CISM vs. CISSP Certification: Which One is Best for You?

CISM and CISSP are two of the most highly regarded certifications for cybersecurity leaders and practitioners, but their requirements aren’t trivial. Both require a significant investment of time and money – so it’s important to determine which is right for you. Take a look at our comparison of the two to learn more.
Michael Buckbee
3 min read
Published March 29, 2020
Last updated February 24, 2022

It’s a perfect time to be CISM or CISSP certified, or have any cybersecurity certification: according to Gartner, the unemployment rate for cybersecurity professionals is zero – as in there isn’t an unemployment rate. In fact, there are more jobs than qualified candidates, and the job postings stay open for a long time.

CISM (Certified Information Security Manager)

CISM (pronounced siz-zm) is a certification offered by ISACA that validates your knowledge and expertise in managing enterprise information security teams. Getting CISM certified puts you in high demand with employers around the world that recognize the achievement and capability CISM certification represents. CISM shows that you combine technical competence with an understanding of the business objectives around data security.

Becoming CISM certified is a multi-step process. You need a passing score on the CISM exam, which is a 200-question multiple-choice test that covers these topics:

  • Information security management
  • Information risk management and compliance
  • Information security program development and management
  • Information security incident management

You also need a minimum of 5 years of information security work within the 10 years prior to your certification, and 3 of those 5 years need to be in management. There are some acceptable substitutions – a CISSP certification, for example, can count as 2 years of experience.

And lastly, there is a continuing education policy. To maintain your certification, you need 20 CPE credits per year, 120 CPEs over 3 years, and a commitment to adhere to a Code of Professional Ethics.

ISACA offers CISM exam prep materials and sample questions for sale on its website. It also runs training events and exam bootcamps all over the world.

CISSP (Certified Information Systems Security Professional)

CISSP (pronounced C-I-S-S-P) is another highly regarded information security certification, offered by (ISC)2. CISSP certification proves you have the expertise to design, implement, and manage a cybersecurity program.

Similar to CISM, CISSP is a certification typically geared towards experienced security practitioners in management or executive positions, but it is also pursued by experienced security analysts and engineers. CISSP-certified professionals are in high demand and are highly paid compared with holders of other IT certifications.

The CISSP certification process requires that you meet several criteria: first, you need to pass a candidate background check. You also need 5 years of experience as a security professional in 2 of the 8 domains in the (ISC)2 Critical Body of Knowledge (CBK). Those areas are:

  • Security and risk management
  • Asset security
  • Security engineering
  • Communication and network security
  • Identity and access management
  • Security assessment and testing
  • Security operations
  • Software development security

If you do not satisfy the work experience requirement, you can join as an Associate of (ISC)2, which requires a shorter test and qualifies you for ongoing training as a member of (ISC)2. This program is a good intermediate step towards a full CISSP.

Assuming you have the appropriate work experience, you then need to pass a 250-question test within a 6-hour time limit. (ISC)2 updated the exam in April of 2018, but not so much that the older preparation materials are outdated. The test includes questions from all 8 domains of the CBK.

Once you pass the test, you need an endorsement from a current (ISC)2 member in good standing. Hopefully, you know a current CISSP.

To maintain your certification, you need to maintain your membership status with (ISC)2. Members must pay their annual membership fees and earn 120 CPEs per 3 years.

CISM or CISSP? Which is Best for Me?

If you are in infosec or looking to move into infosec, it’s a good idea to get some kind of certification. Which one you get first depends on several factors. Some people get both. Most people get CISSP first and then get their CISM afterwards, but the order doesn’t matter. Here are a few other factors that might help you make a decision:

  • Salaries are comparable between the two certifications
  • There are 8,906 CISM jobs listed on LinkedIn
  • There are 21,714 CISSP jobs listed on LinkedIn

CISM and CISSP both require a certain number of CPE credits to maintain your certification. There are several ways you can earn CPE credits – you can attend webinars on cybersecurity topics, attend conferences, or attend local CISSP or CISM meetings. You can also earn credits by volunteering for some cybersecurity events and mentoring other members. CISM and CISSP have their own guidance and you should familiarize yourself with them and prepare for the commitment to maintain your certification as part of the decision on which path to follow.

Varonis provides free security training, including several CPE-eligible video courses that cover a range of topics – from PowerShell and Active Directory Essentials with Adam Bertram to Web Security Fundamentals with Troy Hunt. We also run CPE-eligible webinars throughout the year, with topics including Insider Threats, GDPR compliance, HIPAA compliance, Office 365 Security Best Practices, Securing Active Directory, and more.

Probably the most important question you need to ask is “what are your long-term career goals?” Are you looking to become a CISO or infosec executive? You should look into CISM. Are you planning on a long career as a security engineer? CISSP might be the better choice. It’s not uncommon to get one and complete the other certification at a later time.

Regardless of which certification you choose to pursue, you are doing both yourself and your infosec career a huge favor. Both options open the door to salary advancement, new positions, and new professional challenges. Whether you start with CISM or CISSP, you can be confident you’re making a sound career decision.
