CISM vs CISSP: Where to Start
If you plan on a career in information security, the chances are high that you'll eventually become either a Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM).
A small number of people go on to earn both: in this case, the typical progression is to pursue a CISSP first and a CISM second. That doesn't mean that one is a foundation for the other. Each certification has a distinct focus, and understanding the effect each will have on your career will determine which is a better fit for you.
CISM vs CISSP: An Overview
Both certifications have a stringent set of prerequisites, encompassing years of experience in specific fields and particular specializations. Familiarizing yourself with them now will allow you to focus on your career development between now and signing up for the exam.
- CISSP requires a minimum of five years of cumulative paid work experience in two or more of the eight domains covered by CISSP. Education achievements (e.g., a bachelor's degree in a related field or one of a list of approved certifications) can satisfy no more than one year of this.
- CISM requires a minimum of five years of experience in information security, with a minimum of three years in information security management. The latter requirement cannot be siloed and must cover at least three of the job practice analysis areas.
Very few cybersecurity professionals begin in security; the vast majority of us start our careers in various areas of IT, become experts in that field, and then move into related security-focused arenas. If you're in the beginning stages of your career, don't let a lack of security experience discourage you. Make a note of where you want to end up, then list the steps you need to take between here and there.
Volunteering for additional duties that will give you more exposure to security issues in your current position is an excellent way to start. If you transition to a new job, express your desire to be involved in these areas when interviewing: it will demonstrate that you're intentional, career-focused, and goal-oriented.
Your Security Career: Choosing CISM or CISSP
The CISSP and CISM are not competing certifications. They're complementary. Each is intentionally designed for a certain sector of cybersecurity professionals, and understanding the role that each plays at advanced career stages is the first step toward identifying which is best for you.
The emphasis of CISSP is both technical and managerial. It typically attracts those who have director of security, IT director/manager, network architect, security analyst, security architect, security auditor, security consultant, or security systems engineer backgrounds. If you want to continue interacting with the technical side throughout your career, the CISSP is more geared toward your interests. Because of its broader focus on technical competencies, it comprises eight domains versus the four covered by CISM.
A CISM certification dials in on the management side of cybersecurity. It draws from the ranks of information security managers and those who have information security management responsibilities, even if information security manager isn't their job title. While earning a CISM requires a high degree of technical competence, it is designed to reflect leadership within security management rather than someone who will be a senior-level "wrench-turner." All four of the CISM domains emphasize either governance or administration.
You don't have to lock either certification in stone at an early stage; even if you're midway through your career, you still have time to change directions if you find that another area is a better fit for you. Knowing how each certification differs will simply allow you to be intentional about any adjustments you make.
Specifically focus on what interests you the most. As you explore that area, you'll either be drawn deeper into it or decide that you should try another approach.
Your Salary Will Be Higher: CISSP or CISM
Salary ranges vary substantially by years of experience, job title, and location, so keep in mind that anything we cover here will be ballpark figures. That being said, it's helpful to have a rough estimate of what each certification will do for your bottom line.
CISSP is widely recognized as one of the most valuable certifications an IT professional can achieve. Those who have this certification earn an average of nine percent more than their non-CISSP counterparts, and this can be as much as twenty percent higher in some regions of the world. Professionals who earn a CISM can make as much as 12 percent more than counterparts who don't hold this certification.
Although it's fairly common to receive a small pay bump right after receiving your certification, depending on your employer, don't expect the salary floodgates to open and drown you in cash immediately. The real value of these certs is what they can do for your career, opening the door to certain positions and development pathways that wouldn't have been available to you otherwise. For this reason, it behooves you to pursue either a CISSP or CISM earlier rather than later.
We want to be careful in what we're saying here: We're not telling you that there's a ticking clock and you need to apply tremendous pressure to yourself to knock this out at the earliest possible opportunity. The cybersecurity field isn't going anywhere but up, and you have plenty of time to figure out what niche is the best fit for you. What we're saying is that the more intentionally you approach your career, the more efficiently you'll knock out each prerequisite and consistently build on the foundation you've laid, which will result in a progressively increasing pay scale.
As far as raw numbers of certified professionals go, approximately 137,000 (ISC)2 members hold the CISSP certification worldwide, with more than 87,000 of those residing in North America. The CISM certification is quite a bit rarer, with only 23,000 professionals holding it worldwide.
This doesn't reflect as much on the value or difficulty of the cert as it does on the particular emphasis of each. Because the CISSP is designed for those who are engaged in the hands-on side of cybersecurity and CISM is exclusively focused on management, it makes sense that there would be six times as many CISSPs as CISMs.
CISSP or CISM Exam Costs
The exams for both certifications are extensive, ranging between three and four hours and covering 100 to 150 questions across as many as eight domains. While your career has prepared you for the majority of the material that the test covers, it's always a good idea to take a preparation course to familiarize yourself with the format and ensure that you get spun up in any weak areas. It's also a good investment: each exam attempt will cost you between $415 USD (cheapest pricing for CISM) and $699 USD (CISSP), and a month of exam prep can cost as little as $59 USD.
CISSP: What's Next?
After you earn the CISSP, you must remain a member in good standing with (ISC)2 and renew your certification every three years. Renewal is accomplished by either retaking the CISSP exam or accumulating 120 continuing professional education (CPE) credits over the next three years, with a minimum of 40 credits earned each year. CISM requirements are similar: 120 CPE credits every three years, although the schedule is a bit more flexible, with a minimum of 20 credits earned annually.
Both ISACA and (ISC)2 have similar goals in instituting these requirements: they're less interested in providing a one-time piece of paper than they are in contributing to the overall development of cybersecurity worldwide.
Requiring that you continually engage in professional development within the cybersecurity realm bolsters overall community strength and also underscores the value of each certification. This mindset should guide your entire security career, from deciding which certification is right for you to developing the individual building blocks that will lead you to the exam itself.
The Choice: CISSP for Pros, CISM for Managers
CISSP and CISM are complementary, not competing certifications. Although they have shared objectives and philosophies, they each have unique focuses: the CISSP targets cybersecurity professionals who are interested in designing, programming, and implementing technical solutions, while the CISM is geared toward information security management.
These certifications aren't a one-and-done deal, but instead are crucial steps toward investing in your career as a cybersecurity professional. They require years of prerequisite preparation and a commitment to continually engaging with the security community.
The value to your career, salary, and the IT world at large is not so much a destination as it is a doorway, opening avenues that will lead you to higher pay, greater job satisfaction, and an increased ability to keep legitimate businesses and organizations safe from virtual threats.