CISSP vs CISM – Why Am I Doing This?

Do you know that more than 850 people search for the exact term "CISSP vs CISM" every month?
That’s over 10,000 people every year… facing this same issue, trying to decide the next step of their life.

This is a very big question for anyone looking for better opportunities, and if you are reading this CISSP vs CISM blog post, I can understand where you are coming from.

  • Maybe you just want to start your career
  • Maybe you are trying to change your job
  • Maybe you are just getting bored and want a promotion
  • Maybe you already have one of these and are looking for more

There are so many MAYBEs here, but don’t worry. I have done my homework and this post will satisfy you in full.

P.S. In case you are not satisfied with it, just let me know and I will personally take you on a phone call and help you decide your career for free.

The Email I Sent…

If you are a regular reader, you will know by now that if I write something, I do my due diligence first. I do my homework, and this Sunday, on 3rd May 2020, I sent an email to my whole list of over 50K people who are working in this industry, asking them the same question and their views.

A lot of them replied with detailed responses. It was very hard to read all of them and select specific responses. But that’s what I love to do!!!

I spent over a full day reading those awesome emails and I selected a few for you… Throughout this post, I will keep including these people’s responses.

Before we start… let me complete my due care and give a disclaimer… lol

Disclaimer: All the comments made by me and the mentioned people are their personal opinions, and no one is professionally commenting or giving you career guidance here. You will not have any authority to question or put any claim on any party related to this post in any way for their comments.

Let’s Dive In!!!


The Core Differences Between CISSP vs CISM

If you want a short explanation: CISSP is more TECHNICAL and OPERATIONAL, whereas CISM is more focused on GRC and hence is more EXECUTIVE and MANAGERIAL.

Haha, didn’t like that, did you?
That’s why I am going to write a long post now. That’s where all the fun lies: understanding the concept in depth, so you can make the right decision. After all… spending 10 minutes here will be the most valuable 10 minutes you ever spend on the internet!

I would like to start with comments from my various students.

“In my opinion both complement each other. CISSP has a much more technical syllabus and it is good in fixing processes and reducing risk, whereas CISM is about people who build a security program and align it with business goals. Both certs are award winners and dumps do not work with them! The CISSP exam is more difficult than CISM as it has many more subjects and you need to score 70 in all 8 domains.”

– Ali Mustafa, ISACA Baghdad Chapter President

As you can see, Ali started by saying they both complement each other. Both are award-winning certifications and dumps don’t work on either. Hmmm… since the day CISM became an online proctored exam, I would not agree with his last line about dumps. But yes, they both are prestigious.

“I think people hold CISSP in higher esteem than CISM. CISM just helps to get managerial roles in companies, but CISSP takes you higher, to the CISO level and beyond.”

– Alfred Atsunyo, Confidential

Ok, so Alfred talks about the value… CISSP is better. You want to be a CISO? CISSP is your best shot.

“I think they are similar. CISSP is definitely well publicized and most people in America know about CISSP. According to Cyberseek, CISSP has more openings than any other certification, so the standards are high.

That notwithstanding, CISM also has some relevance. The domains are geared more towards management than engineering.”

– Edmond Sarpong, US Navy

Here you see something interesting: CISSP has more job opportunities and it is more recognized.

“Both are very good certificates.

  • CISSP is technical and operational and is geared towards practitioners. There are more CISSP jobs. Many infosec management jobs do require CISSP.
  • CISM is geared more towards security managers/directors. People usually get a CISM after a CISSP. It also requires management experience.

If the long-term goal is being a CISO, then CISSP > CISM > CCISO is a good path.”

– Jacob Vurusgese, BAE Systems Inc.

Here you go, Jacob hit it straight on the point. CISSP is technical and operational. Because, you see, the CISSP domains include everything from networking and security operations to cryptography and incident management, whereas CISM is more on the executive and managerial side, focusing on GRC and program management.

“I strongly believe that they are both complementary. My personal view is that CISSP stands alone: it covers eight modules while CISM is four modules. CISA + CISM = CISSP. CISM is focused more on management of enterprise IT and is manager-focused, while CISSP is very wide but not very deep. It is concept-driven and analytic, so it’s complementary. CISSP is recommended for security analysts and engineers.”

– Pastor Nicholas, Zensar Technologies

Though I don’t really agree with Pastor Nicholas on the CISA + CISM = CISSP theory, he is correct that CISSP goes deeper and has a wider scope.

I will talk more on this in a few minutes.


A Quick Interview With Marco Essomba

Being so obsessed with this topic, I even reached out to my friend Marco Essomba to do a small interview and ask a few questions.

For those who don’t know who Marco is… start being in the industry!
He is the founder of the famous BLOCKAPT platform leading the SOAR technology space, and an authority in information security whose expert advice is frequently featured in top magazines and publications including Forbes, ComputerWeekly, Teiss and SCMagazine.

I have been working with Marco for more than a year now, and he is so generous that I sent a message and he was on this interview the next minute. Here are two questions I want to bring out.

Question. Which One Should You Do If You Can Only Do CISSP or CISM?
CISSP, because it is much more widely known and also the curriculum of CISSP is well documented & understood. For that reason, in terms of ‘perceived’ value it is better…

Question. Should You Do CISM After CISSP?
Absolutely. CISM is well recognized for senior infosec management-level roles, so having both CISSP & CISM gives a higher depth & broad understanding of InfoSec, and also shows the CISM understanding & that you can communicate with higher InfoSec stakeholders. CISSP will give you a better immediate boost to get started. Then another bigger boost with CISM for higher-level careers.

To back Marco, I asked the same question of my friend Wentz Wu, and here is his response…

“I highly recommend CISSPs to get CISM. CISM solely focuses on information security governance. It is equivalent to CISSP-ISSMP.”

– Wentz Wu, Founder of Effective CISSP


So, Which One Should You Do? – My Expert Opinion

It is absolutely clear that CISM gives you the best advantages if you use it as leverage on top of your CISSP. CISM would be an advantage if you are looking for CISO or Head of Security kinds of positions.

CISSP will act as a base for you, giving you inch-deep knowledge on every topic you can think of, and CISM will give you a clear governance and stakeholder management skillset.

I must write that there are many people who have already achieved CISM and now might be thinking about getting a CISSP. In this situation, my simple answer is to actually look at your current position, the requirements of your organization, your personal goals, and your core focus.

A CISM holder may choose not to go for CISSP and rather decide to go into certifications like PMP and ITIL, to get a better understanding of, and the capabilities for, a CIO role.


Which One Is Easier? – The Learning Curve

Some people will argue with the claim that CISSP is harder than CISM; however, I strongly believe it is. It’s simply because of the amount of knowledge you need and the number of terms you need to memorize for CISSP as compared to CISM.

“CISSP is tough enough to pass and the course content is used everywhere. If someone has passed CISSP, for him CISM is not difficult; he or she will easily pass CISM within 15 to 1 month.” – Lingaraj Nahak, Vodafone India.

CISM has a limited but focused scope:

  • Security Governance
  • Risk Management and Compliance
  • Security Program Development
  • Security Program Management
  • Incident Management

Whereas CISSP literally covers everything:

  • Risk Management
  • Asset Security Management
  • Security Engineering
  • Networking
  • IAM
  • Penetration Testing and Security Assessment
  • Managing Security Operations
  • Security Related To SDLC

As you can clearly see, CISSP basically asks you EVERYTHING, whereas CISM only asks you specifically about GRC and program management skills. There is just nothing technical in it.

People say CISSP is managerial… Not at all. CISSP is a very technical subject as well.

Salary Insights on CISM vs CISSP – Real Numbers!

Before I even mention these numbers, it is important to understand their context.

  • I am not talking about any AVERAGE SALARY; I am talking about the top salaries of people I personally know, and by now you should already have an idea that I know a lot… no seriously, a lot of people.
  • I am not going to reveal their identities due to NDA; however, I will give you basic insights, which should be enough for you to make the decision.

For a CISSP, you will find a big mix of salary structures. The highest packages earned by people I personally know are as follows.

  • India – $76K with an experience of 18+ years. 
  • UK – $132K + LUXURIOUS PERKS as a CXO with an experience of 15+ years.
  • US – $110K at an Executive Position with experience of 15+ years

For a CISM, you will find that people don’t really have that good a salary structure. Those who have top salary numbers already have a CISSP to back their CISM. Since I am only giving you numbers for people who have ONLY CISM and not CISSP, this is the list.

  • India – $30K with an experience of 5+ years. 
  • UK – $75K with an experience of 3+ years.
  • US – $90K with experience of 7+ years

It must be noted that the comparison is not fair, since the CISSP holders have an average of 15 years’ experience whereas the CISM holders have an average of 5 years. – Me Myself!

But this is the reality. You won’t easily find people who have 20 years of experience and hold only CISM and no CISSP. Even if you do, they have other top certs like PMP giving them that leverage.

Here is one more comparison for reference.

For CISM with other certs like CISSP or PMP:

  • India – $62K at Executive Position with an experience of 25+ years. 
  • UK – $160K at Executive Position with an experience of 22+ years
  • US – $145K at Executive Position with an experience of 25+ years

It is so amazing to see all these CISM holders working in executive positions, and this fact can be easily understood from our talk above on the learning curve.

Final Words – The Conclusion, hmmm

I want to thank you for reading this far and hope I was able to do proper justice to this topic. It is absolutely clear that if you are looking to start your journey, CISSP is a definite yes! And the good news is that you can start with CISSP MasterClass™ and pass this exam within 5 weeks.

But if you already have it, just go ahead and get a CISM for yourself. It will help you grow further. I am not the best trainer on CISM; however, my friend is. I can definitely help and introduce you to him. Maybe just book a free consulting call with me and let’s plan out the best way for you – Book Now! >>>


P.S. Would you mind sharing this post on your social media so that it may help other people as well?
They will thank you for such good content, so just hit that share button below.