
Thread: CISM vs CISSP

  1. Stoked64 (Junior Member)
    Join Date
    Sep 2009
    Posts
    21
    #1

    CISM vs CISSP

    Can anyone express their personal opinion on the Certified Information Security Manager (CISM) certification exam? I recently passed the CISSP exam and I'm trying to get some kind of comparison between the two.

    Thanks in advance
    Stoked64

  3. Fugazi1000 (Senior Member)
    Join Date
    Jun 2007
    Posts
    145

    Certifications
    CISA,CISM,CISSP-ISSAP, CRISC,ITIL Expert (v3), MCITP:some,MCSE:S, MCSA:M,CCNA,JNCIA, TOGAF 8&9, MSP,Security+
    #2
    Some common themes.

    CISSP is a shallow level across a broad spectrum of technical InfoSec domains.

    CISM is more focussed on processes to manage risk in the InfoSec arena. CISA is similar but focusses on the audit aspect.

    CISSP is good to substantiate other technical skills/certs to show an employer that you are well versed in more than just a single vendor technology stack. CISM is for somebody aiming for, or in a management position (less hands on technically on a day to day basis).

    Having both can be useful. If you want techie only, CISSP + whatever. If you want an InfoSec management or Risk Management role, then CISM. If you like to check that other people are doing their job.... CISA!

    IMHO.

  4. laidbackfreak (Senile old fart)
    Join Date
    Oct 2007
    Location
    wandering t'internet
    Posts
    991

    Certifications
    CISSP, CCVP, CCNAV, CCNAS, CCNA
    #3
    Quote Originally Posted by Fugazi1000
    Some common themes.

    CISSP is a shallow level across a broad spectrum of technical InfoSec domains.

    CISM is more focussed on processes to manage risk in the InfoSec arena. CISA is similar but focusses on the audit aspect.

    CISSP is good to substantiate other technical skills/certs to show an employer that you are well versed in more than just a single vendor technology stack. CISM is for somebody aiming for, or in a management position (less hands on technically on a day to day basis).

    Having both can be useful. If you want techie only, CISSP + whatever. If you want an InfoSec management or Risk Management role, then CISM. If you like to check that other people are doing their job.... CISA!

    IMHO.
    Cheers, nice interpretation.

  5. JDMurray (Certification Invigilator, Forum Admin)
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,615
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #4
    Note that the CISA and CISM, like the CISSP, are professional certs that one obtains after gaining years of InfoSec work experience. People tend to misjudge these certs as something to help them break into InfoSec-related auditing or management, but they are not.
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

  6. Junior Member
    Join Date
    Sep 2008
    Posts
    2
    #5
    Quote Originally Posted by JDMurray
    Note that the CISA and CISM, like the CISSP, are professional certs that one obtains after gaining years of InfoSec work experience. People tend to misjudge these certs as something to help them break into InfoSec-related auditing or management, but they are not.
    What kind of experience is required for CISM? Do you need to be a manager for 5 years?

    Please explain.

  7. JDMurray (Certification Invigilator, Forum Admin)
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,615
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #6
    Refer to the Work Experience section in Requirements for CISM Certification.

  8. Senior Member
    Join Date
    Jul 2009
    Posts
    2,056

    Certifications
    Beer+
    #7
    Who decides if your work qualifies?

    I mean, as a sys admin I constantly implement security features/solutions like SSL certificates, managing AD (which uses Kerberos), VPN dual-factor authentication using a hardware token, etc.

    Does that qualify as security work?

  9. JDMurray (Certification Invigilator, Forum Admin)
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,615
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #8
    CISM is an ISACA certification, so ISACA decides.

  10. teancum144 (Senior Member)
    Join Date
    Jun 2012
    Location
    Pacific Northwest, USA
    Posts
    227

    Certifications
    CISSP, CISA, CPA (inactive), Network+, Security+
    #9
    Sitting through a CISM review course confirmed my decision to pursue the CISSP. The CISM is definitely not a roll up your sleeves and dig into IT. It is a very fuzzy, risk and controls type certification. Having the CISA from ISACA (the same organization that sponsors the CISM), I'm not overly impressed. The CISSP covers risks and controls quite well. The AIO CISSP book discusses COBIT and provides context for it among all the relevant frameworks. I have a hard time understanding why anyone would prefer the CISM over the CISSP -- unless they are trying to avoid getting too techy. Regarding the management angle, perhaps there is a perception that it better prepares you for management, but IMO that perception doesn't reflect reality. Then again, if that perception is widely held by hiring managers, there may be a benefit, but that is the only benefit I see. From a pure knowledge perspective (from what you study), I believe the CISSP provides more value.
    Last edited by teancum144; 10-28-2013 at 05:21 PM.

  11. JDMurray (Certification Invigilator, Forum Admin)
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,615
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #10
    The CISM is specifically for InfoSec managers, while the CISSP is targeted to a much wider variety of InfoSec professionals. I consider the CISSP/CISA/CISM to be complementary to each other rather than exclusive.

  12. Member
    Join Date
    Apr 2013
    Location
    Singapore
    Posts
    40

    Certifications
    CISSP-ISSAP, CISM, CISA, ITIL-F, ISO27002, RHCI, RHCE, RHCT, MCT, MCSE: Security, MCSA: Security, MCSA: Server 2012
    #11
    Quote Originally Posted by JDMurray
    The CISM is specifically for InfoSec managers, while the CISSP is targeted to a much wider variety of InfoSec professionals. I consider the CISSP/CISA/CISM to be complementary to each other rather than exclusive.
    I second that!

  13. Grief_Indoor (Junior Member)
    Join Date
    Jan 2014
    Posts
    2
    #12
    How is CISM different from CRISC though? I just passed CISA and I'm considering either CISM, CRISC, CISSP, or CIA. Thanks for any input!

  14. wikiget (Member)
    Join Date
    May 2013
    Location
    US
    Posts
    75

    Certifications
    CASP, Security+, Server+, MCP, AAS-Applied Computer Systems
    #13
    Quote Originally Posted by Grief_Indoor
    How is CISM different from CRISC though? I just passed CISA and I'm considering either CISM, CRISC, CISSP, or CIA. Thanks for any input!
    CISM is about managing security, setting up a security program, risk management and managing incidents.

    CRISC is a deeper understanding of risk, risk reporting, risk monitoring, and continuous monitoring.

  15. ameetng (Junior Member)
    Join Date
    Feb 2016
    Posts
    1
    #14
    Which exam to take first? CISM or CISSP?

  16. Senior Member
    Join Date
    Apr 2014
    Location
    South Florida
    Posts
    857

    Certifications
    CISSP, CISM, CISA, CRISC
    #15
    Quote Originally Posted by ameetng
    Which exam to take first? CISM or CISSP?

    Doesn't matter, take whichever one you feel comfortable doing first. One is not a continuation of the other! It's like looking at a red and a blue bicycle and asking which one you should ride first.

  17. Member
    Join Date
    Jan 2017
    Posts
    34
    #16
    If you are eventually looking to get both CISSP and CISM it makes much more sense to get the CISSP first as it can be used to satisfy a prerequisite for applying for the CISM after you pass the test.

  18. coffeeisgood (Senior Member)
    Join Date
    Apr 2016
    Location
    padded walls surround & protect me
    Posts
    132

    Certifications
    CISSP, CISA, CISM, Sec+
    #17
    I studied harder for the CISSP but then snowballed the CISA & the CISM all within 6 months.
    There is some overlap.
    That said, I thought the CISSP actual test was harder.
    With the CISA / CISM you MUST use ISACA's official QAE database. Seriously.

    Just read somewhere that CISM is valued more than the CISSP in actual $$$, whatever... I got all 3 so meh.

    Best question I heard about to prepare for a future interview:
    The interviewer hands you a dry erase marker, directs you to a white board & asks you to white board something you're passionate about
    (anything! It's that open-ended.) Not only would I prepare myself for that question/activity, the next time I interview someone, I am going to use that!