
CISSP vs CISM vs CASP vs CCISO

‘CISSP’ or the ‘Certified Information Systems Security Professional’, CISM or the ‘Certified Information Security Manager’, CASP+ or the ‘CompTIA Advanced Security Practitioner’ and CCISO or the ‘Certified Chief Information Security Officer’ are four of the leading certifications in the information security domain. This document compares the four certifications at a high level: who administers them, who they are aimed at, the experience required, the domains covered, the exam format and what it takes to keep them current.

CISSP:

‘CISSP’ or the ‘Certified Information Systems Security Professional’ from (ISC)2 is widely regarded as the benchmark certification for cybersecurity professionals. Earning the CISSP demonstrates that you have the capability to “effectively design, implement and manage a best-in-class cybersecurity program” (CISSP – The World’s Premier Cybersecurity Certification).

The CISSP exam covers almost every aspect of information security, but each only to a limited depth; it is popularly described as the certification that is “a mile wide and an inch deep”. It is nonetheless more technical and operational in scope than the management-focused CISM and CCISO discussed below.

Job roles that require the CISSP:

While the CISSP is an internationally recognised certification for all cyber security aspirants, the following job roles in particular benefit from holding it:

  1. Chief Information Officer
  2. Chief Information Security Officer
  3. Director of Security
  4. IT Director/Manager
  5. Network Architect
  6. Security Analyst
  7. Security Architect
  8. Security Auditor
  9. Security Consultant
  10. Security Manager
  11. Security Systems Engineer 

Pre-requisite to take the exam: 

A CISSP candidate must demonstrate a minimum of 5 years of cumulative, full-time, paid security work experience in two or more of the eight domains of the (ISC)2 CISSP CBK (Common Body of Knowledge).

Domains in the CISSP:

To pass the CISSP exam, the candidate needs a working knowledge of the following eight domains:

  1. Security and Risk Management Domain
  2. Asset Security Domain
  3. Security Architecture and Engineering Domain
  4. Communication and Network Security Domain
  5. Identity and Access Management (IAM) Domain
  6. Security Assessment and Testing Domain
  7. Security Operations Domain
  8. Software Development Security

Exam details:

  1. The exam has between 100 and 150 questions
  2. The candidate must score 700 out of a possible 1000 points to pass
  3. The duration of the exam is 3 hours
  4. All English versions of the CISSP exam use CAT (Computerized Adaptive Testing); the number of questions a candidate sees depends on how they perform
  5. Current pricing is published on the (ISC)2 site (the comparison table below lists US $699)

Endorsement process:

All candidates who pass the exam must complete the endorsement process within 9 months. The application must be endorsed and digitally signed by an (ISC)2-certified professional in good standing, who attests to the candidate’s work experience in the IT security industry.

Once the candidate receives the CISSP credential from (ISC)2 they become an (ISC)2 member and must recertify every 3 years.

Maintaining the certification:

Recertification is done by earning CPEs (Continuing Professional Education credits, 120 over each 3-year cycle) and by paying an AMF (annual maintenance fee) of US $85.

CPEs can be earned by joining webinars, attending events, reading or writing information security articles and books, or volunteering.

CCISO:

The ‘Certified Chief Information Security Officer’ or CCISO program is a leadership program designed by EC-Council. It is aimed at preparing mid-level cyber security professionals for executive leadership, and at sharpening the skills of those who already hold executive roles. It is a natural progression after the CISSP for CISOs and aspiring CISOs.

Domains:

There are five domains in the CCISO program:

  1. Governance and risk management
  2. Information Security Controls, Compliance and Audit management
  3. Security Program management and operations
  4. Information Security core competencies
  5. Strategic planning, finance, procurement and vendor management

Pre-requisites:

  1. The candidate must have 5 years of experience in each of the domains listed above (the five years may overlap across domains). A waiver of up to 3 years per domain is available to candidates with an appropriate degree or certification in information security. Once the application is approved, the candidate is allowed to take the exam.
  2. If the candidate does not have the required experience, he or she can take the official CCISO training. After completing the training, the candidate must demonstrate 5 years of experience in at least 3 of the domains listed to take the exam.
  3. Candidates who do not yet have the required experience but would like to prepare for the CCISO program can take the EC-Council Information Security Management (EISM) certification.

Exam details:

  1. The duration of the exam is 150 minutes (2 ½ hours)
  2. There are 150 questions in the exam
  3. The format is scenario-based multiple choice
  4. The passing score is 72%
  5. The CCISO application fee is US $100

Maintaining and renewing the certification:

The CCISO certification is valid for one year. It is renewed by paying US $100 and satisfying EC-Council’s continuing education requirements.

CISM:

The ‘Certified Information Security Manager’ (CISM) from ISACA is for information security professionals who want to move from being a team member in the InfoSec domain to a manager. Unlike the CISSP, the CISM is a management-focused exam, and it is designed to help InfoSec professionals move from the technical realm into management.

The average salary of CISM certified professionals in the US is $118K.

“CISM is accredited by the American National Standards Institute (ANSI) under ISO/IEC 17024:2012” (Take your career to the next level – with CISM) 

Domains in the CISM exam:

There are four domains in the CISM exam, and they are far narrower in scope than the CISSP’s eight. They are:

  1. Information Security Governance (24%)
  2. Information Risk Management (30%)
  3. Information Security Program Development and Management (27%)
  4. Information Security Incident Management (19%)

Pre-requisite to take the exam:

Candidates need five (5) or more years of experience in information security, of which 3 years must be in the role of information security manager, in order to be certified.

Experience waivers are available for a maximum of two (2) years.

Exam detail:

  1. The exam contains 150 questions in multiple-choice format
  2. The exam duration is 4 hours
  3. ISACA uses a 200–800 point scale with 450 as the passing mark. A scaled score is a conversion of the raw score on an exam to a common scale; it is not an arithmetic or percentage average. A candidate must receive a scaled score of 450 or higher to pass the exam.
  4. Exam registration fees are based on membership status at the time of exam registration:
  • ISACA member: US $575
  • ISACA non-member: US $760

Maintaining the certification:

Once certified, CISM professionals must keep their skills current by complying with ISACA’s continuing professional education (CPE) policy.

The CPE policy requires an individual to earn a minimum of twenty (20) CPE hours annually.

The certificate holder must also earn one hundred and twenty (120) CPE hours over every three-year cycle.

In addition, an annual maintenance fee of US $45 for ISACA members and US $80 for non-ISACA members is required.

The candidate should also comply with ISACA’s code of Professional Ethics.

CASP+:

The ‘CompTIA Advanced Security Practitioner’ (CASP+) is an advanced information security certification suited to InfoSec practitioners who want a hands-on, performance-based credential rather than a management one.

From the CompTIA site, here is a description of the CASP+ certification: The “CASP+ covers the technical knowledge and skills required to conceptualize, engineer, integrate and implement secure solutions across complex environments to support a resilient enterprise” (CompTIA Advanced Security Practitioner (CASP+))

The CASP+ certification is compliant with the ISO 17024 standard and is approved by the US DoD (Department of Defense) to meet the requirements of directives 8140 and 8570.01-M.

Job roles that require CASP+:

While the CASP+ certification would benefit most professionals in the InfoSec domain, CompTIA lists the following job roles as its primary audience:

  1. Security architect
  2. Technical lead analyst
  3. Application Security Engineer
  4. Security Engineer

Pre-requisite:

CASP+ has no formal prerequisite, but CompTIA recommends a minimum of 10 years of experience in IT administration, of which 5 years should be hands-on technical security experience.

Skills tested:

The candidate is tested on the following domains (CAS-003 exam):

  1. Risk management
  2. Enterprise security architecture
  3. Enterprise security operations
  4. Technical integration of enterprise security
  5. Research, development and collaboration

Exam details:

  1. The exam contains a maximum of 90 questions, a mix of multiple-choice and performance-based items
  2. The exam duration is 165 minutes
  3. The cost of the exam is US $452
  4. The result is not a scaled score; CASP+ reports PASS/FAIL only

Maintaining and renewing your certification:

The CASP+ certification is valid for three years from the date it is earned. To stay current as the skills evolve, certificate holders can extend it by a further three years through the CompTIA Continuing Education (CE) program.

In the CE program, certificate holders take part in training programs and activities relevant to their certification. They must collect 75 CEUs (Continuing Education Units) and upload them to their account within the three-year period; the certification then renews automatically.

The CASP+ certification plus the CE program also carries the ISO/ANSI accreditation status.

Career advancement with CISSP, CISM and CASP+:

Holding the CISSP, CISM and/or CASP+ credential gives candidates greater credibility in the information security community and opens up a wider range of job opportunities.

Many job postings call for advanced certifications such as CISSP, CISM or CASP+. A few of the titles that do:

  1. Security Analyst
  2. IT Security Engineer
  3. Security Delivery Specialist

These are examples of job descriptions requiring a CISSP or CISM that have been posted on popular job portals in India and the USA.

Here is a gist of the comparison of the different certifications:

Administering organization:

  CISSP: (ISC)2
  CISM: ISACA
  CASP+: CompTIA
  CCISO: EC-Council

Job roles the certification targets:

  CISSP: Chief Information Officer, Chief Information Security Officer, Director of Security, IT Director/Manager, Network Architect, Security Analyst, Security Architect, Security Auditor, Security Consultant, Security Manager, Security Systems Engineer
  CISM: those who manage, design, oversee and assess an enterprise’s information security function
  CASP+: Security Architect, Technical Lead Analyst, Application Security Engineer, Security Engineer
  CCISO: CISOs, aspiring CISOs and mid-level cyber security professionals moving into executive roles

Pre-requisite:

  CISSP: a minimum of 5 years of cumulative, full-time security work experience in two or more of the eight domains of the (ISC)2 CISSP CBK (Common Body of Knowledge)
  CISM: five (5) or more years of experience in information security, of which 3 years must be in the role of information security manager (waivers of up to 2 years available)
  CASP+: no formal prerequisite; CompTIA recommends a minimum of 10 years of IT administration experience, of which 5 years should be hands-on technical security experience
  CCISO: 5 years of experience in each of the five domains (the years may overlap), or official CCISO training followed by 5 years of experience in at least 3 of the domains

Domains:

  CISSP (8):
  1. Security and Risk Management
  2. Asset Security
  3. Security Architecture and Engineering
  4. Communication and Network Security
  5. Identity and Access Management (IAM)
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security

  CISM (4):
  1. Information Security Governance
  2. Information Risk Management
  3. Information Security Program Development and Management
  4. Information Security Incident Management

  CASP+ (5, CAS-003):
  1. Risk Management
  2. Enterprise Security Architecture
  3. Enterprise Security Operations
  4. Technical Integration of Enterprise Security
  5. Research, Development and Collaboration

  CCISO (5):
  1. Governance and Risk Management
  2. Information Security Controls, Compliance and Audit Management
  3. Security Program Management and Operations
  4. Information Security Core Competencies
  5. Strategic Planning, Finance, Procurement and Vendor Management

Exam details:

  CISSP: 100 to 150 questions (CAT), multiple choice and advanced innovative items, 3 hours, US $699
  CISM: 150 questions, multiple choice, 4 hours, US $575 for ISACA members / US $760 for non-members
  CASP+: up to 90 questions, multiple choice and performance-based, 165 minutes, US $452
  CCISO: 150 questions, scenario-based multiple choice, 150 minutes, US $100 application fee

Salaries:

The average salaries cited for certified professionals are:

  1. CISSP: $131,030
  2. CISM: $118,412
  3. CASP+: $104,650
  4. CCISO: $134,380

We hope this comparison of the CISSP, CISM, CASP+ and CCISO was useful to you. For more information on InfoSec Train’s courses and certifications, visit https://www.infosectrain.com

AUTHOR
Jayanthi Manikandan
Cyber Security Analyst
Jayanthi Manikandan has a Master’s degree in Information Systems with a specialization in Information Assurance from Walsh College, Detroit, MI. She is passionate about information security and has been writing about it for the past 6 years. She is currently a Security Researcher at InfoSec Train.