A reader recently asked me about the CISM versus the CISSP. Specifically, he asked, “How hard is the CISM for someone who passed the CISSP?”
Having earned both certs (and a few more besides), and having written study guides for both, I felt qualified to help this individual. My answer follows.
CISM is much heavier on security management and risk management than CISSP. You’ll have to study these topics, and the business side of information security. To paint with a broad brush, you could say that CISM is for CISOs while CISSP is for security engineers. That, in essence, is the distinction.
Oh, and there’s a great study guide out for the CISM: https://www.amazon.com/Certified-Information-Security-Manager-Guide-ebook/dp/B079Z1J87M
I passed my CISSP almost 20 years ago while I was still a hands-on technologist. I studied for my CISA two years later. I learned through my ISACA CISA study materials (provided by my employer) that ISACA has a vastly different vocabulary for infosec than does (ISC)2. Think of it as a business perspective versus an engineering perspective. Both are right, both are valid, both are highly valued in the employment market. But they are different. Master both, and you’ll be a rare treasure.
Study guides for CISSP:
Study guides for CISM: