CISSP is aimed at the operational side of IT security, while CISM focuses on the strategic side. CISSP is better suited to hands-on professionals, while CISM is suited to professionals who manage IT security. CISM engages with IT governance frameworks and operates at a higher level than CISSP. CISSP has 10 domains, while CISM has nearly half that number.
Though CISSP also covers laws and acts such as SOX and GLBA, it says nothing about risk management methodologies such as COBIT and OCTAVE, business scorecards, or process maturity measurements (CMMI). That is because CISSP is tactical, while CISM is strategic.
CISM covers the roles and responsibilities of senior management within an IT governance framework, including value delivery, strategic alignment, resource utilization, business process assurance, and performance measurement.
CISM focuses on information security, while CISSP focuses on IT security, which is a subset of information security. Which of these certifications is better for you depends entirely on your ultimate career goals.
Both CISSP and CISM are ANSI accredited under ISO/IEC 17024 (PMP, CISA, and CPP are also accredited, while CGEIT is not yet accredited). Holding both CISSP and CISM can be valuable for certain individuals. For those planning to earn both, it makes sense to take CISSP first and then CISM.