CISSP vs CISM – Which is better?

Interested in getting certified to further your career, but unsure which path to take: CISSP or CISM? Let’s take a look at the two certifications and see which is better.

Supply vs Demand

When contemplating our careers, we need to take supply and demand into account.

ISACA claims 40,000 CISM professionals, while ISC2 claims 130,000 CISSP professionals. So as far as supply goes, there are far fewer CISM professionals to compete with. CISM wins the supply argument.

However, there are currently roughly three times as many job listings for CISSPs (in the USA) as there are for CISMs. So the CISSP wins the demand side of the equation.

If you look at the actual numbers, though, there are just over 13,000 CISSP jobs posted nationally. That means if every CISSP looked for a job today, only about 10% would get hired. On the other hand, there are 4,500 CISM jobs posted nationally, so if every CISM looked for a job today, about 11.25% would get hired. The ratio of CISM job postings to CISM professionals is nearly identical to the CISSP’s.

But we still need to look at two other things: does one pay substantially more than the other, and is one substantially more costly or time-consuming to obtain than the other?

CISSP vs CISM Salary

As far as salary goes, let’s look at Washington, DC (ground zero for InfoSec jobs). The minimum starting salary is $90,000 for a CISSP, and $90,000 is also the low end for the CISM. A tie.

Another huge (and more costly) employment center, NYC, has a minimum salary of $105,000 for the CISSP and $105,000 for the CISM. Another tie.

San Francisco is $100,000 for the CISSP and $107,000 for the CISM. So a slight advantage to the CISM.

Chicago is $90,000 for the CISSP and $90,000 for the CISM, another tie.

As far as starting salary is concerned, it’s basically a tie. Obviously, your experience in the security realm can get you more than the starting salary. The average national CISSP salary for 2019 is about $120,000, and about $130,000 for a CISM.

CISSP vs CISM Certification Requirements

  • Both require 5 years of experience
  • Both require 120 hours of CPE credits every 3 years
  • Both have nearly identical annual fees
  • The CISM exam has 200 questions, while the CISSP has 100-150 (adaptive testing)
  • There are 8 CISSP domains, while the CISM has 4
  • The CISSP exam costs $699 vs. $595 for the CISM exam (cheaper if you are an ISACA member)

In the olden days, the CISSP was a paper test of 250 questions covering 10 domains, and it was only given a couple of times a year. The domains have been reduced to 8, and the exam uses adaptive testing now, so if you really know your stuff, it’s only 100 questions. Additionally, because it’s computer based, you can take it whenever you want; you no longer have to wait up to six months and sit in a room with a hundred other people to take it. (In my opinion, this is what has led to the loss of its cachet. Having a CISSP used to be a big deal; now it seems as common as the MCSE was in the 90s.)

The CISM is geared more towards governance, hence the “Manager” part of the title, whereas the CISSP is a bit more technical (although I would say the SANS GIAC is the way to go if you really want a technical security certification). The CISSP still has a fair amount of administrative knowledge relative to true hands-on technical knowledge.

If you want both and are wondering whether you should get the CISSP or the CISM first, the answer is most likely the CISSP.

So which is better? Since the salaries are close and both titles are in demand, it largely depends on your role. If you’re at the beginning of your career, the CISSP is more widely known, so it may carry more weight. (If you have no experience at all, you may want to consider starting with a CompTIA certification first.) If you are already in management or looking for a management position, then the CISM is probably the better option for you. Either way, you can’t go wrong.