If you're weighing CISA vs CISM, you're probably already halfway into your career and trying to decide which track to commit to. That's the actual question most people have when they compare these two — not "which is better?" but "which one fits the career I'm building?"
Here's the short version. CISA is for people who evaluate — auditors, compliance analysts, the ones who assess whether controls are working. CISM is for people who run security — managers, directors, the ones who own the outcome. Both carry weight. They just point at different jobs.
That distinction sounds obvious on paper, and it breaks down the moment you actually have to pick.
The comparison, at a glance
| | CISA | CISM |
|---|---|---|
| Focus | IS auditing, controls, assurance | Security governance, risk, program management |
| Built for | Evaluating systems and controls | Running security programs |
| Typical roles | IS auditor, IT audit manager, compliance officer | Security manager, director, CISO |
| Exam format | 150 questions, 4 hours | 150 questions, 4 hours |
| Passing score | 450 / 800 | 450 / 800 |
| Cost | $575 member / $760 non-member | $575 / $760 |
| Experience | 5 years in IS auditing or IS security | 5 years in information security management |
| Waivers | Up to 3 years for degrees and other credentials | Limited — management experience is the point |
| Holders | 200,000+ since 1978 | Smaller pool, growing fast |
Salary is deliberately not in that table. We'll get to it, and the averages you've seen quoted online are misleading in a way worth understanding.
The real question is about orientation, not content
Both exams cover similar ground on the surface — governance, risk, controls, incident response. The difference is where each cert sits in the decision chain.
CISA is oriented toward the person coming in after the fact. You're reading the policy, sampling the evidence, writing the finding. You're asking "did this work, and how do we know?" Your deliverable is an opinion backed by documentation.
CISM is oriented toward the person who owned the policy in the first place. You wrote it, you staffed it, you're explaining it to the board, and when something breaks you're the one on the call. Your deliverable is a functioning program.
That framing maps onto the domains pretty directly. On the CISA side, the two biggest domains — IT Operations and Resilience (26%) and Protection of Information Assets (26%) — are both evaluation domains. You're looking at someone else's access controls, someone else's change management, someone else's backups, and judging them. On the CISM side, the weight is different. Program Development and Management is 33% by itself, and Incident Management is another 30%. More than 60% of the exam is about building and running things, not reviewing them.
A note on CISM's Domain 3, because this is where most people with non-management backgrounds hit a wall. It's not a technical domain. It's budgets, staffing models, vendor contracts, metrics, stakeholder communication, and the unsexy middle-management work of actually keeping a security program running. If you've never written a program charter or defended a budget to a CFO, the vocabulary will feel foreign. That's the domain that humbles engineers.
CISA's domains are more predictable by comparison. If you've done audit work, the exam mostly tests whether you can apply methodology consistently. It's deep, but it's deep in one direction.
Experience requirements: where the ambiguity lives
Both certs require five years of qualifying experience. Both let you sit for the exam first and get certified once you've met the requirement. The trickier part is what counts as qualifying.
CISA defines this fairly narrowly: IS auditing, IT audit, IS internal audit, or IS security audit work. ISACA will waive up to three of the five years with a relevant degree or other credentials, so people without full audit careers can still get there.
CISM's waivers are real but the spirit of the requirement is stricter. ISACA wants five years of information security management — meaning roles where you were managing security work, not just performing it. This is where candidates fudge, and it's where ISACA's verifiers push back. Being the senior engineer on a team isn't management. Leading a compliance initiative is. Owning the endpoint security program end-to-end is. Reviewing tickets and running scans is not.
I worked with someone who had twelve years in network security and assumed CISM was the obvious next move. He passed the exam (he's sharp), but when he submitted his experience verification, three of the five years he listed got bounced. He'd been a senior engineer, not a manager, and his write-ups described implementations rather than ownership. He had to rework his documentation, get a former manager to verify specific leadership work, and wait out another year of actual program ownership before he could get certified. The exam was the easy part. The experience verification was where the cert actually got earned.
If you're not sure whether your experience qualifies, email ISACA's cert team before you register. They'll tell you. It's a boring email to send and it saves people a lot of trouble.
Difficulty: comparable, but for different people
Both exams are hard. They have the same length, same passing score, and similar pass rates (neither is published, but anecdotally both sit in the 50-65% range).
What varies is who finds which one harder.
If you're coming from an audit or compliance background, CISA will feel familiar and CISM will feel like it's testing a job you don't have. If you're coming from a security management role, the reverse. Neither exam is an intelligence test — they're a fit test for the kind of work you've actually been doing.
One pattern I've noticed: auditors moving toward management sometimes assume CISM will be the easier of the two because "it's less technical." It isn't, and the governance and program-development questions bite them. Meanwhile, engineers with no audit exposure sometimes assume CISA will be the gentler option because "audit is just documentation." It isn't — the methodology is a real discipline, and the exam tests it seriously.
Salary, honestly
You've probably seen numbers like "CISA average $145K, CISM average $118K." Those are real ISACA compensation figures, but they're misleading in a specific way.
CISA salaries are more predictable because audit roles are more predictable. Senior IS auditors, IT audit managers, compliance officers — these are defined jobs with defined salary bands, especially in finance and Big Four consulting. The distribution is tight.
CISM salaries are all over the place because the jobs are. A CISM-certified security manager at a mid-market company might earn $120K. A CISM-certified CISO at a regional healthcare system might earn $280K. The average gets pulled down by the larger base of mid-level security managers, but the ceiling is much higher than the CISA ceiling.
If your goal is a stable, well-paid career in audit or compliance, CISA's economics are strong and consistent. If you're aiming at a CISO or VP role eventually, CISM has more upside — but the path is less linear and the average doesn't capture it.
Career paths
CISA tracks into:
- IS auditor
- IT audit manager
- Compliance analyst
- IT risk analyst
- Internal audit director
- Compliance officer, or Chief Audit Executive in larger orgs
You're independent by design. Your value comes from being trusted to evaluate something without being captured by the people running it.
CISM tracks into roles where you're accountable for the security posture, not the assessment of it — information security manager, security director, CISO, GRC manager (in the security-leaning version of the role), head of security operations, IR, or governance.
Both tracks can end up at the executive level. CISA lands people at Chief Audit Executive, CISM at CISO. They get there through different buildings on the same campus.
When it's worth getting both
Occasionally it is. Not often.
Getting both makes sense if you're building toward a CISO role in a heavily regulated industry — finance, healthcare, federal contracting — where your credibility with auditors and regulators is part of the job. It also makes sense if you want real optionality between the compliance side and the security-leadership side of the house. A CISM with a CISA is unusually well-positioned for CISO roles at banks and insurers.
For most people, it's overkill. Pick the one that matches the next job you want, not the one that matches the job after that.
So which one
If you're doing audit or compliance work now, get CISA. If you're managing security people, budgets, or programs — or are about to — get CISM. If you're on the fence because your role straddles them, look at the job title you want in three years and pick the cert that shows up in that job's postings most often. That's almost always the right answer.
There's a related read on the full ISACA lineup if you're still orienting: the ISACA certification path guide walks through where CISA and CISM sit relative to CRISC, CGEIT, and CDPSE. If you've already picked and want to plan the timeline, how long to study for CISA and how long to study for CISM both have week-by-week breakdowns.
Before you commit either way, spend 20 minutes on a short diagnostic for each exam. Most people have a clear "this one feels like my job" reaction within the first 30 questions — and occasionally it's the opposite of what they assumed walking in.
Try a free CISA diagnostic or a free CISM diagnostic — no signup, per-domain results, about 20 minutes each.