
CISM vs CISSP: Which Should You Take First in 2026?

13 Jun 2026

CISM and CISSP are the two most recognised senior security credentials, but they measure different things and suit different career trajectories. CISM is ISACA's management-focused award; CISSP spans eight technical and managerial domains under (ISC)2. The right sequencing depends on where you are now and where you are heading - and this guide gives you a straight answer.

CISM first if you manage people and programmes; CISSP first if you need to prove broad technical depth. Either way, the exam rewards candidates who think about risk decisions, not just technical facts.

CISM vs CISSP: key exam facts at a glance. Full detail below.


CISM vs CISSP: The Numbers at a Glance

CISM consists of 150 multiple-choice questions answered in 240 minutes at a PSI testing centre or via remote proctoring. The passing score is 450 out of 800 on ISACA's scaled scoring system. The exam fee is $760 USD for non-members.

CISSP uses Computerised Adaptive Testing (CAT), meaning you will see between 100 and 150 questions depending on how the adaptive algorithm tracks your demonstrated ability. The time limit is 180 minutes, the passing score is 700 out of 1000, and the exam fee is $749 USD. Questions include multiple choice and advanced item types such as drag-and-drop and hotspot. Testing takes place at Pearson VUE authorised centres.

On paper the two exams cost roughly the same and sit at the same professional level. The differences run deeper than the statistics: the domain structures, the question philosophy, and the experience requirements are shaped by two distinct bodies with two distinct ideas of what a security professional needs to demonstrate.

What CISM Actually Tests

CISM has four domains. Information Security Governance carries 17% of the exam, Information Security Risk Management 20%, Information Security Program 33%, and Incident Management 30%. The heaviest domain - the security programme itself - covers resource planning, asset classification, control design and selection, awareness training, and third-party risk. Incident Management covers the full lifecycle from BIA and BCP through eradication and post-incident review.

Notice what is absent: there is no cryptography domain, no network architecture domain, and no software development domain. CISM does not test whether you can configure a firewall or explain the Bell-LaPadula model. It tests whether you can run a security programme, manage resources, report risk to the board, and lead a response when things go wrong.

The question style reflects that. A CISM question typically presents a scenario - a budget decision, a risk treatment choice, a stakeholder communication challenge - and asks what the security manager should do first or which option is most appropriate. The correct answer is almost always the one that aligns with business objectives, follows governance structures, or addresses residual risk in a documented way. Technical implementation detail is rarely the deciding factor.

What CISSP Actually Tests

CISSP covers eight domains with weights spread fairly evenly. Security and Risk Management leads at 16%, followed by Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, and Security Operations at 13% each. Security Assessment and Testing sits at 12%, with Asset Security and Software Development Security each at 10%.

That spread reflects the breadth (ISC)2 expects of a CISSP holder. You need to demonstrate literacy in cryptographic solutions, network segmentation and micro-segmentation, formal security models such as Bell-LaPadula and Biba, supply chain risk management, digital forensics, and secure coding standards. The coverage is genuinely wide.

Despite that breadth, CISSP questions are not purely technical. The widely repeated advice for CISSP candidates is to think like a manager, meaning the exam frequently rewards the answer that manages risk appropriately over the answer that applies the most technically sophisticated control. A question about a discovered vulnerability will often have a correct answer that involves notifying management and following change control before applying a patch - not jumping straight to the fix. That management lens is something CISSP and CISM share, even though CISSP's underlying knowledge base is far wider.

Experience: What Each Credential Expects

Both credentials require documented professional experience, and both organisations verify it.

CISM requires five years of information security work experience, with at least three years in information security management and coverage across three or more of the four CISM practice domains. ISACA does allow waivers of up to two years for holding certain other credentials or completing a relevant graduate degree, bringing the minimum down to three years in specific circumstances. The management experience requirement is firm - you cannot substitute general security work for it.

CISSP requires five years of cumulative paid work experience in two or more of the eight CISSP domains. A four-year degree or an approved credential can waive one year, reducing the requirement to four years in those cases. Candidates who pass the exam before meeting the full experience requirement become an Associate of (ISC)2 and have six years to accumulate the remaining experience before the CISSP is awarded.

Both credentials require ongoing continuing professional education after award - CPE credits on an annual and three-year cycle - to maintain active status. Neither is a pass-once-and-keep-forever credential.

Which to Take First: A Decision by Career Stage

The career stage you are at now matters more than abstract prestige rankings.

If you are a security analyst, engineer, or architect with technical depth and you want a credential that validates broad professional competence to a hiring manager, take CISSP first. The eight-domain structure maps well to technical security careers. The credential is widely recognised in job postings that ask for senior security engineering, architecture, or generalist security roles. The CAT format also means a strong candidate can finish in far fewer than 150 questions.

If you are already in a security management role - managing a team, a programme, or a budget - or you are being promoted into one, take CISM first. The four-domain structure maps directly to what you will do every day: governance decisions, risk reporting to the board, programme oversight, and incident response leadership. ISACA's focus on the manager's decision-making process means the exam preparation itself will make you better at your current job in a way that CISSP preparation may not.

If you are mid-career with a mix of technical and management experience and you are targeting a CISO-track role, the combination of CISSP and CISM is a credible path. Many CISOs hold both. In that case, CISSP is often taken first because it validates the technical foundation, and CISM follows once the management responsibilities and the required CISM experience years are in place. Neither credential requires the other as a prerequisite, but CISSP's broader domain coverage tends to build a solid base for CISM's management-focused questions.

A practical note: if you are currently closer to the start of your career and cannot yet meet the experience requirement for either exam, you can sit the CISSP exam and hold the Associate of (ISC)2 designation while you accumulate the remaining years. ISACA does not offer a comparable associate pathway for CISM.

Which Exam Is Harder?

Candidates who ask which exam is harder usually mean: which requires more preparation time, and which has a higher risk of failing on the first attempt? The honest answer is that it depends on your background.

CISSP's eight-domain breadth means candidates with deep specialisations - say, a network engineer or an application security developer - will have significant gaps to fill. The volume of material is large, and the CAT format means there is no partial credit for domain knowledge you have and no benefit from guessing through a fixed question set. Candidates who underestimate the management-lens requirement and study purely for technical recall tend to struggle.

CISM is narrower in subject matter but the questions require genuine managerial judgement. Candidates with purely technical backgrounds often find that the 'right' CISM answer is counterintuitive - the exam consistently rewards escalating to governance structures, accepting documented residual risk, and aligning decisions with the business strategy over taking direct technical action. Candidates who expect a technical exam are often surprised.

Both exams have a reputation for ambiguous-seeming questions with two plausible answers. The skill being tested in those cases is the ability to apply the correct decision-making framework for the credential's audience - which is also the skill that makes you more effective in the role the credential represents.

Why Practice Question Quality Matters More Than Quantity

For either exam, raw question volume is a poor proxy for readiness. Both CISM and CISSP test reasoning and judgement, not recall of isolated facts. A candidate who has worked through a thousand questions but cannot explain why each distractor is wrong is not as prepared as one who has worked through three hundred questions with a thorough explanation for every option.

The most useful practice material gives you a worked explanation for the correct answer and a specific rationale for each wrong option - why that distractor is plausible, what it would be testing if it were correct, and what misconception it is designed to catch. This kind of per-distractor feedback is what converts practice into genuine understanding of the exam's decision-making framework.

For CISM, that means understanding not just what governance frameworks exist but why a given scenario calls for one action over another. For CISSP, it means being able to explain why the technically correct option is wrong when the management-appropriate option is available. Practising on questions audited against the official exam content outline - where every item maps to a specific domain objective - builds confidence that your preparation covers the full scope of what the exam can test.


Frequently asked questions

Do I need CISSP before CISM?

No. Neither credential requires the other as a prerequisite. CISM requires five years of information security experience with at least three in management; CISSP requires five years across two or more of its eight domains. You can sit either exam in any order.

Which is harder, CISM or CISSP?

It depends on your background. CISSP covers eight domains and requires broad technical and managerial knowledge, making it harder for deep specialists with narrow experience. CISM is narrower but heavily tests management judgement, which surprises candidates expecting a technical exam. Neither is straightforwardly easier.

Can I sit CISSP before I have enough experience?

Yes. You can pass the CISSP exam and become an Associate of (ISC)2 while you accumulate the remaining experience years. You have six years from passing to meet the full experience requirement and earn the full CISSP designation. ISACA does not offer an equivalent associate pathway for CISM.

Which cert is better for a CISO role?

Many CISOs hold both. CISM maps more directly to CISO-level responsibilities - governance, programme management, and board-level risk communication. CISSP demonstrates the broad security domain knowledge that underpins those decisions. Holding both is a credible CISO-track combination.

How long does it take to prepare for each exam?

Preparation time varies widely by background. Candidates with relevant experience typically report several months of structured study for CISSP given the eight-domain breadth, and a shorter preparation window for CISM if they are already working in a security management role. Neither exam rewards last-minute cramming over applied experience.

Are CISM and CISSP recognised globally?

Both credentials are recognised globally and appear in senior security job postings across major markets. ISACA and (ISC)2 both operate internationally, with testing available through their respective proctoring networks - PSI for CISM and Pearson VUE for CISSP.

Examworthy is not affiliated with or endorsed by ISACA or (ISC)2. This article is original commentary based on public exam blueprints and published sources. We never reproduce live exam items. All certification names and marks belong to their respective owners.