CISSP vs CISM, CISA and CRISC

If you’re interested in pursuing a career in cybersecurity, then you’ve made a great choice! Skilled information security professionals are in high demand and are likely to remain so in the future, so the field offers solid financial benefits. According to the 2018 IT Skills and Salary Report from Global Knowledge, 41 percent of employers in the U.S. report that finding qualified cybersecurity professionals is one of their top challenges, and certified individuals earn an average of 22 percent more than their non-certified counterparts.

There are two clear, globally recognized leaders in cybersecurity certification: ISACA and (ISC)². (ISC)²’s pinnacle certification is the Certified Information Systems Security Professional (CISSP), while ISACA offers three security-related certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC).

All of these certifications target professionals with at least five years of professional work experience, all of them require ongoing training to maintain the credential, and all of them command similar respect and salaries. So, which ones will have the most value for you? To help you decide, let’s take a close look at each of them.

(ISC)2: Certified Information Systems Security Professional (CISSP)

Quick Facts

Founded in 1989, (ISC)²is one of the world’s largest IT security and cybersecurity membership organizations. It provides its members and the industry with security standardizations, education and certifications. Launched in 1994, the CISSP was the first credential offered by (ISC)², today, it is the pinnacle credential in the (ISC)² certification program. There are over 140,000 CISSP certified security professionals worldwide. The credential is consistently sought after by employers; an informal job search on SimplyHired turned up almost 9,700 job postings that requested CISSP, compared to 4,511 for CISA and 3,004 for CISM.

The CISSP credential targets security professionals across a broad spectrum of roles, including mangers, practitioners and executives. CISSPs possess the skills necessary to design, architect, implement, control and maintain cybersecurity programs for their organization. Typical roles include CIO, CISO, security director, security architect, network architect, IT director, IT manager, security analyst, auditor, consultant, and systems engineer.

In addition to the base CISSP credential, the CISSP is available in three additional concentrations:

Information Systems Security Architecture Professional (CISSP-ISSAP)
Information Systems Security Engineering Professional (CISSP-ISSEP)
Information Systems Security Management Professional (CISSP-ISSMP)

Earning the Credential

Earning the CISSP is not easy. Qualified candidates must:

Have at least five years of paid work experience in at least two of the eight CISSP Common Body of Knowledge (CBK) domains (listed below)
Pass the CISSP exam ($699)
Agree to the (ISC)² Code of Ethics
Be endorsed by an (ISC)² professional within nine months of passing the exam

The current CISSP CBK domain are:

Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security

Determined to pass the CISSP exam? Netwrix blog has something special for you. Here are seven great tips from a CISSP-certified pro for how to pass CISSP exam on your first attempt. Also, check out these handy study guides and training materials for CISSP certification. And finally, assess your readiness with the help of our CISSP practice exam.

Maintaining the Credential

The CISSP is valid for three years. An annual fee of $85 is required. To recertify, CISSPs must either take the current exam or earn 120 continuing professional education (CPE) credits (a minimum of 40 credits must be earned each year). Learn more about the CISSP exam changes effective April 2018.

Benefits

In the 2017 (ISC)² Global Information Security Workforce Study, respondents holding the CISSP certification reported an average annual salary of $120,000. SimplyHired reports average earnings as $66,078, with salaries topping out at $127,071. The 2018 Global Knowledge report pegs the average U.S. salary at $109,965, placing the CISSP in the number one spot among cybersecurity credentials.

ISACA Certifications

Quick Facts

Founded in 1969, the Information Systems Audit and Control Association (ISACA) is a globally recognized and highly respected organization with over 140,000 members in 180 countries. ISACA offers four credentials aimed at different IT pros:

Certified Information Systems Auditor (CISA) — Auditors
Certified Information Security Manager (CISM) — Security managers
Certified in Risk and Information Systems Control (CRISC) — Risk management professionals
Certified in the Governance of Enterprise IT (CGEIT) — Governance professionals

Here we will focus on the first three of these credentials; enterprise governance is beyond our scope.

Earning the Credential

All candidates must

Meet the stringent experience requirements detailed below
Pass the associated exam ($575 for ISACA members; $760 for non-members); exams are offered only three times a year, so candidates should apply well in advance
Agree to the Code of Professional Ethics and Continuing Professional Education Program
Meet additional requirements as detailed below

Maintaining the Credential

ISACA credentials are valid for three years. An annual maintenance fee ($45 for ISACA members, $85 for non-members) is also required. To renew, credential holders must earn 120 CPE credits, with at least 20 CPEs earned annually.

CISM

A good way to understand CISM is to compare it CISSP. Although both certifications cover cybersecurity and managerial concepts, CISSP focuses on the operational side of security and its technical aspects, while CISM is designed around the strategic side of security and its relations to business goals.

Specifically, CISM is designed for information security managers, targeting individuals who assess, design, manage and oversee information security environments on an enterprise level. Candidates should also possess a thorough understanding of available technologies and how to implement them in their organization. The CISM certification validates a candidate’s skill and knowledge across four domains:

Domain 1: Information Security Governance
Domain 2: Information Risk Management
Domain 3: Information Security Program Development and Management
Domain 4: Information Security Incident Management

According to ISACA, there are more than 32,000 CISM credential holders worldwide with over 7,500 working as security directors or managers and another 3,500 working as IT directors or managers. Other common CISM roles include IS/IT consultants, CIO, risk management professionals, and enterprise leadership roles.

To take the CISM exam, candidates possess a minimum of five years of experience working in information security, three of which must be in at least three of the listed domains. All experience must be obtained within the preceding 10-year period to qualify. Exam scores are voided if the experience requirement is not met within five years of passing the exam. Some substitutions are allowed to meet the experience requirement depending on other certification held and education.

Global Knowledge reported CISM certified professionals in the US earn an average of $105,926 annually, which puts it in the number six slot globally in terms of certification earning potential.

CISA

The CISA credential targets IT professionals working in governance and audit-related roles. Typically, CISA professionals hold roles such as IS or IT auditor or audit manager, non-IT auditor, and consultant. You’ll also find many CISA professionals engaged in governance, assurance, security, audit control and enterprise leadership roles.

The CISA certification validates a candidate’s knowledge and ability to assess, control, audit, and perform ongoing monitoring of an enterprises IT business systems. Required skills are reflected in the five CISA job practice domains:

Domain 1: The Process of Auditing Information Systems
Domain 2: Governance and Management of IT
Domain 3: Information Systems Acquisition, Development and Implementation
Domain 4: Information Systems Operations, Maintenance and Service Management
Domain 5: Protection and Information Assets

To earn the credential, candidates need to possess a minimum of five years of professional work experience auditing, controlling or securing information systems (some substitutions may be allowed for education) and pass the CISA exam. The CISA study process may include attending CISA review classes, enrolling in an online course, or using software, review manuals and study guides. After passing the exam, candidates must also comply with the Information Systems Auditing Standards.

According to the Global Knowledge report, CISA salaries rank number 13, with an average U.S. salary of $97,117.

CRISC

The CRISC credential specifically targets professionals who work with IT risk management at the enterprise level. Typical CRISC candidates include CIOs/CISOs, business analysts, project managers, as well as IT professionals engaged in risk management, control and assurance activities, and compliance.

The CRISC job domains are:

Domain 1: IT Risk Identification
Domain 2: IT Risk Assessment
Domain 3: Risk Response and Mitigation
Domain 4: Risk and Control Monitoring and Reporting

CRISC requirements include a minimum of three years of work experience in information security program management in two or more of the CRISC job domains, including either Domain 1 or 2. This experience must be obtained in the 10 years preceding the application or within five years of passing the exam.

In the Global Knowledge report, the CRISC certification was second only to the CISSP in terms of reported earnings with average US earnings reported at $107,968.

CISSP, CISM, CISA and CRISC at a Glance

	CISSP	CISM	CISA	CRISC
Focus	IT security and cybersecurity	Information security	Audit	Risk management
Typical roles	CIO CISO Security Director Security Architect Network Architect Security Manager Auditor Analyst Systems Engineer Consultant IT Director	InfoSec Manager CIO Enterprise Leadership Risk Manager	IT Auditor Consultant Security Professional Audit Manager Non-IT Auditor	CIO CISO Security Director Security Manager System Engineer Security Analyst Security Manager Security Auditor Network Architect Enterprise Leadership Control Professional Risk Professional Business Analyst Compliance Pro Control and Assurance Pro
Domains	Security and Risk Management Asset Security Security Architecture and Engineering Communication and Network Security Identity and Access Management (IAM) Security Assessment and Testing Security Operations Software Development Security	InfoSec Governance Risk Management Security Program Development and Management Security Incident Management	Process of Auditing Information Systems IT Governance and Management InfoSec Acquisition, Development and Implementation InfoSec Operations, Maintenance and Service Management InfoSec Operations, Maintenance, and Service Management Protection of Information Assets	IT Risk Identification Risk Assessment Risk Response and Mitigation Risk and Control Monitoring and Reporting
Experience	5 years	5 years	5 years	3 years
Number of exams	1	1	1	1
Exam fee	$699	$575/Member $760/Non-member	$575/Member $760/Non-member	$575/Member $760/Non-member
Annual fee	$85	$45 members; $85 non-members	$45 members; $85 non-members	$45 members; $85 non-members
Valid for	3 years	3 years	3 years	3 years
CPEs for recertification	120 total; at least 40 each year	120 total; at least 20 per year	120 total; at least 20 per year	120 total; at least 20 per year
Average salary *	$109,965	$105,926	$97,117	$107,968

*All salary information obtained from the 2018 IT Skills and Salary Report by Global Knowledge.

The Bottom Line

When choosing between pursuing an ISACA credential like CISA and a CISSP certification, keep the following in mind:

CISSP is a good choice for IT pros from many different disciplines and roles who are interested in pursuing a career in IT security or cybersecurity. It offers the highest average salary of all certifications in the 2018 Global Knowledge report.
CISM is not far behind CISSP in terms of average salary. While CISSP focuses on the operational side of security, CISM targets the strategic side of security and its relations to business goals.
The CRISC certification is second only to the CISSP in terms of reported earnings. It validates your ability to work with IT risk management at the enterprise level.
If your career goals are focused solely on audit-related roles, then the CISA may be the right credential for you.

Mary Kyle

Mary is a freelance writer, content developer, and project manager. She writes articles related to IT certifications, health, and develops content for courses.