CISM vs. CISSP Certification: Which One is Best for You?

CISM and CISSP are two of the most highly regarded certifications for cybersecurity leaders and practitioners, but their requirements aren’t trivial. Both require a significant investment of time and money, so it’s important to determine which is right for you. Take a look at our comparison of the two to learn more.
Michael Buckbee
3 min read
Last updated February 24, 2022

It’s a perfect time to be CISM or CISSP certified, or to hold any cybersecurity certification: according to Gartner, the unemployment rate for cybersecurity professionals is effectively zero. There are more open positions than qualified candidates, and job postings stay open for a long time.



CISM (Certified Information Security Manager)

CISM (pronounced siz-zm) is a certification offered by ISACA that validates your knowledge and expertise in managing enterprise information security programs and teams. Getting CISM certified puts you in high demand with employers around the world who recognize the achievement and capability the certification represents. CISM shows that you combine technical competence with an understanding of the business objectives behind information security.

Becoming CISM certified is a multi-step process. First, you need a passing score on the CISM exam, a 150-question multiple-choice test with a 4-hour time limit that covers these four domains:

  • Information security governance
  • Information risk management
  • Information security program development and management
  • Information security incident management

You also need a minimum of 5 years of information security work experience gained within the 10 years prior to your application, and at least 3 of those 5 years must be in information security management. There are some acceptable substitutions: a CISSP certification in good standing, for example, counts for 2 of the 5 years of general experience.

Lastly, there is a continuing education requirement. To maintain the certification you need at least 20 CPE credits per year and 120 CPEs over each 3-year cycle, you must pay ISACA’s annual maintenance fee, and you must adhere to ISACA’s Code of Professional Ethics.

ISACA offers CISM exam prep materials and sample questions for sale on its website. It also runs training events and exam bootcamps all over the world.

CISSP (Certified Information Systems Security Professional)

CISSP (pronounced C-I-S-S-P) is another highly regarded information security certification, offered by (ISC)2. CISSP certification proves you have the expertise to design, implement, and manage a cybersecurity program.

Similar to CISM, CISSP is typically geared towards experienced security practitioners in management or executive positions, but it is also pursued by experienced security analysts and engineers. CISSP holders are in high demand and tend to command higher salaries than holders of many other IT certifications.

The CISSP certification process requires that you meet several criteria. First, you must agree to the (ISC)2 Code of Ethics and answer the candidate background qualification questions. You also need 5 years of cumulative, paid work experience in at least 2 of the 8 domains of the (ISC)2 Common Body of Knowledge (CBK); a relevant four-year degree or an approved credential satisfies 1 of those 5 years. The domains are:


  • Security and risk management
  • Asset security
  • Security architecture and engineering
  • Communication and network security
  • Identity and access management
  • Security assessment and testing
  • Security operations
  • Software development security

If you do not yet satisfy the work experience requirement, you can still sit the same CISSP exam. If you pass, you become an Associate of (ISC)2 and have up to six years to earn the required experience, while qualifying for ongoing training as an (ISC)2 member. This is a good intermediate step towards a full CISSP.

Assuming you have the appropriate work experience, you then need to pass the exam. The English-language exam uses computerized adaptive testing (CAT): between 100 and 150 questions in a 3-hour sitting. The linear form of the exam offered in other languages is 250 questions with a 6-hour time limit. (ISC)2 refreshed the exam content in April 2018, but not so much that older preparation materials are useless. The test draws questions from all 8 domains of the CBK.

Once you pass the test, you need an endorsement, submitted within nine months of passing, from an (ISC)2-certified professional in good standing who can attest to your work experience. Hopefully you know a current CISSP; if you don’t, (ISC)2 can act as your endorser.

To maintain your certification, you need to maintain your membership status with (ISC)2. Members must pay their annual membership fee and earn 120 CPEs over each 3-year certification cycle.

CISM or CISSP? Which is Best for Me?

If you are in infosec or looking to move into infosec, it’s a good idea to get some kind of certification. Which one you get first depends on several factors, and some people get both. Many people get CISSP first and add CISM later, but the order doesn’t really matter; as noted above, a CISSP in good standing counts for 2 of the 5 years of experience that CISM requires. Here are a few other factors that might help you make a decision:

  • Salaries are comparable between the two certifications
  • There were 8,906 CISM jobs listed on LinkedIn at the time this article was last updated
  • There were 21,714 CISSP jobs listed on LinkedIn at the same time

CISM and CISSP both require a set number of CPE credits to maintain the certification. There are several ways to earn them: attend webinars on cybersecurity topics, attend conferences, or attend local ISACA or (ISC)2 chapter meetings. You can also earn credits by volunteering at cybersecurity events and by mentoring other members. ISACA and (ISC)2 each publish their own CPE guidance; familiarize yourself with it and factor the ongoing maintenance commitment into your decision on which path to follow.

Varonis provides free security training, including several CPE-eligible video courses that cover a range of topics, from PowerShell and Active Directory Essentials with Adam Bertram to Web Security Fundamentals with Troy Hunt. We also run CPE-eligible webinars throughout the year on topics such as insider threats, GDPR compliance, HIPAA compliance, Office 365 security best practices, and securing Active Directory.

Probably the most important question you need to ask is “what are my long-term career goals?” Are you looking to become a CISO or an infosec executive? Look into CISM. Are you planning a long career as a security engineer? CISSP might be the better choice. It’s not uncommon to get one now and complete the other later.

Regardless of which certification you choose to pursue, you are doing both yourself and your infosec career a huge favor. Both options open the door to salary advancement, new positions, and new professional challenges. Whether you start with CISM or CISSP, you can be confident you’re making a sound career decision.
