CISM or CISSP? Not able to decide? We will help you....


Let us first see the course content of each of the certifications....

Certified Information Security Manager (CISM)

  • Information Security Governance
  • Information Risk Management
  • Information Security Program Management and Development
  • Information Security Incident Management

The exam contains 150 multiple-choice questions (4 options each) to be answered in 4 hours. There are no negative marks for wrong answers. ISACA converts the correct answers to a scaled score from 200 to 800. To pass, a candidate must score a minimum of 450.

You also need a minimum of 5 years of information security related experience, obtained within the 10 years prior to or 5 years after passing the exam. Cumulative experience is accepted. Waivers are considered for a maximum of 2 years. You can visit the ISACA official site for waiver details.

Certified Information Systems Security Professional (CISSP)

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

In the CISSP CAT format, the student will see a minimum of 100 questions and a maximum of 150, with a three-hour time limit. Of the first 100 questions, only 75 are graded and count towards your score. The 25 ungraded questions are not marked and are interspersed throughout the exam.

You get one chance to view a question and provide an answer. You cannot revisit previous questions. Although it is not stated, a skipped question is likely marked as incorrect. Therefore, guessing is still a better strategy than skipping. You should always attempt to eliminate answer options from consideration, then select your answer from the remaining options.

CISM or CISSP: which is better for you?

If you are in information security, or planning to move into information security with 0 to 4 years of experience, the better choice would be to do the CISSP. It is not uncommon to see both certifications being pursued. Long-term goals also play a factor here. If you want your career to progress towards CISO or a more governance-oriented role, CISM would be an ideal certification.

If you are planning your career as an infosec engineer, then the CISSP would be enough. The better strategy, however, would be starting with the CISSP and then moving towards the CISM. This way you have both hands-on infosec experience and the managerial traits to become a CISO.