CISM vs CISSP – What is the difference?
There are many cyber security certifications, but two of the most recognized are the CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager). What most people want to know, however, is “which one is better?” In this blog post, we will answer that, along with other questions like “which one costs more?”, “what are the requirements for each course?” and “which one will get me the best job!?”
But before jumping to the differences, let us point out a couple of similarities between the two. Both CISSP and CISM are vendor-neutral and offered by independent, non-profit organizations. They draw on the most current knowledge in the industry to provide deep, comprehensive training in understanding and responding to information security threats. Additionally, if you work in government and are seeking these certifications, both meet the requirements of the U.S. Department of Defense (DoD) Directive 8570. Moreover, both ranked highly in our survey of 90,000 information security professionals about the best cyber security certifications in 2021.
Table of Contents:
- CISSP vs. CISM – Requirements
- CISSP vs. CISM – The Exam
- CISM vs. CISSP – Costs
- CISSP vs. CISM – Maintenance
- CISSP vs. CISM – The Numbers (Summary)
- CISSP vs. CISM – Salary and Job Outlook
- CISSP vs. CISM – What job positions will I get from each?
- So which one should I get, CISM or CISSP?
- Interested in getting the CISSP or CISM certification? Use our Promo Code for Discounted Pricing
Let’s get one thing out of the way – neither CISSP nor CISM is for IT beginners. Both are highly sought-after across the infosec industry and are known for their stringent prerequisites: a specific amount of documented work experience, an exam tested against a standard body of knowledge, and CPE (Continuing Professional Education) credits to keep the certification.
Offered by ISACA (Information Systems Audit and Control Association), CISM is an advanced certification which indicates that an individual possesses the knowledge and experience required to develop and manage an enterprise information security program. It also emphasizes the relationship between information security and the business goals of the enterprise.
CISSP is also an advanced certification, but is provided by (ISC)2. It is ideal for experienced security practitioners, managers and executives interested in proving their knowledge in the field. The certification focuses on the operations side of information security and threat response.
In simpler terms, CISM certification is solely management-focused, while CISSP is both technical and managerial and designed for security leaders who design, engineer, implement and manage the overall security posture of an organization.
Now let’s take a look at each one in detail.
CISSP vs. CISM – Requirements
To become certified as a CISSP or CISM professional you must, of course, first pass the respective exam. What else does one need in order to proceed? We’ve prepared a list below, CISSP first, then CISM:
- Five (5) years cumulative paid work experience in two or more of the eight domains of the (ISC)2 CISSP common body of knowledge (CBK):
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
- Work experience (any or combination of the following):
- Full-time work – one month is equivalent to a minimum of 35 hours/week for four weeks.
- Part-time work – minimum 20 hours to maximum 34 hours per week.
- 1040 hours of part-time = 6 months of full time experience
- 2080 hours of part-time = 12 months of full time experience
- Internship – both paid and unpaid internships are acceptable but require documentation on a company/organization letterhead confirming your position as an intern. If you are interning at a school, the document can be on the registrar’s stationery.
- Relevant education or certifications:
- A candidate may satisfy one (1) year of the required experience through holding one of the following (in effect, you will then need 4 years of paid work experience; the waiver is capped at one year in total, so a degree and a credential do not stack):
- 4 year-degree or regional equivalent or;
- Approved credential on the (ISC)² approved list.
- Five (5) years of information security work experience, with at least 3 years of information security management experience in 3 or more of the CISM domains:
- Information security governance
- Information risk management
- Information security program development and management
- Information security incident management
Can I take the exams first, even if I do not have the required professional work experience?
Yes! It is interesting to note for both certifications that you can actually take their exams without sufficient professional experience.
ISACA lets prospective CISM candidates sit the exam first and fulfil the work-experience requirement afterwards, as long as you apply for the certification within 5 years of passing the exam.
As for CISSP, you can pass the exam and become an Associate of (ISC)2 as you work to earn the required experience. Once fulfilled, you can then begin the online endorsement process so long as your assertions regarding your professional work experience are true and you maintain a good standing within the cyber security industry.
Additionally, to complete your CISSP certification you need an endorser: an (ISC)² member in good standing who can attest to your professional experience. If you don’t know one, (ISC)² itself can act as your endorser, which takes longer because they verify your experience directly.
CISSP vs. CISM – The Exam
What should aspiring CISSP or CISM professionals expect about the respective exams? Each one uses a different method to test a candidate’s corresponding knowledge against a common body of knowledge and based on one’s professional experiences.
First off, you can either self-study or take advantage of the paid review sessions and training camps that both certifying organizations offer to help with preparation.
Group review or training sessions are also an option and would be ideal if the certification is a company-sponsored endeavor.
Exam – CISSP:
The CISSP exam (in its English-language form) contains a minimum of 100 and a maximum of 150 items and must be completed within 3 hours using Computerized Adaptive Testing (CAT).
In essence, the CAT method is designed to assess a candidate’s readiness and overall abilities and the questions that a candidate receives will be based on how he or she answers the preceding questions.
It just means that the CAT gives progressively harder questions to candidates who answer them correctly. On the other hand, candidates who incur more wrong answers are then given easier test questions and progress to harder ones as they improve.
Within the 3-hour duration, candidates will answer questions from the following eight domains (in no particular order):
- Security and risk management – 15%
- Asset security – 10%
- Security architecture and engineering – 13%
- Communication and network security – 14%
- Identity and access management – 13%
- Security assessment and testing – 12%
- Security operations – 13%
- Software development security – 10%
Candidates must receive at least a passing score of 700 out of 1,000 points.
According to (ISC)2, if you don’t pass the exam on your first attempt, you may retest after 30 test-free days. If you still don’t pass the exam on your second attempt, you may retest after 60 test-free days from your most recent exam attempt.
Exam – CISM:
The CISM exam is a 4-hour, 150-question test where candidates must achieve a score of 450 points or higher in order to pass.
The exam consists of 150 multiple-choice questions drawn from ISACA’s question bank. There are four (4) domains on the exam:
- Domain 1 – Information Security Governance – 24%
- Domain 2 – Information Risk Management – 30%
- Domain 3 – Information Security Program Development and Management – 27%
- Domain 4 – Information Security Incident Management – 19%
The 450 is a single scaled score (on ISACA’s 200–800 scale) computed across all four domains; there is no separate per-domain minimum, although ISACA reports your result per domain so you can see where you were weak.
If you fail, you retake the whole exam rather than individual domains, and each attempt requires a new registration and exam fee. ISACA imposes a waiting period between attempts and caps the number of attempts in a rolling 12-month period, so check the current retake policy on ISACA’s site before re-registering.
It is very important for candidates to bear in mind that study preparation alone is not enough: both examinations draw on professional experience. Most questions offer several technically correct answers, and the test rewards the one that is most appropriate in the given scenario (the “best” answer, not merely a correct one).
CISM vs. CISSP – Costs
Acquiring and maintaining these two certifications is certainly not cheap. It requires members to pay certain fees which are used to maintain the organization, its processes and in order to uphold the high standards of each certification.
As of this writing, the CISSP exam fee (excluding taxes) costs US$699 and may vary depending on the location of the exam. Rescheduling an exam costs US$50 while cancelling requires a fee of US$100.
As for CISM, the ‘early bird’ rate is US$525 for ISACA members and US$710 for non-members. Final registration is US$575 for members and US$760 for non-members.
Rescheduling or cancelling your CISM exam must be done a minimum of 48 hours prior to your original schedule. Otherwise, candidates must take the exam as scheduled or forfeit their registration fees.
Assume a candidate passes the exam, complies with all the requirements for either CISSP or CISM and becomes officially certified. Do they still have to pay anything? Yes: both certifications carry an Annual Maintenance Fee (AMF), as follows:
- CISSP – US$125
- CISM – US$45 for ISACA members; US$85 for non-members
(CISM certificate candidates have the option to join ISACA membership for US$135 annually to enjoy benefits which include lower rates for examination, AMF, among others.)
The AMF is due each year and is used by both certifying organizations for maintenance and continuous improvement of their procedures and operations such as:
- Maintenance of current, credible certification examinations
- Maintenance processes related to the certifications
- Research and improvement on the impact and value of certification
- Exploring new specialty certifications
In addition, these certifications are not about gaining a certificate merely to prove completion of a course; rather, they serve as recognition of practical knowledge and of ongoing professional development throughout one’s career.
CISSP vs. CISM – Maintenance
Apart from the annual fees, periodic renewal of your certification and upholding good standing within the industry are a must. Those certified with either a CISSP or CISM are required to earn a set number of Continuing Professional Education (CPE) credits in every three-year certification cycle.
Certified professionals may be randomly selected for a CPE audit, in which they must provide supporting documentation for a specific calendar year, so keep certificates of attendance, receipts and agendas for everything you claim.
The totals are the same for both; the difference is in the annual pacing.
For CISSP, renewal is accomplished by either retaking the exam or accumulating 120 CPE credits over the three-year cycle; (ISC)² suggests a pace of 40 credits per year to avoid a crunch at the end of the cycle.
For CISM, the requirement is likewise 120 CPE credits over three years, but ISACA enforces a hard minimum of 20 credits earned and reported in each year of the cycle.
There are numerous ways to earn CPE credits, such as attending cybersecurity webinars, attending conferences or local (ISC)² or ISACA chapter meetings. You may also volunteer for cybersecurity events or mentor other members.
Regardless of the certifying organization, the main idea for instituting these requirements is for the overall development of the cybersecurity community while emphasizing the value each certification holds.
CISSP vs. CISM – The Numbers (Summary)
| | CISSP | CISM |
|---|---|---|
| Length of exam | 3 hours | 4 hours |
| Number of items | Min. 100 to max. 150 (adaptive) | 150 |
| Passing score | 700 out of 1,000 | 450 or higher |
| Exam fee | US$699 | Members: US$575; Non-members: US$760 (final registration) |
| Annual membership | N/A | US$135 |
| Annual Maintenance Fee (AMF) | US$125 | Members: US$45; Non-members: US$85 |
| Continuing Professional Education (CPE) requirements | 120 credits over 3 years (40 credits/year suggested) | 120 credits over 3 years (minimum 20 credits/year) |
CISSP vs. CISM – Salary and Job Outlook
The salaries for Certified Information Systems Security Professionals and Certified Information Security Managers are nearly identical.
According to a 2020 Forbes study of the Top 15 IT certifications, CISSPs receive an average of US$141,452 yearly (or US$11,788/month) while CISMs get paid US$148,622 (or US$12,385/month).
That’s almost three times the median household salary in the United States which was computed at US$51,219 back in 2019.
What’s more interesting about the CISSP and CISM career path is that it has virtually zero unemployment. The (ISC)2 Cybersecurity Workforce Study found a global cyber workforce shortage of over 2.9 million.
There are currently 37,393 active job postings in LinkedIn requiring CISSP certification while there are 4,753 for CISM as of January 2021 just in the United States.
Mary Kyle of Netwrix wrote that there are 140,000 CISSP-certified members and ISACA data states that there are 32,000 CISM-certified members worldwide.
While the number of certified professionals may seem to exceed the number of openings, bear in mind that those already holding a CISSP or CISM are largely employed, and that the 42,146 combined vacancies above are what employers are looking to fill in one country alone.
Furthermore, there is a double-digit projection in increased demand until 2029 for the worldwide cybersec industry.
CISSP vs. CISM – What job positions will I get from each?
Okay, so you are now CISM- or CISSP-certified. What jobs should you look out for? What kinds of positions are companies looking to fill with each of these certifications? Let’s take a look:
Common CISM Job Titles
| Level | Job titles |
|---|---|
| Entry-level positions | Systems Analyst; Security Designer Trainee; Security Systems Trainee; Security Auditor Trainee |
| Technical specialists (mid-level technical) | Security Consultant; Security Product Manager; Security Systems Professional; Information Risk Consultant |
| Technical managers (mid-level managerial) | Product Manager; Account Sales Manager |
| Expert-level positions (high-level technical) | Principal IT Consultant; Senior IT Systems Professional; Senior IT Development Engineer; Senior IT Architect; Senior Information Security Auditor |
| Manager/Director (high-level managerial) | Operations Consulting; Systems and Infrastructure; Information and Privacy Risk Consultant |
| Senior executive level (C-level) | Chief Information Officer; Chief Operating Officer; Chief Technology Officer; Chief Information Security Officer; Chief Architecture Officer |
The above-mentioned job titles were taken from the presentation “Professionalism in Information Security: A Framework for Competency Development” by David Lynas and John Sherwood – both are highly-respected thought leaders in the cyber security industry and co-founders of the SABSA Institute.
Common CISSP Job Titles
The most common job titles for CISSP are:
- Chief information security officer
- Security systems administrator
- Information assurance analyst
- IT security engineer
- Senior IT security consultant
- Senior information security assurance consultant
- Information security assurance analyst
- Chief information security consultant
- Principal cyber security manager
- Senior IT security operations specialist
- Senior information security risk officer
While this non-exhaustive list may seem meager compared to that of CISM, bear in mind that employers use a very broad range of terms to describe information security positions within their organizations, so search on the skills and domains rather than the exact title.
So which one should I get: CISM or CISSP?
Now, if you are already in (or looking to move into) the information security industry, obtaining some kind of certification is definitely a step in the right direction.
This is the most important thing you should consider: It all depends on your long-term career goals.
Always bear in mind that these certifications are not a one-and-done deal but crucial steps toward investing in your promising career in the cybersecurity industry. As you’ve read earlier, each one requires years of prerequisite preparation and a commitment to continuous professional development within the community.
Note that these two certifications are complementary, rather than competing despite their shared objectives and philosophies. Ultimately, each one has a slightly different focus.
Similar to what we’ve mentioned earlier, the main difference between the two is that CISM certification is more for management-oriented positions such as a CISO or cybersec executive whereas a CISSP certification is both technical and managerial and caters to those who aim to design, engineer, implement and manage the overall security posture of any company or organization.
In other words, CISM is for managers and CISSP is for pros – it’s right there in the title.
If you want, you can even be like some people who get both! There is no specific order for which one to obtain first.
From a practical standpoint, it can be argued that CISM- or CISSP-certified practitioners are not necessarily more experienced or knowledgeable than their uncertified cybersec industry peers.
Experience, industry tenure and academic background all contribute to a person’s performance and knowledge. Like any academic achievement, certifications merely serve as a foundation for an individual and require practical application in order to meet success.