared directly.

When deciding which certification or certifications to pursue, bear in mind your short- and long-term goals. Download the Ultimate Guide to the CISSP as part of your education.