CISM vs. CISSP: What’s the Difference?
Visit this page to download the CISSP vs. CISM: Head-to-Head Comparison.
CISM vs. CISSP
Two of the most in-demand certifications in the cybersecurity industry are the Certified Information Security Manager (CISM) from ISACA, previously known as the Information Systems Audit and Control Association and the Certified Information Systems Security Professional (CISSP) from The International Information System Security Certification Consortium, (ISC)². Both of these certifications cover cybersecurity and managerial concepts. For that reason, many candidates tend to confuse the two. A deeper dive into the certifications can help you determine which certification is right for you. A deeper dive will also reveal the important takeaway: CISM has a managerial focus, while CISSP has a technical focus. But both certs mix these elements in such a way that holders of both certs can tout managerial and technical prowess.
CISM: Managerial with a Technical Twist
The first step in understanding the difference between the two certs is to start with their names. This is a study tip we teach our students. In order to understand an acronym, learn the words that make up the acronym! (Things are often what they sound like). CISM, if you remember, stands for Certified Information Security Manager. The key word in this acronym is the last one. Management in a security context means leading, designing, directing, and overseeing the high-level direction of a security program.
CISSP: Technical with a Managerial Twist
Compare CISM’s managerial focus with the technical perspective of the Certified Information Systems Security Professional cert. While CISMs can expect to design security programs, CISSPs are the individuals who carry out these programs.
The domains, or knowledge areas, of the two certs demonstrate their disparate focus. The table below lists the domains of the two certs.
|1. Information Security Governance
2. Information Risk Management
3. Information Security Program Development & Management
4. Information Security Incident Management
|1. Security and Risk Management
2. Asset Security
3. Security Architecture and Engineering
4. Communications & Network Security
5. Identity & Access Management
6. Security Assessment & Testing
7. Security Operations
8. Software Development Security
A note before we dive into the domains: Just because the CISSP covers eight domains and CISM four, does not mean that CISSP covers twice as much material as the CISM. CISM is like a stuffed-crusted pizza. It may be smaller than a traditional pizza, but it packs the same amount of cheese.
The most significant takeaway from the domain lists is that CISSP explores technical areas that the CISM leaves unturned. From a percentages standpoint, CISM has four management-focused domains. Sub-domain topics include technical concepts, but they are sprinkled in and are not the main focus of the domain. It’s fair to say that CISM is 90% managerial and 10% technical.
CISSP, by contrast, has majority technical domains. Only one domain (or 13%) is explicitly managerial focused. The other domains have a technical core with a managerial perspective sprinkled on top. For example, the CISSP exam includes network security. CISSP candidates can expect to study network communication devices and protocols. As security professionals, CISSPs may have to configure and manage firewalls. CISMs certainly know what firewalls are, but they aren’t creating ACLs. They are busy justifying the cost of proxy and application firewalls to senior management.
CISSP will too learn the skills of persuading management. For example, in another technical CISSP Domain, Security Assessment and Testing, CISSPs will learn the details of penetration tests and other forms of security testing. They will learn the pen test process and tools. But they will also learn what to do with the results of a pen test. CISSPs will know how to package the results in a way to create a business case to senior management. They use pen tests to convince senior management for the need for security. Both CISSPs and CISMs are in the business of selling security.
Same Old Song, Just a Different Meaning
There’s another similarity between CISM and CISSP. On both exams, a very important concept is Incident Response. CISM has a whole domain devoted to it, and CISSP includes an Incident Response subdomain under Domain 7, Security Operations. But the perspective and approach each cert takes to Incident Response again demonstrates their distinct focuses.
By Incident Response, CISM means developing an Incident Response plan. A CISM would assemble an Incident Response team and ensure they have the resources they need to protect the organization in the event of a security incident. A CISM would be responsible for documenting and updating the plan and fighting for proper funding.
A CISSP may be a team lead on the Incident Response team. As a team lead, a CISSP would understand that the high-level, strategic focus of an Incident Response plan is to support the business and keep it operational in dire times. They would also have hands-on experience with the steps included in Incident Response. They would know how to quarantine an infected network device. They would be able to hash a drive to ensure integrity and chain of custody. They could also decide which backup strategies would allow for maximum data availability in the event of a security incident.
In sum, CISSPs will have the experience and know-how to ensure that the Incident Response steps, which are sketched out by a CISM, are followed.
CISSP vs. CISM. More Like CISSP & CISM
If you were reading this piece in order to get a final word on whether your next cert should be CISSP or CISM, we have good news: There is no wrong answer. Both the CISSP and CISM certs are important certs that can make you valuable to your current or prospective employers. What you should recognize is that if you really want to stand out, you should strive to have both the managerial focus of CISM and the technical skills of CISSP.
Management and security are like bread and butter. It’s rare to find someone housing just a bread basket, and it’s odd to find someone shoveling just a stick of butter into their mouth. It’s ideal when you can combine them together. And the quest to find the perfect smattering of butter on a crispy piece of toast is the goal of every CISM and CISSP.