CISSP vs. CISM (which exam is tougher?)

Hey folks, I was wondering if anyone perusing the CISSP and SSCP forum has taken the CISM exam. If so, my real question is around how it compares to the CISSP. Not the typical "CISM is management only and CISSP is are more technical and all inclusive security cert" answer. I get that CISM is more around risk and management. I'm more curious around the level of PAIN the actual exam is to prepare for and succeed in passing. I get mixed feelings with all of the research I'm doing. It basically breaks down as follows: 50% of the people - They're both really hard so choose which fits your role 50% of the people - CISSP is Advanced and CISM is Intermediate (difficulty level) I was just hoping to get some input from anyone that may have sat both exams.

Find more posts tagged with

Comments

beads

Depends on your mindset. Some people find ISACA exams to be even more fussy if not infuriating than ISC(2) exams. My take on it (No, I don't bother to update any more - too many) is that they are both about the same but for differing reasons. ISC was challenging back in the day but there is so much material now that it should be considered impossible to fail without trying hard. ISACA's material is harder to test on because of the lack of reliable material available except of course from ISACA themselves.

I found both to be annoying but for different reasons.

YMMV

- b/eads

Mike7

Depends on your working experience. I took CISSP first followed by CISM about 2 months later in 2015. CISM is around ISMS and IRM and you need to understand "the ISACA way", which basically means "management decides". The CRM (CISM Review Manual) is concise but makes for dry reading. Both CISSP and CISM exam test you on your application of concepts, I find CISM questions less straight-forward and require a bit more in-depth thinking. If you plan to do it, go for the online QAE (Questions, Answers & Explanations) and read through the explanations until you understand why an option is wrong or right. It took me a while to understand the "ISACA way", from an initial 50% QAE score to top 5% CISM exam score result 2 months later. You can try the questions at CISM Self-Assessment Exam to get a feel.

TXCISSP

Thanks for the input guys. I'll go check out the self-assessment exam.

rwmidl

I thought the CISSP was harder than the CISM. I did the CISSP about 5-6 years ago (when it was still paper), and I guess the sheer magnitude of the material was a bit overwhelming. The CISM which I did almost a year ago, I was pretty confident I passed when I left the exam center. As others have said, the ISACA material is D R Y! Go with the online database. I think in the end, while they are both frustrating for their own reasons, they also compliment each other.

coffeeisgood

rwmidl wrote: »

ISACA material is D R Y! Go with the online database.

I will second this. You MUST use their Q/A database. I used a printed one for the CISA but the online one for the CISM. Use the online one!

CISSP was harder but I enjoyed studying for it so much more. After the CISSP my mind seriously was spinning after 5 1/2 hours.
ISACA exams are a bit strange. The ISACA way is a real thing that you have to change your mindset to their way of thinking in to pass!

passed exams all last year

CISSP - May
CISA - Sept
CISM - Dec (passed test, waiting on application approval)

not sure if I will do another ISACA exam although they did finally goto CBT... meh

TXCISSP

Thanks for the input everyone! Good stuff.

renolds

Good info. I had studied for the CISSP and was about to sit for it when I found out that it requires you provide a whole heap of PII to the testing centre who would then pass that information to ISC2 in the US. Having to provide a palm vein scan was going too far.I decided against having so much identity information be gathered simply for sitting a test. I'm starting to study for the CISM instead. Based on the website it doesn't collect so much information.

Info_Sec_Wannabe

renolds wrote: »

I had studied for the CISSP and was about to sit for it when I found out that it requires you provide a whole heap of PII to the testing centre who would then pass that information to ISC2 in the US. Having to provide a palm vein scan was going too far.I decided against having so much identity information be gathered simply for sitting a test.

When I sat for the exam, the scanner at the testing center (luckily) was broken. However, this caused a delay and we had to wait for an additional 30 minutes or so before we were allowed to take it.

Out of curiosity, have you tried calling the ISC2 office nearest you to ask if you can waive some of the information being asked?

LordQarlyn

I found the CISSP exam quite challenging for me personally. Since CISM is on my list, it sends shivers down my spine that it's even harder than the CISSP lol.

paul78

LordQarlyn wrote: »

I found the CISSP exam quite challenging for me personally. Since CISM is on my list, it sends shivers down my spine that it's even harder than the CISSP lol.

I think it largely depends on your background and experience as to which you will find harder. I personally found the CISM to be harder. A lot of it has to do with the fact that I find the CISM material to be laborious and boring and I ended up mostly skimming through the ISACA material so I was probably less prepared for it.

I believe that both ISC2 and ISACA exams are now CBT based too. When I took these exams, it was paper and pencil and the other odd reason why I found the CISM harder was that there was less time to circle in those dots with a number 2 pencil.

kaiju

I think ISACA test like CISM get a slight edge on being easier because the QA&E database allows you to gauge your progress.

Info_Sec_Wannabe

CISSP was harder for me as I found the questions more tricky as compared to CISM.

LordQarlyn

paul78 wrote: »

I think it largely depends on your background and experience as to which you will find harder. I personally found the CISM to be harder. A lot of it has to do with the fact that I find the CISM material to be laborious and boring and I ended up mostly skimming through the ISACA material so I was probably less prepared for it.

I believe that both ISC2 and ISACA exams are now CBT based too. When I took these exams, it was paper and pencil and the other odd reason why I found the CISM harder was that there was less time to circle in those dots with a number 2 pencil.

Well, that could give me a slight edge on the CISM then, since I've heard CISM is more managerial type questions and that is my current role. Yeah they are both CBT now, which I'm happy because it would drive me crazy waiting for the results. I've known guys who took the paper tests and watched how they were so anxious waiting lol.

cledford3

renolds wrote: »

Good info. I had studied for the CISSP and was about to sit for it when I found out that it requires you provide a whole heap of PII to the testing centre who would then pass that information to ISC2 in the US. Having to provide a palm vein scan was going too far.I decided against having so much identity information be gathered simply for sitting a test. I'm starting to study for the CISM instead. Based on the website it doesn't collect so much information.

I find this to be highly ironic and am shocked that an organization that provides certs *only* related to security & privacy would collect such PII.

LordQarlyn

The palm scan that has got many so freaked out is simply to authenticate test takers during the exam. Talking to my subordinates from Africa and India, it was not at all uncommon for a candidate to get a friend or hire someone to swap out during a break to take the exam for them. These people would go through great lengths to appear identical, dressing in the exact same clothes, making sure both had same hairstyles and facial hair going as far as to both shaving their heads, matching up with those of closely similar builds. The palm scan is a cheap and quick way to verify you are still you and not some proxy test taker.

What I find ironic is the people complaining about ISC2 collecting information, thereby verifying identities, especially for security related certifications, don't seem to realize one, both ISACA and ISC2 collect even more information when vetting experience, and two, in many security jobs you are often required to submit even more personal data, and all jobs requiring a clearance, you have to supply very intrusive information about yourself to get the clearance.

Finally, why would anyone value a certification from an agency or test center that makes no effort to verify identities? You couldn't trust a single thing about that certification.

paul78

LordQarlyn wrote: »

... Finally, why would anyone value a certification from an agency or test center that makes no effort to verify identities? You couldn't trust a single thing about that certification.

+1 - well put.

cyberguypr

Came here to say what LordQarlyn said. Thanks for saving me time!

roxer

Totally agree with what @beads said - it's based on your mindset. CISM is totally a managerial cert that looks at business risk to make decisions (what is the cost to the company?). CISSP has a bigger technical component and is semi-managerial. They both deal in risk (as in security=risk), but generally in different ways. So, if you go into the CISM test with a technical mindset, you will fail. Some say that is true of the CISSP, but I disagree. I found both process based, but CISSP had much greater technical content than CISM. YMMV.

LordQarlyn

cyberguypr wrote: »

Came here to say what LordQarlyn said. Thanks for saving me time!

LOL well I hope I am amusing you a little bit

renolds

Yes. I contacted them. This was their response:

" Thank you for contacting us. I have heard back from HQ and it is not possible to waive the palm vein scan unless you can provide a medical/religious reason I’m afraid. (ISC)² requires a signature, two forms of photo identification, palm vein scan, and a photograph in order to sit for our exams. This is to properly verify the identity of our exam takers and ensure the security and integrity of the testing environment. Thus, these requirements are necessary in order for an individual to sit for the exam."

I thought GDPR was supposed to allow the control of PII data across the borders (from UK to US) and to opt out if you did not want it. Personally providing that much PII information to one company is too risky for me. I have no idea who else they will be providing that information once it goes to the US. Also don't know how palm vein scanning will progress in the future and what else it may be used for.

LordQarlyn

renolds wrote: »

Yes. I contacted them. This was their response:

" Thank you for contacting us. I have heard back from HQ and it is not possible to waive the palm vein scan unless you can provide a medical/religious reason I’m afraid. (ISC)² requires a signature, two forms of photo identification, palm vein scan, and a photograph in order to sit for our exams. This is to properly verify the identity of our exam takers and ensure the security and integrity of the testing environment. Thus, these requirements are necessary in order for an individual to sit for the exam."

I thought GDPR was supposed to allow the control of PII data across the borders (from UK to US) and to opt out if you did not want it. Personally providing that much PII information to one company is too risky for me. I have no idea who else they will be providing that information once it goes to the US. Also don't know how palm vein scanning will progress in the future and what else it may be used for.

GDPR doesn't quite work like that. The regulation does require that the collecting organization explain what they need to collect, what they will use it for, and who they will share it with. "Opting out", that is by not consenting to the collection or use or or sharing of your personal data does not mean a business or organization still has to provide the service. This is no different than if you wanted to purchase life insurance, but refused to provide some of all of the info they requested. You can always refuse to do so, but you can't force the insurance company to provide you the coverage, GDPR does not allow for that.

BAILEYPC

The actual truth is, the whole cert industry is a racket! It's the same as saying because a hair dresser doesn't have a license they can't cut hair!? Freaking idiotic! IT isn't rocket science. Specialized areas exist and that's debatable too whether they need any formal education - training yes but we aren't performing brain surgery. Certs are just another gov reg imposed money laundering scheme, period!

cyberguypr

MrsWilliams

BAILEYPC said:

The actual truth is, the whole cert industry is a racket! It's the same as saying because a hair dresser doesn't have a license they can't cut hair!? Freaking idiotic! IT isn't rocket science. Specially areas exist and that's debatable too whether they need any formal education - training yes but we aren't performing brain surgery. Certs are just another gov reg imposed money laundering scheme, period!

You know, funny enough I was watching a YouTube video today about how software developers don't need certifications. Some of them are making more money that other staff in other parts of the Information Technology sector. The young lady and gentleman earlier were talking about how they took coding bootcamps. I watched so many videos, I think I linked the right ones. I am like 90% sure.

I will repeat, it's people who took coding boot camps and are making great money with no formal education or certification.

So, I am not going to say I agree 100% with you. But, you have a valid point somewhere in your paragraph. I will say that some areas of the Information Technology Field could care less about a certification or a degree. We can both agree on that one point.

https://www.youtube.com/watch?v=ZVPYjh_yMqE&t=474s

https://www.youtube.com/watch?v=SuS1gmsF6rI&t=1230s

BAILEYPC

Been in the industry for 25+ yrs now... Got an A+ and security+ in the late 90s, and never wasted my time or money again. I use YouTube, Udemy sometimes and other sources to learn what I want but it's via time and experience I gained my skills, knowledge and experience to qualify myself.

Self taught more than 5 coding languages, whitehat hacking, data analytics and have been a network engineer most of those years. I've moved thru industries so fast I didn't have time for formal EDU. That's the reality.

The best programmers I know barely finished high-school and make more money today than the average college grad.

This industry evolves to fast you have to be on your toes, eager and ready to shift. There are the staple jobs like techs and networking but I have watched those roles salaries drop by half over 20yrs or basically stay stagnant because they've become so easy to do. Learn databases, data analytics, IoT and then do it. We have about 10yrs to make money in this category before AI replaces us 😉

Learn Python, R and AI Analytics in the meantime so you can endure a full life time career path before something else takes over and replaces that 😊

Want the big bucks? Get a masters in Math and then name your price 👍 That's the ONLY money I would spend on a formal education.

bigdogz

I agree @BAILEYPC but there are some industries that want the education (B.S.) and will not talk to you otherwise. It's reality.

BAILEYPC

But they are not the majority and they don't have a lock on said "whole" industry.
Example: I went for an interview in Silicon Valley. The CEO personally told me - "most companies in this valley will not hire based on certs. Not just that, they frown on it". Company un-named, it was a very large tech company in the cellular 'industry'.

Everyone has to decide for themselves but I am trying to make ppl think before they decide.

TEXIPSEC

Nothing in the world beats experience. Certs are great, degrees are fine, but at the end of the day, book smarts will only get you so far.

Tribal knowledge is very, very, valuable.

TXCISSP

TEXIPSEC said:

Nothing in the world beats experience. Certs are great, degrees are fine, but at the end of the day, book smarts will only get you so far.

Tribal knowledge is very, very, valuable.

Truf!

bigdogz

< performing tribal dance of getting the certs and degree to get in.... then the tribal knowledge is the key to the inner circle> ... LOL