CISM is about managing security: setting up a security program, risk management, and managing incidents. CRISC covers a deeper understanding of risk, risk reporting, risk monitoring, and continuous monitoring.
Note that the CISA and CISM, like the CISSP, are professional certs that one obtains after gaining years of InfoSec work experience. People tend to misjudge these certs as something to help them break into InfoSec-related auditing or management, but they are not.