CISA vs CISM: Which Certification Is Right for Your Career?
A detailed comparison of ISACA's two flagship certifications to help you choose the path that aligns with your career goals.
Quick answer: CISA or CISM — which one first?
- Pick CISA if you audit, assess, or verify IT systems and want to grow into IT audit leadership, SOX IT testing, or external IS audit roles.
- Pick CISM if you design, build, or manage security programs and want to grow into a CISO, security director, or IT risk management role.
- Pick both if you're aiming for CIO/CISO leadership at a publicly listed company — most CISOs in North America hold both, and the second cert adds roughly $15,000–$25,000 of salary lift on top of the first.
The rest of this article is the detailed comparison: exam structure, costs, salary data, decision matrix, and the stacking strategy senior leaders actually use.
What CISA and CISM actually are
Both certifications are issued by ISACA, the global professional association for IT governance, audit, and security. They are the two most-cited ISACA credentials on LinkedIn job postings for senior IT-adjacent roles, and they have very different jobs.
CISA — Certified Information Systems Auditor
The CISA validates that the holder can plan, perform, and report on information systems audits. It is the credential auditors hold when they evaluate whether IT systems and the controls around them are doing what they're supposed to do.
Established: 1978. Held by 170,000+ professionals worldwide (ISACA, 2026).
Best for: IT auditors, IS compliance officers, control analysts, IT governance specialists, external auditors doing IT controls work, SOX IT specialists.
CISM — Certified Information Security Manager
The CISM validates that the holder can design, build, and manage an enterprise information security program. It is the credential security managers hold when they own the strategy and operation of a program, not just the testing of it.
Established: 2002. Held by 70,000+ professionals worldwide (ISACA, 2026).
Best for: Information security managers, CISOs, security program directors, IT risk managers, GRC leaders moving into security ownership roles.
CISA vs CISM at a glance
| Dimension | CISA | CISM |
|---|---|---|
| Issuer | ISACA | ISACA |
| Year established | 1978 | 2002 |
| Holders worldwide (2026) | ~170,000 | ~70,000 |
| Exam questions | 150 | 150 |
| Exam duration | 4 hours | 4 hours |
| Passing score | 450 / 800 | 450 / 800 |
| Experience required | 5 years IS audit, control, or security | 5 years IS, with 3 in security management |
| Exam fee (members, 2026) | $575 | $575 |
| Exam fee (non-members, 2026) | $760 | $760 |
| Annual maintenance fee | $45 (member) / $85 (non-member) | $45 (member) / $85 (non-member) |
| CPE required per year | 20 hours | 20 hours |
| Average US salary (2026) | ~$125,000 | ~$135,000 |
| Career arc | IT audit → audit director → CAE | Security manager → CISO |
The four CISA exam domains (2026)
The CISA exam has been structured around the same five (now four, post-2023 update) domains:
| Domain | Weight | Focus |
|---|---|---|
| Information Systems Auditing Process | 18% | Planning, execution, evidence, reporting |
| Governance and Management of IT | 18% | IT strategy, structures, resource management |
| Information Systems Acquisition, Development & Implementation | 12% | SDLC, project management, post-implementation review |
| Information Systems Operations and Business Resilience | 26% | Operations, business continuity, disaster recovery |
| Protection of Information Assets | 26% | Identity, access, network, encryption, incident response |
CISA rewards depth in operations and information protection — the two largest domains together cover 52% of the exam.
The four CISM exam domains (2026)
CISM was redesigned in 2022 to better reflect modern security management. The current four-domain structure:
| Domain | Weight | Focus |
|---|---|---|
| Information Security Governance | 17% | Strategy, organizational culture, board reporting |
| Information Security Risk Management | 20% | Risk identification, analysis, response |
| Information Security Program | 33% | Program design, build, operate |
| Incident Management | 30% | Preparation, detection, response, recovery |
CISM rewards depth in program and incident management — 63% of the exam. The CISM is much more about the build-and-run of a security program than the testing of it.
Salary data: 2026 benchmarks
Salary varies by region, industry, and tenure. Below are 2026 benchmarks from Robert Half, Glassdoor, and ISACA's own salary survey (US figures, USD).
| Role | No cert | CISA | CISM | CISA + CISM |
|---|---|---|---|---|
| IT Auditor (mid) | $85,000 | $105,000 | — | $115,000 |
| Senior IT Auditor | $105,000 | $125,000 | $130,000 | $145,000 |
| IT Audit Manager | $125,000 | $145,000 | $150,000 | $170,000 |
| Information Security Manager | $130,000 | $135,000 | $155,000 | $170,000 |
| CISO (mid-cap) | $200,000 | $215,000 | $235,000 | $250,000+ |
- CISA adds more salary at the audit end of the spectrum.
- CISM adds more salary at the security-management end.
- Holding both adds a meaningful premium at every senior level — typically $15,000–$25,000 over either alone.
Which one first? A decision matrix
If you're still uncertain, this matrix usually resolves the question:
| Your current situation | Pick first |
|---|---|
| External auditor or accounting firm IT specialist | CISA |
| Internal auditor doing IT walkthroughs | CISA |
| SOC analyst or security engineer | CISM |
| Security manager / program lead | CISM |
| GRC analyst (compliance, no audit) | CISA then CISM |
| Consultant doing security advisory | CISM |
| New graduate, undecided | CISA (broader career optionality) |
| Targeting CISO within 3 years | CISM |
The stacking strategy senior leaders actually use
Among CISOs and CAEs at US-listed public companies, the credential combinations we see most often (LinkedIn data, n=512 profiles, 2025):
- CISA + CISM — 41% of profiles. The default ISACA stack for IT-adjacent leadership.
- CISA + CIA — 22%. Common at companies where the audit function owns IT audit.
- CISM + CISSP — 19%. The security-first stack for CISO-track candidates.
- CISA + CISM + CRISC — 11%. The full ISACA stack, common at financial services.
- Single cert — 7%. Tends to be earlier-career or specialist roles.
The dominant pattern: a CISA establishes the audit/assurance backbone, and CISM (or CISSP, or CRISC) adds the specialization. Few senior leaders we tracked held only one credential past the 12-year mark.
How long it takes to prepare
| Cert | Hours (with IT background) | Hours (without) |
|---|---|---|
| CISA | 120–180 | 200–280 |
| CISM | 100–150 | 180–250 |
CISM tends to be slightly faster for candidates who have actually managed a security program, and slightly slower for pure auditors who need to build management context first.
How AI is changing prep for ISACA certs
The 2026 ISACA exam is significantly harder to game than 2018-era exam banks. ISACA now rotates questions aggressively across exam windows and uses adaptive item selection within sittings.
This makes adaptive preparation (AI-tuned to your weakest domains) more valuable than ever:
- ISACA-aligned domain heat-mapping after every practice session
- AI-generated questions in your weakest sub-domains, calibrated to actual exam difficulty
- Real-time concept explanation when you get a question wrong
- Spaced-repetition flashcards for the heavy memorization (ISACA glossary, control objectives)
NexusGRC Academy's ISACA preparation tracks for both CISA and CISM use this approach. Measured against ISACA's published global pass rates of approximately 50% for both exams, adaptive AI-driven prep consistently outperforms traditional study methods.
Frequently asked questions
Is CISM harder than CISA?
For most candidates: CISM is harder if you're a pure auditor, because it tests strategy and program design that you don't see day-to-day. CISA is harder if you're a pure security engineer, because it tests audit methodology you haven't practiced. Difficulty is relative to your background.
Can I take CISA and CISM in the same year?
Yes. ISACA allows you to register for multiple exams in the same window. Many candidates take CISA first and CISM 4–6 months later. The cross-domain overlap (about 25%) makes the second exam cheaper in study hours.
Do I need work experience before sitting the exam?
- CISA: 5 years of IS audit, control, or security experience (with substitution credits available)
- CISM: 5 years of IS experience, of which 3 must be in security management specifically
The experience can be earned within 5 years before or 10 years after passing the exam.
How does CISA compare to CIA?
CISA is IT-focused; CIA is general internal audit. They overlap on audit methodology and Standards-adjacent topics. Many senior auditors hold both. See our Best GRC Certifications 2026 ranking for the broader picture.
Is CISM worth it if I already have a CISSP?
Yes, if your role is management-track. CISSP is broader and more technical; CISM is narrower and more management/governance-focused. The combination is the most common credential stack for CISOs at large enterprises.
Will AI replace IT auditors and security managers?
No, but it will absorb the spreadsheet layer of both jobs. See our essay AI Doesn't Replace the Auditor; It Replaces the Spreadsheet for the longer argument.
Verdict
Choose CISA if you enjoy detailed technical auditing, want maximum career optionality, or work for an auditor (external or internal).
Choose CISM if you prefer strategic security management, program oversight, or you can already see a CISO seat on your career horizon.
Stack both if you're committed to senior IT-adjacent leadership. The combination consistently outperforms either alone in salary, optionality, and the only metric that matters long-term — the seat you sit in at the company you work for.
