Difference Between CISSP and CISM

Technical certifications are in great demand these days, particularly those that focus on information security. Some certification programs are narrowly scoped to a single technology or software package and may require candidates to demonstrate hands-on skills by performing tasks in a controlled environment; others, including the two discussed here, are vendor-neutral and cover the broader practice of securing an organization. Many well-known certifications address information security management and practice, but two dominate the category: CISSP and CISM. Let's take a look at each.

What is CISM?

The CISM, or Certified Information Security Manager, is a certification for information security managers, aspiring managers and security consultants. It was developed and is sponsored by ISACA (the Information Systems Audit and Control Association). It is much less a technical certification and much more about how information security professionals support the business. The CISM suits those who want to manage, design, oversee or assess an organization's information security program, and it is designed specifically for experienced security managers and people who already hold information security management responsibilities. In short, it helps you put the whole information security roadmap in its proper business context. It covers areas such as regulatory and compliance issues, information security governance, risk management, and incident response and recovery. Remember that the CISM is not an entry-level certification: confirm that you meet the experience requirements before you commit to the exam.

What is CISSP?

The CISSP, or Certified Information Systems Security Professional, is a globally recognized certification offered by ISC2 (the International Information System Security Certification Consortium), a not-for-profit organization. It targets experienced security practitioners and is designed to hone the skills of IT security professionals across all industries. The CISSP credential is for security professionals responsible for designing, implementing and maintaining the information security infrastructure of an organization; a CISSP holder is expected to be able to design, implement and manage a cybersecurity program end to end. It is the more technical of the two certifications and is preferred by security consultants, security analysts, systems engineers, network architects and similar roles. Because of its technical depth and broad recognition, it is in great demand, and CISSP holders often command higher pay than other IT security professionals.

Difference between CISSP and CISM

Subject Focus 

– The CISM is much less a technical certification and much more business oriented. It focuses on management and strategy, addressing design and technical security issues only at a conceptual level. The CISSP is more technical and less about management, with a much broader coverage of cybersecurity practice. It is aimed at experienced practitioners who are expected to design, implement and manage a cybersecurity program within an organization.

Prequalification 

– The CISM certification requires 5 years of information security work experience, including a minimum of 3 years of information security management experience across three or more of the CISM domains. ISACA accepts some substitutions for the general requirement: holding a CISSP, for example, waives 2 years, so a CISSP holder needs only 3 years of experience. The 3 years of management experience cannot be substituted. To become a CISSP, you must have a minimum of 5 years of cumulative, paid work experience in two or more of the eight CISSP domains; a four-year college degree (or an approved credential) substitutes for 1 year of that experience. You must also adhere to the ISC2 Code of Ethics.

Exam Format 

– The CISSP exam is computer-based and delivered at authorized testing centers. The linear (fixed-form) version consists of 250 multiple-choice and advanced-format questions with 6 hours to complete it; the English-language version uses computerized adaptive testing (CAT), which presents fewer questions in a shorter time limit. Passing requires a scaled score of 700 out of 1000, not a raw percentage. The CISM exam consists of 150 multiple-choice questions and you are given 4 hours to complete it. You are tested on the four CISM job-practice domains, and you must achieve a scaled score of at least 450 out of 800 to pass.

Knowledge Domains

– The CISM certification helps you put the whole information security roadmap in its proper context. It tests management-level knowledge across four domains: information security governance, information risk management, information security program development and management, and information security incident management. The CISSP certification, on the other hand, is designed to hone the skills of IT security professionals across eight knowledge domains: security and risk management, asset security, security architecture and engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security.

CISSP vs. CISM: Comparison Chart

Sponsor: CISSP is offered by ISC2; CISM is offered by ISACA.
Focus: CISSP is technical, covering security practice in depth; CISM is business oriented, covering management and strategy.
Typical roles: CISSP suits security consultants, analysts, systems engineers and network architects; CISM suits security managers and those with security management responsibilities.
Experience: CISSP requires 5 years in two or more of its domains (a degree substitutes for 1 year); CISM requires 5 years including 3 years of security management (a CISSP waives 2 years of the general requirement).
Domains: CISSP has 8 knowledge domains; CISM has 4.
Exam: CISSP is 250 questions in 6 hours (linear form, shorter under CAT), passing at 700 of 1000; CISM is 150 questions in 4 hours, passing at 450 of 800.
Post-exam: CISSP requires endorsement by an ISC2-certified professional; CISM requires applying for certification after the exam.

Summary of CISSP vs. CISM

Both CISM and CISSP are professional-level certifications designed for roles in information security. CISSP is the more technical of the two, covering information security in depth across eight domains, whereas CISM is less technical and more business oriented, focusing on management and strategy and addressing design and technical issues only at a conceptual level. Both require a minimum of five years of relevant work experience in their respective domains, although candidates may pass the exam first and gain the experience afterwards. For the CISSP, you also need an endorsement from an existing ISC2-certified professional before the credential is granted.