CISM vs CISSP

stoked64 (Posts: 22, Member)
Can anyone express their personal opinion on the Certified Information Security Manager (CISM) certification exam? I recently passed the CISSP exam and I'm trying to get some kind of comparison between the two.

Thanks in advance
Stoked64

Comments

  • Fugazi1000 (Posts: 145, Member)
    Some common themes.

    CISSP is a shallow level across a broad spectrum of technical InfoSec domains.

    CISM is more focussed on processes to manage risk in the InfoSec arena. CISA is similar but focusses on the audit aspect.

    CISSP is good to substantiate other technical skills/certs to show an employer that you are well versed in more than just a single vendor technology stack. CISM is for somebody aiming for, or in a management position (less hands on technically on a day to day basis).

    Having both can be useful. If you want techie only. CISSP + whatever. If you want an InfoSec management or Risk Management role, then CISM. If you like to check other people are doing their job.... CISA!

    IMHO.
  • laidbackfreak (Posts: 991, Member)
    Fugazi1000 wrote: »
    Some common themes.

    CISSP is a shallow level across a broad spectrum of technical InfoSec domains.

    CISM is more focussed on processes to manage risk in the InfoSec arena. CISA is similar but focusses on the audit aspect.

    CISSP is good to substantiate other technical skills/certs to show an employer that you are well versed in more than just a single vendor technology stack. CISM is for somebody aiming for, or in a management position (less hands on technically on a day to day basis).

    Having both can be useful. If you want techie only. CISSP + whatever. If you want an InfoSec management or Risk Management role, then CISM. If you like to check other people are doing their job.... CISA!

    IMHO.

    Cheers, nice interpretation.
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
  • JDMurray, Certification Invigilator, Surf City, USA (Posts: 11,287, Admin)
    Note that the CISA and CISM, like the CISSP, are professional certs that one obtains after gaining years of InfoSec work experience. People tend to misjudge these certs as something to help them break into InfoSec-related auditing or management, but they are not.
  • Praks (Posts: 2, Member)
    JDMurray wrote: »
    Note that the CISA and CISM, like the CISSP, are professional certs that one obtains after gaining years of InfoSec work experience. People tend to misjudge these certs as something to help them break into InfoSec-related auditing or management, but they are not.

    What kind of experience is required for CISM? Do you need to be a manager for 5 years?

    Please explain.
  • JDMurray, Certification Invigilator, Surf City, USA (Posts: 11,287, Admin)
    Refer to the Work Experience section in Requirements for CISM Certification.


  • Hyper-Me (Posts: 2,059, Banned)
    Who decides if your work qualifies?

    I mean, as a sys admin I constantly implement security features/solutions like SSL certificates, managing AD (which uses Kerberos), VPN two-factor authentication using a hardware token, etc.

    Does that qualify as security work?
    I got a fortune cookie that said "Outlook not so good" and I thought to myself "Yeah...but Microsoft sells it anyway."
  • JDMurray, Certification Invigilator, Surf City, USA (Posts: 11,287, Admin)
    CISM is an ISACA certification, so ISACA decides.
  • teancum144 (Posts: 229, Member)
    Sitting through a CISM review course confirmed my decision to pursue the CISSP. The CISM is definitely not a roll up your sleeves and dig into IT. It is a very fuzzy, risk and controls type certification. Having the CISA from ISACA (the same organization that sponsors the CISM), I'm not overly impressed. The CISSP covers risks and controls quite well. The AIO CISSP book discusses COBIT and provides context for it among all the relevant frameworks. I have a hard time understanding why anyone would prefer the CISM over the CISSP -- unless they are trying to avoid getting too techy. Regarding the management angle, perhaps there is a perception that it better prepares you for management, but IMO that perception doesn't reflect reality. Then again, if that perception is widely held by hiring managers, there may be a benefit, but that is the only benefit I see. From a pure knowledge perspective (from what you study), I believe the CISSP provides more value.
    If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post. :D
  • JDMurray, Certification Invigilator, Surf City, USA (Posts: 11,287, Admin)
    The CISM is specifically for InfoSec managers, while the CISSP is targeted to a much wider variety of InfoSec professionals. I consider the CISSP/CISA/CISM to be complementary to each other rather than exclusive.
  • mikeysg (Posts: 41, Member)
    JDMurray wrote: »
    The CISM is specifically for InfoSec managers, while the CISSP is targeted to a much wider variety of InfoSec professionals. I consider the CISSP/CISA/CISM to be complementary to each other rather than exclusive.

    I second that!
  • Grief_Indoor (Posts: 2, Registered Users)
    How is CISM different from CRISC though? I just passed CISA and I'm considering either CISM, CRISC, CISSP, or CIA. Thanks for any input!
  • wikiget (Posts: 75, Member)
    Grief_Indoor wrote: »
    How is CISM different from CRISC though? I just passed CISA and I'm considering either CISM, CRISC, CISSP, or CIA. Thanks for any input!

    CISM is about managing security, setting up a security program, risk management and managing incidents.

    CRISC is a deeper understanding of risk, risk reporting, risk monitoring, and continuous monitoring.
    "Once upon a time, disks were floppy, administrators were electricians and computers were louder then jets. Then it all got complicated." -Anon

    Life of a Network Security Manager: http://imgur.com/kKvmgjj
  • ameetng (Posts: 1, Registered Users)
    Which exam to take first? CISM or CISSP?
  • dustervoice (Posts: 876, Member)
    ameetng wrote: »
    Which exam to take first? CISM or CISSP?

    Doesn't matter, take any one you feel comfortable doing first. One is not a continuation of the other! It's like looking at a red and a blue bicycle and asking which one you should ride first.
  • Sirkassad (Posts: 32, Member)
    If you are eventually looking to get both CISSP and CISM, it makes much more sense to get the CISSP first, as it can be used to satisfy a prerequisite for applying for the CISM after you pass the test.
  • coffeeisgood, CISSP, CISA, CISM (Posts: 136, Member)
    I studied harder for the CISSP but then snowballed the CISA & the CISM all within 6 months.
    There is some overlap.
    That said, I thought the CISSP actual test was harder.
    With the CISA / CISM you MUST use ISACA's official QAE database. Seriously.

    Just read somewhere that CISM is valued more than the CISSP in actual $$$, whatever... I got all 3 so meh.

    Best question I heard about to prepare for a future interview:
    The interviewer hands you a dry erase marker, directs you to a whiteboard & asks you to whiteboard something you're passionate about
    (anything! It's that open-ended). Not only would I prepare myself for that question/activity, the next time I interview someone, I am going to use that!