CISA vs. CISSP: What’s the Difference?

CyberVista (now N2K)

Two certifications that candidates often have questions about are the Certified Information Security Auditor (CISA) from ISACA, previously known as the Information Systems Audit and Control Association, and the Certified Information Systems Security Professional (CISSP) from The International Information System Security Certification Consortium (ISC)². Both of these certifications cover cybersecurity concepts. A closer look at the certifications can help you determine which certification is right for you, while revealing the important takeaway: CISA has an auditing focus, and CISSP has a technical, managerial focus.

CISA: Auditing with a Technical Twist

The first step in understanding the difference between the two certifications is to start with their names. Here’s a good tip: to understand an acronym, learn the words that form it (things are often what they sound like). CISA, if you remember, stands for Certified Information Security Auditor. The key word in this acronym is the last one. Auditing, in a security context, means evaluating the security of a company’s information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system’s physical configuration, environment, software, information handling processes, and user practices, and it often determines regulatory compliance.

CISSP: Technical with a Managerial Twist

Compare CISA’s auditing focus with the technical, managerial perspective of the Certified Information Systems Security Professional certification. While CISAs can expect to audit security controls and policies, CISSPs are the individuals who implement the controls and enforce the policies.

The domains, or knowledge areas, of the two certifications demonstrate their disparate focuses. The domains of the two certs are listed below.

CISA domains:

1. Auditing Information Systems
2. Governance and Management of IT
3. Information Systems Acquisition, Development, and Implementation
4. Information Systems Operations, Maintenance, and Service Management
5. Protection of Information Assets

CISSP domains:

1. Security and Risk Management
2. Asset Security
3. Security Architecture and Engineering
4. Communications and Network Security
5. Identity and Access Management
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security

As you can see, CISSP explores technical areas and CISA homes in on auditing information systems. Looking at the proportions, all five of CISA’s domains are auditing-focused. Sub-domain topics include technical concepts, but they are sprinkled in and are not the main focus of the domain. It’s fair to say that CISA is 90 percent auditing and 10 percent technical.

CISSP, by contrast, has more technical domains. Only one domain (or 13 percent) is explicitly management-focused. The other domains have a technical core with a managerial perspective sprinkled on top. For example, the CISSP exam includes network security. CISSP candidates can expect to study network communication devices and protocols. As security professionals, CISSPs may have to configure and manage firewalls. CISAs certainly know what firewalls are, but they aren’t creating ACLs. They are busy justifying the cost of proxy and application firewalls to senior management.

CISSP skills include persuading management. For example, in another technical CISSP domain, Security Assessment and Testing, CISSPs will learn the details of penetration tests and other forms of security testing. They will learn the penetration test process and tools. But they will also learn what to do with the results of a pen test. CISSPs will know how to package the results into a business case for senior management. They use penetration tests to convince senior management of the need for security.

CISSPs are in the business of selling security and managing security. CISAs are in the business of ensuring standards, regulations, and policies are being followed—think compliance.

CISA vs. CISSP: More Like CISA and CISSP

If you were reading this piece in order to get a final word on whether your next certification should be CISSP or CISA, we have good news: There is no wrong answer. Both the CISSP and CISA are important certifications that can make you valuable to your current or prospective employers. What you should recognize is that if you really want to stand out, you should strive to have both the auditing focus of CISA and the technical skills of CISSP. Auditing and security are related. It’s rare to find someone implementing a security plan without including auditing. In most cases, auditing forms the backbone of any security plan. Without auditing, you cannot ensure compliance.

Learn More

Interested in more information about the job prospects and requirements of the CISSP and CISA certifications? Check out our resource center for all the details.

Posted by: Robin Abernathy