CISM vs CISSP – Which Certification is Recommended for You

People get certified for many reasons, but a few are common: it can lead to a promotion, it can earn you a salary raise, it lets you branch into a new specialized career, and it helps you stand apart from the crowd so that recruiters immediately recognize your skills.

If you are an IT professional, you can have a look at our collection of the best IT security certifications. Two of the most respected and popular certifications related to information security are CISSP and CISM. We will give a brief overview of both, then compare CISSP vs CISM, weigh their strengths and weaknesses, and recommend which security certification is best for you. You can also compare CISA vs CISSP.

CISM Certification

ISACA administers CISM along with other popular certifications such as CISA and CRISC. You may also want to know the difference between CISA and CISM. The only CISM prerequisite is that you hold a graduate degree, which can be in any major. The CISM exam covers the following domains (the exam weighting of each is given beside it):

  • Information Security Governance – 24 percent of the exam
  • Information Risk Management and Compliance – 33 percent of the exam
  • Information Security Program Development and Management – 25 percent of the exam
  • Information Security Incident Management – 18 percent of the exam

For CISM training, it is recommended that you buy the latest ISACA CISM Review Manual and also the questions and answers database. In my personal view, it is quite possible to prepare for the exam at home, but many training opportunities are also available.

How difficult is the CISM exam?

The CISM passing score is a scaled score of 450. The exam has 150 questions and lasts four hours. However, it is not a very difficult exam, because it is not loaded with operational-level IT questions. For someone coming from a managerial background, the technical information technology questions are not very challenging.

The next question is usually about the cost of CISM certification. The exam itself is priced at $575 for ISACA members and $760 for non-members. ISACA membership costs $135 and brings many benefits, including an immediate reduction in the exam fee. So if you want to go for CISM, it is a no-brainer to start with ISACA membership.

To maintain CISM certification you will have to complete 120 CPE (continuing professional education) hours over a three-year cycle, with a minimum of 20 hours in any single year. Along with that, you will pay an annual certification maintenance fee of $45 as an ISACA member and $85 if you are not a member.

According to the PayScale website, the average annual CISM salary is $124k. According to ISACA, more than 27,000 people have earned CISM since its inception.

CISSP Certification

(ISC)2 is a non-profit that manages the Certified Information Systems Security Professional (CISSP) certification. More than 136,000 people hold this designation. The exam covers the following eight domains of knowledge:

  • Security Risk Management – 15%
  • Asset Security – 10%
  • Security Architecture and Engineering – 13%
  • Communication and Network Security – 14%
  • Identity and Access Management – 13%
  • Security Assessment and Testing – 12%
  • Security Operations – 13%
  • Software Development Security – 10%

The CISSP exam lasts 3 hours, with between 100 and 150 questions; you need to score 700 out of 1000, so the CISSP passing score is 70%. The exam itself costs $699, and you pay $125 annually to maintain your CISSP. As with CISM, you must complete 120 hours of continuing professional education over a three-year cycle.

According to PayScale data, the average CISSP salary is $110k.

(ISC)2 also offers a more technical certification, the SSCP (Systems Security Certified Practitioner). You may also like to compare SSCP vs CISSP to decide whether you want a purely technical certification or a management-focused credential.

We begin with the similarities when comparing CISM vs CISSP. Both certifications are well respected in the industry. Both are targeted at leadership and management positions. Both require 5 years of experience before you get certified; of course, prior experience counts.

However, there are clear differences too. As the names suggest, CISM is geared more towards information security managers, whereas CISSP is for those in a leadership or managerial role within a technical position.

The CISSP exam also tests you in more areas, and you will need a blend of technical and management knowledge to ace it. Expect the CISSP exam to be tougher than CISM on technical details.

In short, both are excellent certifications to pursue. If your work involves developing security solutions and other technical work, CISSP is the recommended choice; for managerial positions, CISM is a good choice. Now it is your decision whether to become CISM or CISSP certified.
