CISM / CISSP / CISA - Which certification for moving to IT Security field?

I have 10+ years experience in IT Support + Software Testing (Manual). I am currently preparing for PRINCE 2 certification and wish to move towards management side of things. At the same time I am also interested in IT Security. I only have have intermediate level networking knowledge. Also no scripting experience.

Is it Ok to directly go for CISM? How difficult is this exam?

Or should I go for some other certification like CISA which would let me apply for roles IT Auditor ?

Appreciate any help in this regard...

Find more posts tagged with

cissp

CISA

CISM

IT security

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

mikey88

testlink said:

Is it Ok to directly go for CISM? How difficult is this exam?

Or should I go for some other certification like CISA which would let me apply for roles IT Auditor ?

Appreciate any help in this regard...

Can you expend more on your experience? The certifications you listed require 5 years of InfoSec experience.

testlink

• Anti-Virus and Web/Mail usage monitoring using Webmarshal & Mailmarshal

• Support to Siemens HI-Path 4000 Phone system and HiMed bedside entertainment system

• VPN and RSA SecureId token setup

• Network Maintenance, Network Printer Support, Cabling, Patching

• Windows Server Active Directory (AD) Management

• Network Maintenance, Network Printer Support, Cabling, Patching

• Technical Documentation of various IT procedures

• Building Windows test servers on Hyper-V and VMware

JDMurray

You can take and pass any or all of these cert exams tomorrow, but passing alone won't get you the full certifications. The CISSP requires several years of professional, verifiable InfoSec experience. The CISM requires several years of professional, verifiable InfoSec management (of people, not things) experience. The CISA requires several years of professional, verifiable IT auditing experience. There is a possibility that an employer would only care that you have passed the exam(s) and do not have the actual cert(s), but you would still not have the experience for the job. I don't see anything listed in your bullets that indicates you have the experience required for these certs.

testlink

So what certification, should I start with to move towards IT security? Again I have only basic networking skills + No scripting expr.

Danielm7

Check the CISSP requirements, map your experience against the domains there and see if what you'e done matches up and that you can prove it to ISC2 if needed through an audit.

https://www.isc2.org/Certifications/CISSP/experience-requirements#

kaiju

Requirements for CISM

Requirements for CISA

After reading the requirements for CISA, CISM, and CISSP you should be able to decide which certification is good for you.

testlink

Thanks...

lucky0977

testlink said:

So what certification, should I start with to move towards IT security? Again I have only basic networking skills + No scripting expr.

Why did you not mention Security+ (should I assume you already have that)? That will give you the foundational knowledge required for CISSP or CISM.
Take a look at the 8 domains of the CISSP and the 5 domains of CISM and the experience requirements. They don't explicitly state this but they expect you to have some foundational security related knowledge prior to taking their exams. You'll know what I'm talking about when you take their exams. You'll take the exam and read the questions over and over again and think to yourself "Hey I'm pretty sure I've never read this before in any of the textbooks".