Difference Between CISSP and CISM


CISSP and CISM are two of the most widely sought-after certifications in information security. Both are built around a common body of knowledge for information security professionals and managers worldwide, and both are approved certifications under the U.S. Department of Defense Information Assurance Workforce Improvement Program.

What is CISSP?

CISSP (Certified Information Systems Security Professional) is an information security certification governed by (ISC)2 (International Information Systems Security Certification Consortium), an independent, non-profit body. (ISC)2 was formed in 1988 by several organizations that the SIG-CS (Special Interest Group for Computer Security) of the DPMA (Data Processing Management Association) brought together to create a standardized, vendor-neutral information security certification program. As of July 2010, more than 60,000 members in 134 countries held the CISSP certification. The U.S. Department of Defense (DoD) recognizes CISSP as a baseline certification for its IAT (Information Assurance Technical) and IAM (Information Assurance Managerial) workforce categories. CISSP is also a prerequisite for the ISSEP (Information Systems Security Engineering Professional) concentration, which (ISC)2 developed with the U.S. NSA (National Security Agency).

CISSP covers a wide range of information security subject matter. The exam is based on what (ISC)2 calls the Common Body of Knowledge (CBK), a taxonomy of information security topics intended to be usable by practitioners around the world. At the time of writing, the CBK was organized into ten domains, such as Access Control and Application Development Security (the domains are periodically revised, so the current list should be checked against (ISC)2's published outline). All of the domains are framed around protecting the three properties of the CIA triad: confidentiality, integrity and availability.

What is CISM?

CISM (Certified Information Security Manager) is a certification aimed at managers in the field of information security, awarded by ISACA (Information Systems Audit and Control Association). To be certified, a candidate must pass the examination and have at least five years of information security work experience, of which a minimum of three years must be in information security management. CISM is intended to define a common body of knowledge for information security managers worldwide. Its foundation is information risk management, and it also covers broad topics such as information security governance, the development and management of an information security program, and incident management. The certification's central viewpoint is information security management driven by business needs and grounded in industry best practices.

CISM is commonly pursued by people who already hold CISSP or CISA, in part because its content overlaps with the ISSMP (Information Systems Security Management Professional) concentration from (ISC)2. CISM became an approved certification for the Information Assurance Workforce Improvement Program in 2005. The five areas examined by CISM are information security governance, information risk management, information security program development, information security program management, and incident management.

What is the difference between CISSP and CISM?

Although both CISSP and CISM examine information security topics, they differ in scope, audience and governing body. CISSP, governed by (ISC)2, tests a broad technical and managerial body of knowledge across the CBK domains, whereas CISM, governed by ISACA, concentrates on information security management: governance, risk management, program development and management, and incident management. Both require at least five years of information security experience, but CISM additionally requires that a minimum of three of those years be in information security management.