Home > Test Pass Academy Blog > Reading Post: Should I take the CISA or CISM Certification Exam?

Should I take the CISA or CISM Certification Exam?

JUNE 20, 2014

Which certification is better for my career or holds more weight?

Let us start off by saying these certifications are for 2 different groups of people. The CISA, which stands for Certified Information Systems Auditor is for IT auditors. The CISM, which stands for Certified Information Security Manager is for IT security managers. They are both part of ISACA's certification program, but that is really the only similarity.

Who is the CISM for?

In our years as an Information Security Training Company we get many requests from attendees who are looking to fulfill the Department of Defense .8570 requirements. The CISM focuses on information risk management as the basis of information security and is intended for those who manage designs, and oversee and assess an enterprise’s information security.

The CISM fits in the DoD Information Assurance Management Level Category and meets the certification requirement for the top 2 levels, level 2 and 3 for this category. If you need to be certified in the top level, which is level 3, then the CISM would do the trick. As a side note, the CISSP is also in this category and meets Management level 3.

Who is the CISA for?

We do see requests from the Department of Defense Contractors for the CISA, but for the most part we see people from Corporate America seeking this certification. The CISA has been around for well over 30 years and is the premier certification for IT systems auditors who audit, control, monitor and assess. In terms of people who became certified, the CISA well out weights the CISM in terms of numbers.

In terms of Department of Defense .8570 requirements the CISA fulfills Information Assurance Technical Level 3, which is the highest level. In 2011, the CISA examination underwent a significant update and was revised from 6 domains down to 5. As another side note, the CISSP is also in this category and meets Technical Level 3.

CISM vs. CISA Exam Objectives

As you can see below, the CISM and CISA will test an individual on different exam objectives. Remember CISA is for the hands-on auditor, while the CISM is for Management level.

CISM Exam Domains:
Domain 1 - Information Security Governance
Domain 2 - Information Risk Management
Domain 3 - Information Security Program Development and Management
Domain 4 - Information Security Incident Management

CISA Exam Domains:
Domain 1—The Process of Auditing Information Systems
Domain 2—Governance and Management of IT
Domain 3—Information Systems Acquisition, Development and Implementation
Domain 4—Information Systems Operations, Maintenance and Support
Domain 5—Protection of Information Assets

In Summary

The CISA and CISM are both higher level certifications and require experience just to be able to take the exam. You will be thoroughly tested on each of the domains as listed by the certification above. If you audit, control, monitor and assess an organization’s information technology and business systems the CISA is the path for you.

If you focus on information risk management issues such as: how to govern information security as well as on practical issues such as developing and managing an information security program and managing incidents the CISM is best suited for you.

As you probably noted we mentioned the CISSP in both the CISM and CISA categories. If you already have your CISSP and are looking for another higher level certification the CISM or CISA would complement it nicely. Although we see a lot more job descriptions asking for the CISSP and CISM together versus the CISSP and CISA together.