

CISM Vs CISSP - more granular discussion

By aafoo69 ·
People keep asking me what the difference is between CISSP and CISM and which one is more valuable to have.

I'm posting my opinion here to give folks a basis for their decision.

When asked the above question, I usually tell people that the difference is in focus. Though I'm not CISSP but rather CISM and CISA certified, I'm not biased toward CISM and/or CISA. I would like to do a fair comparison of the two just to help people decide where they want to go. As far as I have evaluated, CISSP focuses on the operational side of security while CISM (and even CISA) focuses on the strategic side of security. CISSP is more suitable for technical folks while CISM is suitable for folks on the "management" side of security. CISM talks about IT governance frameworks and its focus is a bit higher than CISSP's; that's why CISSP has 10 domains while CISM has almost half!

Though CISSP also talks about laws/acts like GLBA, SOX, etc., what about process maturity measurements (CMMI), business scorecards and risk management methodologies like OCTAVE and COBIT? CISSP does not talk about those. CISSP is tactical while CISM is strategic. CISM talks about senior management roles and responsibilities in the context of an IT governance framework; it talks about strategic alignment, value delivery, business process assurance, resource utilization, performance measurement, and other things like gap analysis, managed/outsourced security services and information security program management, which in fact uses a project management approach. CISM talks about and focuses on information security, whereas CISSP (though it also talks about it) focuses on IT security, which is a subset of information security. So, which one is better depends upon your career goals. But ultimately, most people want to move toward the "management" side.

I have seen some posts saying that CISSP helps with CISM/CISA while the reverse doesn't. I agree with that partially, as a person's background also counts. For a person from an accounting or auditing background like a CPA or CA, digesting technical knowledge is usually hard, but if a person is an IT graduate, it doesn't make a big difference for him. CISSP develops your base in technical aspects but not in management aspects. CISSPs learn these skills over a period of time through experience, while it's right there in CISM. CISM is relatively newer than CISSP and, as a matter of fact, more jobs list CISSP (making people say "CISSP is widely recognized"). The difference between CISSP and CISM is being realized now and CISM is appearing in job requirements; from a salary point of view, CISM is at least equally good, but in terms of focus, it is higher than CISSP.

Both CISSP and CISM are ANSI accredited under ISO/IEC 17024 (PMP, CISA and CPP are also accredited, while CGEIT is not yet accredited). It could be valuable to hold both CISSP and CISM, and if you are planning to take both, taking CISSP first and then CISM makes sense.

Nice overview and quick ?

by j.depalma In reply to CISM Vs CISSP - more gran ...

Thanks for the comparison and overview... I have been in information technology and infosec for 20+ years. I agree CISSP differs from CISA/CISM, more, I think, in terms of technical than operational. I am not CISSP certified; I did sit for the 10 CBKs, though, and found it to be very theoretical with not a lot of practicality. I am currently evaluating whether I should pursue CISA/CISM or the CGEIT. I consult mostly now on ISO 27002 frameworks and governance. Can you offer insights on CGEIT?
