Both CISM and CISA are ISACA's most respected certifications. Both require five years of experience. Both cost the same to take. So why do they lead to completely different careers?
The short answer: CISM is for security managers who build and run programs. CISA is for auditors who evaluate whether those programs work. If you lead a team, CISM. If you review controls and write audit reports, CISA.
But there's more nuance, especially with the April 2026 CISSP experience waiver update, which keeps CISM on the list but removes CISA. That's a meaningful signal about how ISC2 views the two credentials relative to broad security expertise.
Quick Comparison: CISM vs CISA at a Glance
| Factor | CISM (Certified Information Security Manager) | CISA (Certified Information Systems Auditor) |
|---|---|---|
| Focus | Security management, governance, and program leadership | IT audit, control assessment, and systems assurance |
| Issued by | ISACA | ISACA |
| Exam questions | 150 multiple-choice | 150 multiple-choice |
| Exam duration | 4 hours | 4 hours |
| Passing score | 450 (200–800 scale) | 450 (200–800 scale) |
| Exam fee (member) | $575 | $575 |
| Exam fee (non-member) | $760 | $760 |
| Experience required | 5 years IS work; 3+ years in IS management | 5 years IS audit, control, assurance, or security |
| Avg. salary (US) | $156,000–$191,000 | $120,000–$165,000 |
| Best for | CISOs, security managers, program leads | IT auditors, compliance officers, GRC professionals |
| CISSP waiver (Apr 2026) | Retained on waiver list | Removed from waiver list |
| Annual CPE required | 20 CPE hours/year; 120 over 3 years | 20 CPE hours/year; 120 over 3 years |
| Annual maintenance fee | $45 (member) / $85 (non-member) | $45 (member) / $85 (non-member) |
What Is CISM?
The Certified Information Security Manager (CISM) is ISACA's credential for security professionals who manage, design, and oversee information security programs. It's explicitly a management certification, not a technical one.
CISM covers four domains:
- Information Security Governance (17%): Aligning security strategy with business objectives, governance frameworks, roles and responsibilities
- Information Security Risk Management (20%): Risk identification, assessment, treatment, monitoring, and reporting
- Information Security Program (33%): Building and managing security programs, architectures, awareness, and metrics
- Incident Management (30%): Response planning, BCP/DRP integration, post-incident review
The CISM exam tests how you think as a security manager, not whether you can configure a firewall. Every question asks what the security manager should do to protect the organization and support business objectives. That management lens is what distinguishes CISM from every technical certification.
What Is CISA?
The Certified Information Systems Auditor (CISA) is ISACA's credential for IT auditors and control assessment professionals. It's one of the oldest and most globally recognized certifications in the field: ISACA introduced CISA in 1978, predating CISM by over two decades.
CISA covers five domains:
- Information System Auditing Process (21%): Audit standards, risk-based audit planning, audit execution and reporting
- Governance and Management of IT (17%): IT governance frameworks, enterprise architecture, policies and procedures
- Information Systems Acquisition, Development and Implementation (12%): Project management, SDLC, change management
- Information Systems Operations and Business Resilience (23%): IT service management, incident management, BCP/DRP
- Protection of Information Assets (27%): Access controls, network security, encryption, physical security
CISA tests your ability to evaluate whether controls are designed and operating effectively. Where CISM asks "what should we do?", CISA asks "is what they're doing working?"
Exam Format & Difficulty
On the surface, both exams look identical: 150 questions, 4 hours, 450 passing score on a 200–800 scale. But the style of questions is different enough that passing one doesn't automatically prepare you for the other.
CISM Exam: Management Mindset
CISM questions are scenario-based and ask what a security manager should do first, most importantly, or as a best practice. The correct answer often involves a management action (conducting a risk assessment, updating the security policy, escalating to senior management) rather than a technical fix.
Many candidates with strong technical backgrounds initially struggle because they instinctively pick the technical answer. The CISM exam format rewards candidates who can subordinate technical thinking to business and governance priorities.
CISA Exam: Audit Process Thinking
CISA questions focus on audit methodology: what an auditor should do when they discover a finding, how to assess control effectiveness, what constitutes sufficient audit evidence. The mindset is one of independence and objectivity: your job is to evaluate, not to fix.
Which Is Harder?
Most candidates who've taken both report that CISM is slightly harder for technical professionals transitioning to management roles, while CISA is harder for those without auditing experience. The estimated pass rates are similar, roughly 50–65% on the first attempt for both, which reflects ISACA's consistent calibration across its certifications.
CISM Exam Profile
- Questions 150 multiple-choice
- Time limit 4 hours (240 minutes)
- Passing score 450 / 800
- Testing mode Computer-based at Pearson VUE
- Question style Scenario-based, management decisions
- Est. pass rate ~50–65% (first attempt)
CISA Exam Profile
- Questions 150 multiple-choice
- Time limit 4 hours (240 minutes)
- Passing score 450 / 800
- Testing mode Computer-based at Pearson VUE
- Question style Audit methodology, control assessment
- Est. pass rate ~50–65% (first attempt)
Experience Requirements
Both certifications require five years of relevant experience, but "relevant" means different things for each.
CISM Experience Requirements
You need five years of information security work experience, with a minimum of three years in information security management. That management experience must span at least three of the four CISM domains, and it must have been earned in the ten years immediately preceding your exam or within five years of passing.
ISACA offers a limited education substitution: a graduate degree in information security or IT can substitute for one year of general IS experience (but not the management-specific requirement). See our CISM experience requirements guide for the full breakdown.
CISA Experience Requirements
You need five years of IS audit, control, assurance, or security work experience. CISA offers more substitution flexibility: up to two years can be replaced with a related bachelor's or master's degree, or a two-year degree in IS. Full-time university teaching in a related subject also counts (one year of teaching = one year of experience, up to two years max).
The practical difference: CISA's substitutions are more flexible, but the core requirement (direct audit or control experience) is specific. If you've never worked in audit, it can be harder to accumulate qualifying CISA hours than CISM hours.
CISM vs CISA Salary Comparison
Salary is one of the most-asked questions in the CISM vs CISA comparison. The answer: CISM holders generally earn more, reflecting the premium on security leadership roles.
CISM Salary Data
According to ISACA's most recent compensation surveys and market data, CISM holders in the United States earn:
- Median total compensation: $156,000–$170,000
- Senior/director level: $180,000–$191,000+
- Salary premium over uncertified peers: $25,000–$35,000
The CISM premium is driven by the scarcity of qualified security managers. Technical talent is plentiful; people who can govern a security program, communicate risk to a board, and align security investments with business strategy are not.
CISA Salary Data
CISA holders typically earn:
- Median total compensation: $120,000–$145,000
- Senior auditor / IT audit manager: $145,000–$165,000
- Big Four or major consulting: can reach $170,000+ with seniority
The CISA salary floor is lower: entry-level IT auditor roles are well-compensated but don't match security manager salaries. However, CISA holders in Big Four consulting, or those who move into CISO roles using their audit background, can close or exceed the gap over time.
Career Paths: CISM vs CISA
Where CISM Takes You
The CISM is explicitly designed as a leadership credential. Roles that typically list CISM as required or preferred:
- Chief Information Security Officer (CISO)
- VP / Director of Information Security
- Information Security Manager
- Security Program Manager
- IT Risk Manager
- Security Consultant (management-focused)
CISM also appears frequently in government and defense roles where the combination of management depth and security governance is valued. If your five-year goal is to lead a security organization, CISM is the clearer path.
Where CISA Takes You
CISA is the gold standard for IT audit roles across industries, but especially in financial services, healthcare, and public accounting:
- IT Auditor / Senior IT Auditor
- IT Audit Manager / Director
- Compliance Manager / Director
- GRC (Governance, Risk, Compliance) Manager
- Internal Controls Manager
- Information Systems Auditor (Big Four, regional firms)
- SOX Compliance Lead
CISA holders in public accounting often earn less at entry level but benefit from career flexibility: audit experience transfers across industries, and CISA holders frequently pivot to internal security roles, compliance leadership, or CISO positions later in their careers.
The 2026 CISSP Waiver Factor
On April 1, 2026, ISC2 is updating its CISSP experience waiver list, cutting it from approximately 50 certifications down to 25. The CISM is retained on the new list. The CISA is removed.
This matters for two reasons:
1. Immediate practical impact: If you hold a CISA and plan to use it to waive one year of CISSP experience, you need to submit your CISSP endorsement before April 1, 2026. After that date, CISA no longer counts. CISM holders face no such deadline; CISM continues to count as one year of CISSP experience waiver indefinitely.
2. Signal about credential positioning: ISC2 retaining CISM on their waiver list while removing CISA reflects how they view the two credentials relative to broad security competency. CISM's management and governance depth aligns more closely with what CISSP tests across its eight domains. CISA's narrower audit focus makes it less complementary to the CISSP framework.
CISM or CISA First? A Decision Framework
Most professionals will pursue one before the other. Here's how to decide:
Get CISM First If:
- You're currently in a security management or program leadership role
- Your five-year goal is CISO or VP of Security
- You already have the three years of IS management experience required
- You want to pursue CISSP and need a waiver credential (CISM qualifies; CISA no longer will)
- Your organization needs someone who can build and govern a security program
- You're in a CISM vs CISSP or CISM vs CRISC decision tree and leaning management
Get CISA First If:
- You're currently working in IT audit, compliance, or internal controls
- Your organization values or requires an IT audit credential
- You're at a Big Four or consulting firm where CISA is the standard
- You have more audit experience than security management experience
- Your career path runs through GRC before moving to security leadership
If You Have Both Roles Available
Many security professionals will eventually want both credentials. In that case, the conventional wisdom is to start with whichever aligns with your current role; it's far easier to study for an exam you're living every day. If you're doing security management work, CISM content is immediately applicable. If you're doing audit work, CISA is.
Can You Get Both CISM and CISA?
Yes, and many security leaders eventually do. CISM + CISA is a powerful combination for CISO-level roles, particularly at financial institutions, healthcare organizations, and large enterprises where both operational security leadership and compliance/audit credibility are valued.
The overlap in content (both cover IT governance, risk management, and some aspects of incident management) means studying for one will give you a head start on the other. Candidates who hold CISM often report that CISA's governance and risk domains feel familiar, even though the audit methodology domains require fresh preparation.
Combined with a CISSP, the CISM + CISA pairing covers technical breadth (CISSP), security management depth (CISM), and audit/assurance competency (CISA): the full toolkit for a senior security executive role.
Frequently Asked Questions
Is CISM harder than CISA?
Neither is consistently harder; it depends on your background. Candidates with technical security backgrounds often find CISM harder because it requires suppressing the technical instinct in favor of management thinking. Candidates without audit experience typically find CISA harder. Both have similar estimated pass rates of 50–65%.
Does CISM or CISA pay more?
CISM holders typically earn more: $156,000–$191,000 vs $120,000–$165,000 for CISA holders. The gap reflects the salary premium on security leadership roles vs audit/compliance roles. At senior levels (VP, Director, CISO), the gap narrows.
Can I get CISM without CISA?
Yes, and most CISM holders don't have CISA. The certifications are independent credentials with separate experience requirements. You don't need CISA as a prerequisite for CISM.
Is CISA still worth getting after the 2026 CISSP waiver change?
Absolutely. The CISSP waiver change only affects one narrow use case (substituting CISA for one year of CISSP experience). CISA remains the gold standard for IT audit roles globally, and its career value in compliance, GRC, and audit functions is unchanged.
Which is better for a CISO track?
CISM is more directly aligned with CISO preparation. That said, many successful CISOs hold CISA as well, especially those who came up through internal audit or compliance roles. For the CISO track, prioritize CISM, then consider adding CISA for board-level audit committee credibility.
How long does each exam take to prepare for?
Most candidates report 3–4 months of structured study for CISM (roughly 200–300 hours). CISA is similar: 3–4 months for experienced IT professionals, potentially longer for those new to audit methodology. See our CISM 12-week study plan for a structured approach.
Is CISM or CISA more recognized internationally?
Both are globally recognized through ISACA's international presence. CISA has a longer history (since 1978) and may be slightly better known in Europe and Asia-Pacific audit circles. CISM has rapidly grown in recognition since its 2002 launch and is now equally prominent in security management circles worldwide.
The Bottom Line
CISM and CISA are both excellent credentials, but they answer different questions. CISM proves you can run a security program. CISA proves you can evaluate one. Your current role, your five-year career goal, and your experience base should make the choice clear.
If you're on the management track, CISM completes the ISACA certification cluster alongside CRISC and CISSP. If you're on the audit track, CISA is your home base credential before moving toward CISM or CISSP later.
One more factor worth weighing: with the April 2026 CISSP waiver change keeping CISM and dropping CISA, ISC2 has effectively endorsed CISM as the more broadly applicable security credential. If you're planning a CISSP in your future, CISM is the strategically smarter ISACA credential to hold.