Which one will put you in the best situation for your career, CISSP or CISM? Here we will compare the two head to head. If you are looking into cyber security certifications, especially those at the management level, you have already heard about CISSP and CISM. These two are the most important certifications when it comes to knowing how to manage and evolve a security program. But which one will help grow your career first? Let's look at the CISSP first.
Certified Information Systems Security Professional (CISSP):
Whenever people talk about CISSP, they call it the gold standard of cybersecurity certifications. CISSP was originally released back in the 1990s as a vendor-neutral certification to demonstrate competence in information security. Today CISSP is a staple certification for the Department of Defense. The current version of CISSP gives the candidate 3 hours to complete the exam, with 100 to 150 multiple-choice and drag-and-drop questions depending on how well the candidate is doing. This matters because, as of 2018, CISSP has been transitioning to the Computerized Adaptive Format (CAF). This means that if you answer a question correctly, the next question will be harder, and if you answer it incorrectly, the next question will be comparatively easier. This is similar to other major standardized exams, and it is a very efficient way to test candidates without overloading them with a large number of questions. The previous version of CISSP took 6 hours to complete and required you to answer 250 questions.
There are eight domains you need to know to pass the CISSP:
1. Security and Risk Management 15%
2. Asset Security 10%
3. Security Architecture and Engineering 13%
4. Communication and Network Security 14%
5. Identity and Access Management (IAM) 13%
6. Security Assessment and Testing 12%
7. Security Operations 13%
8. Software Development Security 10%
The truth is that anybody can physically sit for the CISSP exam. But part of the certification's value comes from the experience required to receive the certification after you pass the exam. CISSP requires a candidate to have at least 5 years of experience in two of the eight domains in order to qualify. It is possible to get a one-year waiver, lowering the experience requirement to 4 years, if one has a qualifying degree or certification.
What if someone doesn't have the experience and sits for the exam anyway? Those candidates can become an Associate of (ISC)², and they then have 6 years to acquire the 4 or 5 years of experience needed to qualify.
Certified Information Security Manager (CISM):
CISM was developed in 2002 by the ISACA organization. It is also recognized by the Department of Defense. The CISM exam format is nearly the same as the CISSP's. The difference is that the CISSP exam has a range of possible question counts, whereas CISM gives you a flat 150 questions and 4 hours to complete them.
CISM has only four domains that you need to know:
1. Information Security Governance 24%
2. Information Risk Management 30%
3. Information Security Program Development and Management 27%
4. Information Security Incident Management 19%
Now let's talk about the experience requirement for CISM. CISM requires 5 years of experience. If you don't have the 5 years, there are two ways to get an experience waiver. One is to have two years waived by holding a CISA, a CISSP, or a post-graduate degree in a related field. The other is a single-year waiver for eligible certifications or for security management experience. The key is that you can only get one of these waivers; you can't stack one on top of another. Additionally, you need 3 years of information security manager work experience, and there is no waiver for that requirement.
Now let's compare CISSP vs CISM. The first difference we notice is in the domains. CISSP covers a whole range of information security domains that you might come across in your career. When we talk about CISSP, we typically say that it is an inch deep and a mile wide, because it covers so much information on areas like software development, physical security, and so on. The CISM domains, by contrast, are very focused on running security programs themselves.
The CISM is definitely more suited to managers, whereas the CISSP applies to lead or senior-level engineers or analysts.
What about job postings? CISM has around 3,500 job postings on Indeed, whereas CISSP has around 11,500. Again, the difference in postings is really because CISM focuses more on management, as I said earlier. If you ask which one is easier to take and pass, I have to say that the difficulty varies from person to person. However, I know people who were unable to pass CISSP but passed CISM. Actually, that makes sense, because CISM is a lot more focused, whereas CISSP requires you to cover a lot of information in order to pass.
So which one is the best one to get? To answer that, you have to ask yourself where you are in your career. Although both certifications are valuable, you aren't going to benefit that much from CISM if you are not close to landing a management position. I personally think you should go for CISSP first. But if you want to break into management, or are already in management, then go for CISM.