23 Aug

CISM, CISA & CRISC – WHICH CERTIFICATION TO TAKE?

If you've set your sights on a career in cybersecurity, you've made a prudent decision. Demand for skilled information security professionals is strong and is expected to remain so for the foreseeable future, with considerable financial rewards. According to the 2018 IT Skills and Salary Report by Global Knowledge, 41 percent of U.S. employers report difficulty finding qualified cybersecurity professionals, and certified professionals earn on average 22 percent more than their uncertified peers.

Globally, two organizations stand out as leaders in cybersecurity certification: ISACA and (ISC)2. The flagship (ISC)2 credential is the Certified Information Systems Security Professional (CISSP), while ISACA offers three certifications in the security domain: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC).

All of these certifications are aimed at professionals with at least five years of work experience in the field. So how do you decide which one suits you best? To help with that decision, the sections below examine each certification in turn.

ISACA Certifications: Key Points at a Glance

Established in 1969, the Information Systems Audit and Control Association (ISACA) is globally recognized and well regarded, with more than 140,000 members across 180 countries. ISACA offers four distinct credentials, each aimed at a different group of IT professionals:

  1. Certified Information Systems Auditor (CISA) – Geared towards auditors.
  2. Certified Information Security Manager (CISM) – Targeting security managers.
  3. Certified in Risk and Information Systems Control (CRISC) – Designed for risk management professionals.
  4. Certified in the Governance of Enterprise IT (CGEIT) – Primarily for governance professionals.

Acquiring the Credential
All candidates are required to:

  • Fulfill rigorous experience prerequisites outlined below.
  • Successfully pass the relevant exam (priced at $575 for ISACA members; $760 for non-members). Exams are available three times annually, necessitating early application.
  • Commit to the Code of Professional Ethics and Continuing Professional Education Program.
  • Meet any additional requirements described in the sections below.


Maintaining the Credential
ISACA certifications remain valid for three years. An annual maintenance fee ($45 for members, and $85 for non-members) is obligatory. To renew the credential, holders must accumulate 120 Continuing Professional Education (CPE) credits, with a minimum of 20 CPEs earned per year.

CISM

Comparing CISM with CISSP helps clarify what CISM covers. Both certifications address cybersecurity and management, but CISSP focuses on the operational and technical dimensions of security, whereas CISM centers on security's strategic dimension and its alignment with business objectives.

Designed specifically for information security managers, CISM targets individuals who assess, design, manage, and oversee enterprise-level information security environments. Candidates should have a thorough understanding of the available technologies and how they are implemented within their organization. The CISM certification attests to a candidate's expertise across four domains:

  1. Information Security Governance
  2. Information Risk Management
  3. Information Security Program Development and Management
  4. Information Security Incident Management

To sit the CISM exam, candidates must have a minimum of five years of experience in information security, with three years spent in at least three of the designated domains. All experience must have been gained within the past ten years to qualify. Exam results are voided if the experience requirement is not met within five years of passing the exam. Certain substitutions are permitted toward the experience requirement, depending on other certifications held and education.

CISA

The CISA credential is intended for IT professionals in governance and audit-related roles. Common roles for CISA-certified professionals include IS/IT auditors, audit managers, non-IT auditors, consultants, and those involved in governance, assurance, security, audit control, and enterprise leadership.

CISA certification validates a candidate's ability to evaluate, manage, control, and continually monitor enterprise IT business systems. The required proficiencies are set out in the five CISA job practice domains:

  1. The Process of Auditing Information Systems
  2. Governance and Management of IT
  3. Information Systems Acquisition, Development, and Implementation
  4. Information Systems Operations, Maintenance, and Service Management
  5. Protection of Information Assets

To earn the credential, candidates must have a minimum of five years of professional experience in auditing, controlling, or securing information systems (with some allowances for education) and pass the CISA exam. Preparation for the CISA exam may include attending review classes, enrolling in online courses, or using software, review manuals, and study guides. After passing the exam, candidates must also adhere to the Information Systems Auditing Standards.

CRISC

The CRISC credential is purpose-built for professionals engaged in enterprise-level IT risk management. Typical CRISC candidates include CIOs/CISOs, business analysts, project managers, and IT professionals involved in risk management, control, assurance, and compliance.

The CRISC job domains encompass:

  1. IT Risk Identification
  2. IT Risk Assessment
  3. Risk Response and Mitigation
  4. Risk and Control Monitoring and Reporting

To be eligible for CRISC certification, you must have at least three years of practical experience in overseeing information security programs across two or more of the CRISC job domains, which must include Domain 1 or 2. This experience must have been gained within the 10 years preceding the application or within five years of passing the exam.

