I was browsing through a certification forum when I read a question asking for the differences between CISSP, the CISM, and the CISA. Someone responded saying the CISM and CISA were one and the same. I was shocked, stunned, and amazed. Worst was how confidently the responder labeled the CISM as just another auditor certification. That’s so wrong; the CISM is not the CISA. I wrote this article to educate those around us who confuse the two.
Comparing Elevator Speeches
You know what an elevator speech is, right? That’s the “sales pitch” you can deliver in a fairly short time, like say, while sharing an elevator with someone.
For the Certified Information Systems Auditor certification, its elevator speech may sound something like “The CISA is recognized around the world as the premier IT systems auditor credential with about 80,000 having earned it since CISA started 30 years ago.”
Compare that to what a CISM holder may say: “The Certified Information Security Manager is an intermediate level or higher qualification for those seeking to excel in information security management and information risk management.”
Both certifications are far from entry level, since they both require candidates to have five years of relevant experience. Although the CISA allows partial waivers, most popularly from university education, a CISM candidate must have not only 5 years of experience, but 3 of those 5 must be direct information security management-related.
If you’re looking for similarities between the exams, both allot up to f hours to finish the 200 questions on either exam. Both exams cover a known arrangement of topic (5 for the CISM, 6 for the CISA). For more on those topics, candidates can visit the ISACA website to review each exam’s task and knowledge statements in great detail. However, this article shows how the certifications treat you in the real world.
When You’ll Find CISM & CISA in Job Positions
Employed or not, many of us browse job positions. We take notice when we see “must have XYZ credential” or “XYZ is strongly preferred,” especially when the credential is one we have.
But wouldn’t it be also useful to know what jobs want the credential you’re thinking of getting? A credential is best put to use when you know what jobs are best suited for it. Let’s look at what sorts of jobs require the CISA and the CISM.
First, let’s be clear on the level of positions where CISA and CISM work best. The CISA is for auditors, particularly those who practice their art. By comparison, the CISM is not for practitioners. To borrow ISACA’s own words: the CISM is for “the individual who has progressed beyond the practitioner focus, whose emphasis is no longer technical or specialist skills, and who has moved on to the management of an enterprise's information security program.”
Remember this key difference of position level. In short, the CISA is for those “hands-on” auditors, while the CISM is for managers of hands-on information security specialists.
When will we see CISA?
CISA is the IT auditors’ credential. Companies ask for CISA-certified individuals when the job requires knowledge and skills in IT auditing, controls, and often, information security.
Job descriptions often involve finance, accounting, maintaining regulatory compliance, and most often equate to plainly auditing the IT infrastructure. When it comes to regulatory compliance, the CISA holder may audit SOX, HIPAA, GLBA, or NIST Special Publication 800, and FISMA for US government agencies. So knowledge and experience of those regulations or standards can be extremely useful.
When will we see CISM?
CISM is the information security manager’s credential. Companies ask for CISM-certified individuals when the job requires management of information security, information risk management, disaster planning, business continuity, and often enterprise architecture.
Job descriptions often involve program or project management, policy and standards development, information assurance, and assuring compliance. CISM holders should have a security background in one or more technical areas, such as network and perimeter security or systems hardening.
When will we see both CISA and CISM?
Often. Companies asking for one will often tack on the other. While common and beneficial for the sake of gathering interview leads, lumping together CISA and CISM can be misguiding for interviewees. Of course, having both certifications easily solves this problem as well as making you extraordinarily qualified for a wider range of positions.
The certified individual knows best his or her own qualifications. He or she can easily judge by matching experience against the job position. Lastly, during the interview everyone will better understand how experience and knowledge fit that particular job’s responsibilities.
Where the CISSP Complements Well, and Where it Complements Best
The Certified Information Systems Security Professional (CISSP) certification is arguably the most popular information security certification. The number of cert holders is above 63,000 worldwide today.
According to a job watch site for IT professionals, the CISSP credential is mentioned in more than 19 out of 20 job listings for CISM holders! By comparison, the CISSP is mentioned in fewer than 16 out of 20 listings for the CISA. The smart harmony of the CISSP and CISM is the reason you almost always see both certifications requested in job descriptions.
There is a special harmony between the CISSP and the CISM. While the CISM is geared toward management, the CISSP is more of a “hands-on” certification. And while the CISSP is not as technical as say, most of SANS Institute’s GIAC certifications, the CISSP assures an employer the holder has a broad and somewhat deep understanding of information security as a whole.
Finally, enter the CISM certification[md]intended for information security professionals on the management track. It’s safe to say that CISM holders who also hold the CISSP are solidly equipped to make well-informed information security management decisions. And companies know this.
The two certifications target different professionals, offer different promise for people on different career paths. The CISA is for IT auditors, while the CISM is for IT security managers and information risk managers. It’s plain to see the CISA and CISM are not alike and shouldn’t be considered so.
However, we also saw that cross certifying, or complementing with the CISSP, can make you especially valuable. By reading job positions carefully, we better understand what the job responsibilities are. Therefore, we know what background and certifications will serve us as applicants best.