CISM and CISA are meant for people on different career paths. The CISM is for IT security managers and information risk managers, while the CISA is for IT auditors. In this article, we’ll look at the differences between the two certifications and why someone would choose one over the other.
The CISM is an intermediate-level, or higher, qualification for those wanting to excel in information risk management and information security management.
The CISA is a premier IT systems auditor credential recognized globally.
Both certifications require that candidates must have at least five years of relevant experience. A CISM candidate must have 5 years of experience, with 3 of those being directly related to information security management. The CISA, however, allows partial waivers, often as a result of university education.
While the CISA is for auditors, and specifically for those who practice their art, the CISM is not for practitioners. ISACA describes the CISM as being for individuals who have progressed beyond being a practitioner, and who have moved on to the management of an enterprise’s information security program.
In short, the CISM is for managers of hands-on information security specialists, while the CISA is for hands-on auditors.
Companies want CISM-certified individuals when the role involves information security management, disaster planning, information risk management, enterprise architecture, and business continuity.
Job descriptions often involve project or program management, information assurance, development of policies and standards, and assuring compliance. CISM holders must have a security background in areas such as systems hardening or perimeter and network security.
Companies want CISA-certified individuals when the role involves IT auditing, controls, and information security.
Job descriptions often involve accounting, finance, regulatory compliance, and is most often simply auditing of IT infrastructure. Regarding regulatory compliance, the CISA holder may audit HIPAA, SOX, NIST, GLBA, or FISMA.
CISM and CISA
Companies wanting one certification will often also ask for the other. This could be problematic for interviewees, but having both certifications will solve this problem, while qualifying you for a wider range of positions.
Certified individuals know their own qualifications best and will easily be judged by matching experience against a job. Everyone will also better understand how experience and knowledge fit a job’s responsibilities during an interview.
The two certifications target different professionals, with the CISA being for IT auditors, and the CISM for information risk managers and IT security managers. It is clear to see the CISA and CISM are different and should be seen as such.