Choosing the Right Security Certifications: CISSP vs CISM, CISA and CRISC

If you’re interested in pursuing a career in cybersecurity, then you’ve made a great choice! Skilled information security professionals are in high demand and are likely to remain so in the future, so the field offers solid financial benefits. According to the 2018 IT Skills and Salary Report from Global Knowledge, 41 percent of employers in the U.S. report that finding qualified cybersecurity professionals is one of their top challenges, and certified individuals earn an average of 22 percent more than their non-certified counterparts.

There are two clear, globally recognized leaders in cybersecurity certification: ISACA and (ISC)2. (ISC)2’s pinnacle certification is the Certified Information Systems Security Professional (CISSP), while ISACA offers three security-related certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC).

All of these certifications target experienced professionals (five years of work experience for CISSP, CISM and CISA, three years for CRISC), all of them require ongoing training to maintain the credential, and all of them command similar respect and salaries. So, which ones will have the most value for you? To help you decide, let’s take a close look at each of them.

(ISC)2: Certified Information Systems Security Professional (CISSP)

Quick Facts

Founded in 1989, (ISC)2 is one of the world’s largest IT security and cybersecurity membership organizations. It provides its members and the industry with security standards, education and certifications. Launched in 1994, the CISSP was the first credential offered by (ISC)2; today it is the pinnacle credential in the (ISC)2 certification program. There are over 140,000 CISSP-certified security professionals worldwide. The credential is consistently sought after by employers: an informal job search on SimplyHired turned up almost 9,700 job postings that requested CISSP, compared to 4,511 for CISA and 3,004 for CISM.

The CISSP credential targets security professionals across a broad spectrum of roles, including managers, practitioners and executives. CISSPs possess the skills necessary to design, architect, implement, control and maintain cybersecurity programs for their organization. Typical roles include CIO, CISO, security director, security architect, network architect, IT director, IT manager, security analyst, auditor, consultant and systems engineer.

In addition to the base CISSP credential, CISSP holders can pursue three concentrations:

  • Information Systems Security Architecture Professional (CISSP-ISSAP)
  • Information Systems Security Engineering Professional (CISSP-ISSEP)
  • Information Systems Security Management Professional (CISSP-ISSMP)

Earning the Credential

Earning the CISSP is not easy. Qualified candidates must:

  • Have at least five years of paid work experience in at least two of the eight CISSP Common Body of Knowledge (CBK) domains (listed below)
  • Pass the CISSP exam ($699)
  • Agree to the (ISC)2 Code of Ethics
  • Be endorsed by an (ISC)2 professional within nine months of passing the exam

The current CISSP CBK domains are:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Determined to pass the CISSP exam? The Netwrix blog has something special for you. Here are seven great tips from a CISSP-certified pro on how to pass the CISSP exam on your first attempt. Also, check out these handy study guides and training materials for the CISSP certification. And finally, assess your readiness with the help of our CISSP practice exam.

Maintaining the Credential

The CISSP is valid for three years, and an annual maintenance fee of $85 is required. To recertify, CISSPs must either retake the current exam or earn 120 continuing professional education (CPE) credits over the three-year cycle (a minimum of 40 credits must be earned each year). Learn more about the CISSP exam changes effective April 2018.

Benefits

In the 2017 (ISC)2 Global Information Security Workforce Study, respondents holding the CISSP certification reported an average annual salary of $120,000. SimplyHired reports average earnings of $66,078, with salaries topping out at $127,071. The 2018 Global Knowledge report pegs the average U.S. salary at $109,965, placing the CISSP in the number one spot among cybersecurity credentials. (The figures differ because each source surveys a different population; the Global Knowledge numbers are used for comparison throughout this article.)

ISACA Certifications

Quick Facts

Founded in 1969, the Information Systems Audit and Control Association (ISACA) is a globally recognized and highly respected organization with over 140,000 members in 180 countries. ISACA offers four credentials aimed at different IT pros:

  • Certified Information Systems Auditor (CISA) — Auditors
  • Certified Information Security Manager (CISM) — Security managers
  • Certified in Risk and Information Systems Control (CRISC) — Risk management professionals
  • Certified in the Governance of Enterprise IT (CGEIT) — Governance professionals

Here we will focus on the first three of these credentials; enterprise governance is beyond our scope.

Earning the Credential

All candidates must:

  • Meet the stringent experience requirements detailed below
  • Pass the associated exam ($575 for ISACA members; $760 for non-members); exams are offered only three times a year, so candidates should apply well in advance
  • Agree to the Code of Professional Ethics and Continuing Professional Education Program
  • Meet additional requirements as detailed below

Maintaining the Credential

ISACA credentials are valid for three years. An annual maintenance fee ($45 for ISACA members, $85 for non-members) is also required. To renew, credential holders must earn 120 CPE credits, with at least 20 CPEs earned annually.

  • CISM

A good way to understand CISM is to compare it to CISSP. Although both certifications cover cybersecurity and managerial concepts, CISSP focuses on the operational side of security and its technical aspects, while CISM is designed around the strategic side of security and its relation to business goals.

Specifically, CISM is designed for information security managers, targeting individuals who assess, design, manage and oversee information security environments on an enterprise level. Candidates should also possess a thorough understanding of available technologies and how to implement them in their organization. The CISM certification validates a candidate’s skill and knowledge across four domains:

  • Domain 1: Information Security Governance
  • Domain 2: Information Risk Management
  • Domain 3: Information Security Program Development and Management
  • Domain 4: Information Security Incident Management

According to ISACA, there are more than 32,000 CISM credential holders worldwide, with over 7,500 working as security directors or managers and another 3,500 working as IT directors or managers. Other common CISM roles include IS/IT consultant, CIO, risk management professional and enterprise leadership roles.

To earn the CISM, candidates must possess a minimum of five years of experience working in information security, three of which must be in information security management across at least three of the listed domains. All experience must have been obtained within the preceding 10-year period to qualify. Exam scores are voided if the experience requirement is not met within five years of passing the exam. Some substitutions are allowed toward the experience requirement, depending on other certifications held and education.

Global Knowledge reported that CISM-certified professionals in the U.S. earn an average of $105,926 annually, which puts CISM in the number six slot in the report’s ranking of certifications by earning potential.

  • CISA

The CISA credential targets IT professionals working in governance and audit-related roles. Typically, CISA professionals hold roles such as IS or IT auditor, audit manager, non-IT auditor and consultant. You’ll also find many CISA professionals engaged in governance, assurance, security, audit control and enterprise leadership roles.

The CISA certification validates a candidate’s knowledge and ability to assess, control, audit and perform ongoing monitoring of an enterprise’s IT business systems. Required skills are reflected in the five CISA job practice domains:

  • Domain 1: The Process of Auditing Information Systems
  • Domain 2: Governance and Management of IT
  • Domain 3: Information Systems Acquisition, Development and Implementation
  • Domain 4: Information Systems Operations, Maintenance and Service Management
  • Domain 5: Protection of Information Assets

To earn the credential, candidates need to possess a minimum of five years of professional work experience auditing, controlling or securing information systems (some substitutions may be allowed for education) and pass the CISA exam. The CISA study process may include attending CISA review classes, enrolling in an online course, or using software, review manuals and study guides. After passing the exam, credential holders must also comply with ISACA’s Information Systems Auditing Standards.

According to the Global Knowledge report, CISA salaries rank number 13, with an average U.S. salary of $97,117.

  • CRISC

The CRISC credential specifically targets professionals who work with IT risk management at the enterprise level. Typical CRISC candidates include CIOs/CISOs, business analysts and project managers, as well as IT professionals engaged in risk management, control and assurance activities, and compliance.

The CRISC job domains are:

  • Domain 1: IT Risk Identification
  • Domain 2: IT Risk Assessment
  • Domain 3: Risk Response and Mitigation
  • Domain 4: Risk and Control Monitoring and Reporting

CRISC requires a minimum of three years of work experience performing the tasks covered by two or more of the CRISC job domains, including either Domain 1 or Domain 2. This experience must have been obtained within the 10 years preceding the application or within five years of passing the exam.

In the Global Knowledge report, the CRISC certification was second only to the CISSP in terms of reported earnings with average US earnings reported at $107,968.

CISSP, CISM, CISA and CRISC at a Glance

Focus
  CISSP: IT security and cybersecurity
  CISM: Information security management
  CISA: Audit
  CRISC: Risk management

Typical roles
  CISSP: CIO, CISO, Security Director, Security Architect, Network Architect, Security Manager, Auditor, Analyst, Systems Engineer, Consultant, IT Director
  CISM: InfoSec Manager, CIO, Enterprise Leadership, Risk Manager
  CISA: IT Auditor, Consultant, Security Professional, Audit Manager, Non-IT Auditor
  CRISC: CIO, CISO, Security Director, Security Manager, Systems Engineer, Security Analyst, Security Auditor, Network Architect, Enterprise Leadership, Control Professional, Risk Professional, Business Analyst, Compliance Professional, Control and Assurance Professional

Domains
  CISSP: Security and Risk Management; Asset Security; Security Architecture and Engineering; Communication and Network Security; Identity and Access Management (IAM); Security Assessment and Testing; Security Operations; Software Development Security
  CISM: Information Security Governance; Information Risk Management; Information Security Program Development and Management; Information Security Incident Management
  CISA: The Process of Auditing Information Systems; Governance and Management of IT; Information Systems Acquisition, Development and Implementation; Information Systems Operations, Maintenance and Service Management; Protection of Information Assets
  CRISC: IT Risk Identification; IT Risk Assessment; Risk Response and Mitigation; Risk and Control Monitoring and Reporting

Experience required
  CISSP: 5 years
  CISM: 5 years
  CISA: 5 years
  CRISC: 3 years

Number of exams
  CISSP: 1
  CISM: 1
  CISA: 1
  CRISC: 1

Exam fee
  CISSP: $699
  CISM: $575 (ISACA member) / $760 (non-member)
  CISA: $575 (ISACA member) / $760 (non-member)
  CRISC: $575 (ISACA member) / $760 (non-member)

Annual maintenance fee
  CISSP: $85
  CISM: $45 (ISACA member) / $85 (non-member)
  CISA: $45 (ISACA member) / $85 (non-member)
  CRISC: $45 (ISACA member) / $85 (non-member)

Valid for
  CISSP: 3 years
  CISM: 3 years
  CISA: 3 years
  CRISC: 3 years

CPEs for recertification
  CISSP: 120 total; at least 40 each year
  CISM: 120 total; at least 20 each year
  CISA: 120 total; at least 20 each year
  CRISC: 120 total; at least 20 each year

Average U.S. salary *
  CISSP: $109,965
  CISM: $105,926
  CISA: $97,117
  CRISC: $107,968

*All salary information obtained from the 2018 IT Skills and Salary Report by Global Knowledge.

The Bottom Line

When choosing between pursuing an ISACA credential like CISA and a CISSP certification, keep the following in mind:

  • CISSP is a good choice for IT pros from many different disciplines and roles who are interested in pursuing a career in IT security or cybersecurity. It offers the highest average salary of all certifications in the 2018 Global Knowledge report.
  • CISM is not far behind CISSP in terms of average salary. While CISSP focuses on the operational side of security, CISM targets the strategic side of security and its relation to business goals.
  • The CRISC certification is second only to the CISSP in terms of reported earnings. It validates your ability to work with IT risk management at the enterprise level.
  • If your career goals are focused solely on audit-related roles, then the CISA may be the right credential for you.
