CISM vs. CISSP Certification: Which One is Best for You?


It’s a perfect time to be CISM or CISSP certified, or have any cybersecurity certification: according to Gartner, the unemployment rate for cybersecurity professionals is zero – as in there isn’t an unemployment rate. In fact, there are more jobs than qualified candidates, and the job postings stay open for a long time.

CISM and CISSP are two of the most highly regarded certifications for cybersecurity leaders and practitioners, but their requirements aren’t trivial. Both require a significant investment of time and money – so it’s important to determine which is right for you. Take a look at our comparison of the two below to help you make a decision.

CISM (Certified Information Security Manager)

CISM (pronounced siz-zm) is a certification offered by ISACA that validates your knowledge and expertise in managing enterprise information security teams. Getting CISM certified puts you in high demand with employers around the world that recognize the achievement and capability CISM certification represents. CISM shows that you have an all-around knowledge of technical competence and an understanding of business objectives around data security.

Becoming CISM certified is a multi-step process. You need a passing score on the CISM exam, which is a 200-question multiple-choice test that covers these topics:

  • Information security management
  • Information risk management and compliance
  • Information security program development and management
  • Information security incident management

You also need a minimum of 5 years of information security work within the 10 years prior to your certification, and 3 of those 5 years need to be in management. There are some acceptable substitutions – a CISSP certification, for example, can count as 2 years of experience.

And lastly, there is a continuing education policy. To maintain your certification, you need 20 CPE credits per year, 120 CPEs over 3 years, and a commitment to adhere to a Code of Professional Ethics.

ISACA offers CISM exam prep materials and sample questions for sale on its website. It also runs training events and exam bootcamps all over the world.

CISSP (Certified Information Systems Security Professional)

CISSP (pronounced C-I-S-S-P) is another highly regarded information security certification, offered by (ISC)2. CISSP certification proves you have the expertise to design, implement, and manage a cybersecurity program.

Similar to CISM, CISSP is a certification typically geared towards experienced security practitioners in management or executive positions, but also pursued by experienced security analysts and engineers. CISSP certified analysts are in high demand and highly paid compared to other IT certifications.

The CISSP certification process requires that you meet several criteria: first, you need to pass a candidate background check. You also need 5 years of experience as a security professional in 2 of the 8 domains in the (ISC)2 Critical Body of Knowledge (CBK). Those areas are:


  • Security and risk management
  • Asset security
  • Security engineering
  • Communication and network security
  • Identity and access management
  • Security assessment and testing
  • Security operations
  • Software development security

If you do not satisfy the work experience requirement, you can join as an Associate of (ISC)2, which requires a shorter test and qualifies you for ongoing training as a member of (ISC)2. This program is a good intermediate step towards a full CISSP.

Assuming you have the appropriate work experience, you then need to pass a 250-question test within a 6-hour time limit. (ISC)2 updated the exam in April of 2018, but not so much that the older preparation materials are outdated. The test includes questions from all 8 domains of the CBK.

Once you pass the test, you need an endorsement from a current (ISC)2 member in good standing. Hopefully, you know a current CISSP.

To maintain your certification, you need to maintain your membership status with (ISC)2. Members must pay their annual membership fees and earn 120 CPEs per 3 years.

CISM or CISSP? Which is Best for Me?

If you are in infosec or looking to move into infosec, it’s a good idea to get some kind of certification. Which one you get first depends on several factors. Some people get both. Most people get CISSP first and then get their CISM afterwards, but it doesn’t make a difference what order you get them. Here are a few other factors that might help you make a decision:

  • Salaries are comparable between the two certifications
  • There are 8,906 CISM jobs listed on LinkedIn
  • There are 21,714 CISSP jobs listed on LinkedIn

CISM and CISSP both require a certain number of CPE credits to maintain your certification. There are several ways you can earn CPE credits – you can attend webinars on cybersecurity topics, attend conferences, or attend local CISSP or CISM meetings. You can also earn credits by volunteering for some cybersecurity events and mentoring other members. CISM and CISSP each have their own CPE guidance; familiarize yourself with it, and treat the ongoing commitment to maintain your certification as part of the decision on which path to follow.

Varonis provides free security training, including several CPE-eligible video courses that cover a range of topics – from PowerShell and Active Directory Essentials with Adam Bertram to Web Security Fundamentals with Troy Hunt. We also run CPE-eligible webinars throughout the year, with topics on Insider Threats, GDPR compliance, HIPAA compliance, Office 365 Security Best Practices, Securing Active Directory, and more.

Probably the most important question you need to ask is “what are your long term career goals?” Are you looking to become a CISO or infosec executive? You should look into CISM. Are you planning on a long career as a security engineer? CISSP might be the better choice. It’s not uncommon to get one and complete the other certification at a later time.

Regardless of which certification you choose to pursue, you are doing both yourself and your infosec career a huge favor. Both options open the door to salary advancement, new positions, and new professional challenges. Whether you start with CISM or CISSP, you can be confident you’re making a sound career decision.
