Both CISM and CRISC are issued by ISACA. Both cover risk. Both sit on the same scale — 150 questions, 4 hours, a passing score of 450. And yet they send careers in noticeably different directions.
CISM is a management credential. It asks you to govern an information security program, report to the board, and own the incident response lifecycle. CRISC is a risk credential. It asks you to identify, assess, respond to, and monitor IT risk at the operational and enterprise level — often as the person enabling the manager above you.
The question most professionals ask is: which should I get first? The answer depends almost entirely on your current experience and where you want to land in the next three to five years. This guide breaks it down.
Quick Comparison: CISM vs CRISC
CISM
- Full Name: Certified Information Security Manager
- Focus: Security governance & program management
- Questions: 150 (4 hours)
- Passing Score: 450 / 800
- Experience: 5 years IS, 3 in management
- Exam Fee: $575 (member) / $760 (non-member)
- Domains: 4 (Governance, Risk, Program, Incident)
- Typical Role: CISO, Security Director, IS Manager
- Avg Salary: $130K–$190K+
CRISC
- Full Name: Certified in Risk & Info Systems Control
- Focus: IT risk management & controls
- Questions: 150 (4 hours)
- Passing Score: 450 / 800
- Experience: 3 years across 2+ domains
- Exam Fee: $519 (member) / $649 (non-member)
- Domains: 4 (Governance, Risk Assessment, Risk Response, Technology)
- Typical Role: IT Risk Manager, GRC Analyst, Risk Consultant
- Avg Salary: $100K–$155K
What Is CISM?
The Certified Information Security Manager (CISM) is ISACA's flagship credential for professionals who manage, design, and oversee enterprise information security programs. Launched in 2002, it's earned a reputation as one of the most respected management-level certifications in the field — consistently ranking among the highest-paying IT certifications globally.
CISM is deliberately managerial. The exam doesn't ask you to configure firewalls or write Python scripts. It asks you how you'd govern a security program, present risk to the board, align controls with business objectives, and manage the aftermath of a data breach. You're thinking like a CISO, not a security engineer.
This orientation makes CISM particularly valuable for professionals in — or aiming for — titles like:
- Chief Information Security Officer (CISO)
- Director of Information Security
- Information Security Manager
- VP of Cybersecurity
- Security Governance Lead
CISM's experience requirement reflects its management positioning: you need five years of information security work experience, with at least three of those years in security management roles. This is the steepest requirement of any ISACA credential. If you're earlier in your career, that's where CRISC becomes relevant.
See our full CISM exam format guide and CISM experience requirements breakdown for more detail.
What Is CRISC?
The Certified in Risk and Information Systems Control (CRISC) is ISACA's risk-specialist credential. Launched in 2010, it targets professionals who identify, assess, evaluate, and respond to IT risk — and who implement and monitor the information systems controls that mitigate it.
CRISC sits at the intersection of risk management and IT operations. It's the certification you earn when your job is to translate technical risk into business language, build risk registers, design control frameworks, and report risk posture to leadership. You're the risk expert that CISMs rely on.
The exam was updated in 2023 with slightly revised domain weights — IT Risk Assessment increased from 20% to 22%, while Technology and Security decreased from 22% to 20%. The four domains remain:
- Domain 1 – Governance (26%): Risk governance frameworks, organizational structure, risk appetite, policies
- Domain 2 – IT Risk Assessment (22%): Risk identification, scenario analysis, threat modeling, vulnerability assessment
- Domain 3 – Risk Response and Reporting (32%): Risk treatment, control design, key risk indicators, risk reporting
- Domain 4 – Information Technology and Security (20%): Emerging tech risks, cloud, third-party risk, security architecture
CRISC's experience barrier is lower than CISM's: three years of work experience across at least two CRISC domains, with at least one year in Domain 1 (Governance) or Domain 2 (IT Risk Assessment). No management experience is required — which makes it accessible to mid-career professionals still working as individual contributors.
Exam Format & Structure
This is where CISM and CRISC are nearly identical. Both exams are:
- 150 questions — multiple-choice, scenario-based
- 4 hours to complete
- 450 passing score on an 800-point scale
- Delivered at Pearson VUE testing centers (or remotely)
- Available on-demand — no fixed testing windows
The critical thing to understand about the 450 score: it's not a percentage. ISACA uses a scaled scoring system where 200 is the lowest possible score and 800 is the highest. The 450 threshold maps to roughly 60–65% of questions answered correctly — but the exact number varies because difficult questions are weighted more heavily than easy ones. This is the same scoring model across all ISACA exams.
CISM maintenance requires 20 CPE hours per year and 120 total over the 3-year renewal cycle. CRISC has the same requirements. Both charge a $45/year annual maintenance fee (for ISACA members).
Experience Requirements: The Key Differentiator
Experience requirements are the most practically important difference between these two certifications — and the primary reason many professionals pursue CRISC first.
CISM Experience
- Total Required: 5 years in information security
- Management Requirement: 3 of those 5 years must be in management roles
- Lookback Window: Must be within the last 10 years
- Application Deadline: Submit within 5 years of passing
- Waivers Available? Yes — degree waivers reduce requirement by 1–2 years
CRISC Experience
- Total Required: 3 years in IT risk management / controls
- Management Requirement: None — individual contributor experience counts
- Domain Coverage: Must span at least 2 CRISC domains
- Required Domains: At least 1 year in Domain 1 or Domain 2
- Application Deadline: Submit within 5 years of passing
The practical implication: a security analyst with 3–4 years of experience in risk, audit, or GRC functions can likely qualify for CRISC today. The same person probably can't qualify for CISM yet — they need more time and a move into a management role first.
This isn't a knock on CRISC. It's the right tool for the right career stage. Earning CRISC while you're building toward a management role actually helps you get there faster, since it validates your risk expertise to hiring managers looking to promote someone into leadership.
Domains Side-by-Side
Both certifications cover four domains, and there's meaningful overlap — both touch risk management, governance frameworks, and controls. But the orientation is different.
CISM Domains
- Domain 1 – Information Security Governance (17%): Establishing and maintaining a security governance framework aligned to business strategy
- Domain 2 – Information Risk Management (20%): Identifying, analyzing, and mitigating information risk to acceptable levels
- Domain 3 – Information Security Program Development and Management (33%): Building, managing, and maintaining the enterprise security program
- Domain 4 – Information Security Incident Management (30%): Developing and managing incident response and recovery capabilities
CRISC Domains
- Domain 1 – Governance (26%): Risk governance frameworks, policies, organizational risk culture, compliance
- Domain 2 – IT Risk Assessment (22%): Identifying and assessing IT risk using qualitative and quantitative methods
- Domain 3 – Risk Response and Reporting (32%): Treating risk through controls, KRIs, risk treatment options, reporting to stakeholders
- Domain 4 – Information Technology and Security (20%): Emerging technology risks, cloud security, third-party risk, security architecture
Cost Comparison
ISACA membership pays off if you're planning to earn multiple certifications. Annual membership costs approximately $135 for a standard membership, and the exam fee discounts alone make it worthwhile for most candidates.
CISM Total Cost
- ISACA Membership (optional): ~$135/year
- Exam Fee (member): $575
- Exam Fee (non-member): $760
- Certification Application: $50
- Annual Maintenance: $45/year (member)
- Study Materials: $200–$600
- Year 1 Total (member): ~$1,000–$1,400
CRISC Total Cost
- ISACA Membership (optional): ~$135/year
- Exam Fee (member): $519
- Exam Fee (non-member): $649
- Certification Application: $50
- Annual Maintenance: $45/year (member)
- Study Materials: $150–$500
- Year 1 Total (member): ~$850–$1,250
If you're planning to pursue both, becoming an ISACA member before sitting either exam is an easy financial win. The membership pays for itself on the first exam. See our full CISM certification cost breakdown for a complete 3-year investment analysis, including renewal CPE costs and employer reimbursement strategies.
Salary & Career Impact
Both certifications deliver meaningful salary premiums — but they operate at different levels of the compensation ladder, reflecting the different seniority of the roles they target.
CISM Salary
CISM is one of the highest-paid certifications in information technology globally. ISACA's own compensation surveys consistently rank it in the top three. Certified professionals in the US typically earn:
- Information Security Manager: $110,000–$150,000
- Director of Information Security: $150,000–$190,000
- CISO: $180,000–$250,000+ (varies widely by company size)
CRISC Salary
CRISC-certified professionals earn strong compensation, particularly in financial services, healthcare, and consulting where formal risk governance is a regulatory requirement:
- IT Risk Analyst / GRC Analyst: $85,000–$115,000
- IT Risk Manager: $110,000–$145,000
- Risk & Compliance Lead: $120,000–$155,000
- GRC Director: $140,000–$175,000
Job Roles Each Cert Targets
Understanding which job titles each certification is designed for helps you pick the right one for your current situation — and plan your next move.
CISM Is Best For
- Security managers and directors looking to formalize their credentials
- Professionals on the CISO track who need governance expertise
- IT managers transitioning into dedicated information security leadership
- Consultants advising enterprises on security program design
- Professionals who already hold CISSP and want a pure management certification (see CISM vs CISSP comparison)
CRISC Is Best For
- IT risk analysts and GRC professionals formalizing their risk expertise
- IT auditors who want to expand into risk management
- Security professionals in regulated industries (banking, healthcare, insurance)
- Risk consultants and advisors at professional services firms
- Mid-career professionals looking to differentiate before moving into management
Which Should You Get First?
This is the core question. Here's a direct framework based on experience level and current role.
Get CRISC First If:
- Your current role involves risk assessment, control design, or compliance monitoring
- You work in or want to work in GRC, internal audit, or risk consulting
- You don't yet have 3 years of management experience (CISM requires it)
- You're in financial services, healthcare, or insurance — industries where CRISC is a recognized benchmark
- You want a faster path to certification — CRISC's experience bar is lower
Get CISM First If:
- You're already managing a security team or security program
- You're being considered for a CISO or Director-level position
- You already hold CISSP and want a second credential focused specifically on management (CISM complements CISSP well)
- You work in an organization where CISM is a listed requirement for promotion or new roles
CRISC → CISM: The Most Common Path
For professionals earlier in their careers, the CRISC → CISM sequence is genuinely logical. Here's why it works:
- CRISC is attainable now — 3 years experience, no management requirement
- CRISC study reinforces CISM prep — the risk management domains overlap significantly, so your CRISC knowledge carries forward
- CRISC accelerates the management move — holding CRISC makes you a more credible candidate for risk leadership roles that eventually qualify you for CISM
- Dual credentials stack well — CISM + CRISC together signal both strategic and operational depth
While preparing for CISM, also consider how the four CISM domains map to your existing risk experience. You'll likely find more overlap than you expect.
Can You Do Both?
Yes — and many security professionals do. ISACA actively encourages credential stacking, and both CISM and CRISC contribute to the same CPE cycle if you hold both (ISACA allows a single annual renewal process for multiple certifications).
The question is sequencing and timing. Attempting both simultaneously is generally not recommended — both exams require genuine domain knowledge and scenario-level reasoning that benefits from focused preparation. Most successful dual-credentialed professionals space them 12–18 months apart, using the first certification's study cycle to build a knowledge base that accelerates the second.
If you're planning both:
- Earn CRISC first while you're building toward management experience
- Use the CRISC study materials as a foundation for CISM risk management content
- Get ISACA membership before either exam — it covers both at the member rate
- When you sit for CISM, your CRISC CPE hours count toward the experience application
FAQ: CISM vs CRISC
Is CISM harder than CRISC?
Difficulty is subjective, but the consensus among professionals who've passed both leans toward CISM being more challenging. The management orientation of CISM can trip up candidates who naturally think in technical or operational terms — you must consistently choose the answer that's best for the business, even when a technically correct option is available. CRISC's focus on risk assessment and controls is more concrete, making it somewhat more intuitive for professionals already working in risk functions.
Does CRISC experience count toward CISM?
Yes. Experience earned in risk management, governance, or IT risk assessment roles — which forms the basis of CRISC experience — generally qualifies toward CISM's information security management experience requirement, particularly for Domain 2 (Information Risk Management). You'll need to document this carefully in your CISM application.
Can I list both CISM and CRISC on my resume?
Yes, and you should. They complement each other well and signal different strengths to hiring managers. CISM signals security leadership and governance capability; CRISC signals operational risk depth and control expertise. Together they cover the full risk-to-governance spectrum that senior security roles require.
Which has better ROI for an IT risk consultant?
CRISC typically has stronger direct ROI for risk consultants, particularly in the near term. It's the recognized benchmark for IT risk management in consulting environments, and many large firms (Big Four in particular) prioritize CRISC alongside CISA for their risk advisory practices. CISM adds value as you advance toward partner or managing director track.
Do employers prefer CISM or CRISC?
It depends on the role. Job postings for CISO, Security Director, and Security Manager positions most commonly list CISM. Postings for IT Risk Manager, GRC Lead, Risk Analyst, and IT Auditor roles most commonly list CRISC or CISA. If you're unsure which to pursue, search active job listings for your target role on LinkedIn and see which credential appears most frequently in the requirements.
How long does it take to prepare for each?
Most candidates report 60–120 hours of focused study for CRISC and 80–150 hours for CISM. Study time varies significantly based on how closely your work experience aligns with the exam content. Candidates with hands-on risk management experience often need less preparation for CRISC; candidates already in security management roles often find CISM requires less from scratch. A structured 12-week CISM study plan covers the material systematically without burnout.