CISM or CISSP: which security certification is for you?

The rapidly evolving threat landscape of today (and of the future) presents us with more, and costlier, data breaches, and highlights a particularly critical issue: a shortage of IT security personnel. 

IT security tops the list of skills that IT decision makers want on their teams. According to the 2016 IT Skills and Salary Report by Global Knowledge, one in three IT decision makers reported difficulty finding skilled talent to fill cybersecurity positions. Cybersecurity also remains the top technological area of interest for 2016 (43%).

The International Information System Security Certification Consortium [(ISC)2] Foundation estimates that the shortfall of information security professionals will grow to 1.5 million people by 2020. 

Unsurprisingly, the growing demand for information security professionals means more people are picking up certifications in the IT security field. Two of the more popular certifications are the CISM (Certified Information Security Manager) certification and the CISSP (Certified Information Systems Security Professional) certification.


The CISM certification is awarded by ISACA, and covers the following domains: Information Security Governance, Information Risk Management, Information Security Program Development and Management, and Information Security Incident Management.

The CISSP certification, backed by (ISC)2, covers Security and Risk Management, Asset Security, Security Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security.

There are several key differences between the two certifications. 

CISM is geared more towards the management and strategic side of information security. It covers technical topics in less depth and emphasizes the relationship between the enterprise's business goals and information security. It is business-oriented and focuses on risk management, addressing technical security issues at a corporate level rather than an operational one. It is not uncommon for IT security directors and managers, CIOs, CEOs and CFOs to pursue the CISM certification.

CISSP, on the other hand, takes a more technical approach. It addresses the tactical aspects of security operations and covers critical security topics in depth, with greater focus on the day-to-day running of information security and on threat response. Professionals taking the CISSP exam typically include IT security practitioners such as security consultants, analysts, systems engineers and network architects, as well as aspiring CISOs. 

Making the choice

How then, should one select which certification to undertake? 

Ultimately, you should pursue the one that aligns with your long-term career goals. 

CISM is more appropriate for individuals who are inclined towards the business side of enterprise security management, and for those who want to run an organization's information security program. 

Professionals who are more hands-on and technically oriented should consider the CISSP certification instead. It is ideal for those who want to develop skills in designing, engineering and implementing information security programs.

Either way, CISM and CISSP complement each other and should not be seen as mutually exclusive. Many professionals hold both, and it is advisable to take CISSP first, building a solid technical understanding of cybersecurity before looking at it from a macro, managerial level and pursuing CISM. 

As attacks continue to evolve, organizations' demand for certified information security professionals will keep growing, and it is no surprise that the fastest-growing certifications in the IT industry will continue to come from the security sphere.