CISM vs CISSP
Can anyone express their personal opinion on the Certified Information Security Manager (CISM) certification exam? I recently passed the CISSP exam and I'm trying to get some kind of comparison between the two.
Thanks in advance
Stoked64
Comments
Fugazi1000 (Member, Posts: 145)
Some common themes.
CISSP is a shallow level across a broad spectrum of technical InfoSec domains.
CISM is more focussed on processes to manage risk in the InfoSec arena. CISA is similar but focusses on the audit aspect.
CISSP is good to substantiate other technical skills/certs to show an employer that you are well versed in more than just a single vendor technology stack. CISM is for somebody aiming for, or in a management position (less hands on technically on a day to day basis).
Having both can be useful. If you want techie only, CISSP + whatever. If you want an InfoSec management or Risk Management role, then CISM. If you like to check that other people are doing their job... CISA!
IMHO.
laidbackfreak (Member, Posts: 991)
Fugazi1000 wrote:
> Some common themes.
> CISSP is a shallow level across a broad spectrum of technical InfoSec domains.
> CISM is more focussed on processes to manage risk in the InfoSec arena. CISA is similar but focusses on the audit aspect.
> CISSP is good to substantiate other technical skills/certs to show an employer that you are well versed in more than just a single vendor technology stack. CISM is for somebody aiming for, or in a management position (less hands on technically on a day to day basis).
> Having both can be useful. If you want techie only, CISSP + whatever. If you want an InfoSec management or Risk Management role, then CISM. If you like to check that other people are doing their job... CISA!
> IMHO.
Cheers, nice interpretation.
If I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
JDMurray (Admin, Posts: 13,091)
Note that the CISA and CISM, like the CISSP, are professional certs that one obtains after gaining years of InfoSec work experience. People tend to misjudge these certs as something to help them break into InfoSec-related auditing or management, but they are not.
Praks (Member, Posts: 2)
JDMurray wrote:
> Note that the CISA and CISM, like the CISSP, are professional certs that one obtains after gaining years of InfoSec work experience. People tend to misjudge these certs as something to help them break into InfoSec-related auditing or management, but they are not.
What kind of experience is required for CISM? Do you need to be a manager for 5 years?
Please explain.
Hyper-Me (Banned, Posts: 2,059)
Who decides if your work qualifies?
I mean, as a sysadmin I constantly implement security features/solutions like SSL certificates, managing AD (which uses Kerberos), VPN two-factor authentication using a hardware token, etc.
Does that qualify as security work?
teancum144 (Member, Posts: 229)
Sitting through a CISM review course confirmed my decision to pursue the CISSP. The CISM is definitely not a roll-up-your-sleeves-and-dig-into-IT certification. It is a very fuzzy, risk and controls type certification. Having the CISA from ISACA (the same organization that sponsors the CISM), I'm not overly impressed. The CISSP covers risks and controls quite well. The AIO CISSP book discusses COBIT and provides context for it among all the relevant frameworks. I have a hard time understanding why anyone would prefer the CISM over the CISSP -- unless they are trying to avoid getting too techy. Regarding the management angle, perhaps there is a perception that it better prepares you for management, but IMO that perception doesn't reflect reality. Then again, if that perception is widely held by hiring managers, there may be a benefit, but that is the only benefit I see. From a pure knowledge perspective (from what you study), I believe the CISSP provides more value.
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post.
JDMurray (Admin, Posts: 13,091)
The CISM is specifically for InfoSec managers, while the CISSP is targeted to a much wider variety of InfoSec professionals. I consider the CISSP/CISA/CISM to be complementary to each other rather than exclusive.
mikeysg (Member, Posts: 41)
JDMurray wrote:
> The CISM is specifically for InfoSec managers, while the CISSP is targeted to a much wider variety of InfoSec professionals. I consider the CISSP/CISA/CISM to be complementary to each other rather than exclusive.
I second that!
Grief_Indoor (Registered User, Posts: 2)
How is CISM different from CRISC, though? I just passed CISA and I'm considering either CISM, CRISC, CISSP, or CIA. Thanks for any input!
wikiget (Member, Posts: 75)
Grief_Indoor wrote:
> How is CISM different from CRISC, though? I just passed CISA and I'm considering either CISM, CRISC, CISSP, or CIA. Thanks for any input!
CISM is about managing security, setting up a security program, risk management and managing incidents.
CRISC is a deeper understanding of risk, risk reporting, risk monitoring, and continuous monitoring.
"Once upon a time, disks were floppy, administrators were electricians and computers were louder than jets. Then it all got complicated." -Anon
Life of a Network Security Manager: http://imgur.com/kKvmgjj
dustervoice (Member, Posts: 877)
> Which exam to take first? CISM or CISSP?
Doesn't matter; take whichever one you feel comfortable doing first. One is not a continuation of the other! It's like looking at a red and a blue bicycle and asking which one you should ride first.
Sirkassad (Member, Posts: 43)
If you are eventually looking to get both CISSP and CISM, it makes much more sense to get the CISSP first, as it can be used to satisfy a prerequisite for applying for the CISM after you pass the test.
coffeeisgood (Member, Posts: 136)
I studied harder for the CISSP but then snowballed the CISA and the CISM, all within 6 months.
There is some overlap.
That said, I thought the CISSP actual test was harder.
With the CISA / CISM you MUST use ISACA's official QAE database. Seriously.
Just read somewhere that CISM is valued more than the CISSP in actual $$$. Whatever... I got all 3, so meh.
Best question I heard about to prepare for a future interview:
The interviewer hands you a dry erase marker, directs you to a whiteboard and asks you to whiteboard something you're passionate about (anything! It's that open-ended). Not only would I prepare myself for that question/activity, the next time I interview someone, I am going to use that!