TL;DR
- CISSP is the broad senior generalist cert. Best for security engineers, managers, and aspiring CISOs.
- CISM is the managerial cert. Best for people moving from technical into governance/management roles.
- CRISC is the risk cert. Best for risk analysts, third-party risk managers, and audit-adjacent professionals.
- CCSP is the cloud specialist. Best for security engineers focused on AWS / Azure / GCP / Kubernetes.
- If you can only get one: CISSP first. It opens the most doors. Add CCSP if cloud-focused, CISM if leaving technical work, CRISC if pivoting into pure risk/audit.
The side-by-side
| CISSP | CISM | CRISC | CCSP | |
|---|---|---|---|---|
| Issuer | ISC2 | ISACA | ISACA | ISC2 |
| Focus | Broad senior generalist | Security management | Risk & control | Cloud security |
| Experience req. | 5 yrs in 2+ of 8 domains | 5 yrs in 3+ of 4 domains | 3 yrs in 2+ of 4 domains | 5 yrs total IT, 3 in InfoSec, 1 in cloud |
| Exam length | 3 hrs, 100–150 Qs (CAT) | 4 hrs, 150 Qs | 4 hrs, 150 Qs | 3 hrs, 125 Qs |
| Exam fee (USD) | $749 | $760 (ISACA members), $1,000+ non-member | $760 / $1,000+ | $599 |
| Annual maintenance fee | $135 | $45 (member) / $85 (non-member) | same as CISM | $125 |
| CPE requirement | 120 / 3 yrs | 120 / 3 yrs | 120 / 3 yrs | 90 / 3 yrs |
| Difficulty (community consensus) | High - broad | Medium - narrow management focus | Medium-High - quantitative risk-heavy | Medium-High - cloud-deep |
| Typical salary lift (US) | +25% | +18–22% | +15–20% | +15–22% |
CISSP - the broad generalist
The most-asked-for certification on senior cybersecurity job listings. The CISSP signals that you can think strategically AND understand technical depth across eight different domains. It's required on most CISO postings; it's strongly preferred on senior security engineer postings; it's a tiebreaker on most mid-level GRC postings.
Best for: Security engineers, technical leaders, managers, and people targeting CISO-track roles. If you don't know which cert to get, CISSP is the default answer.
Worth it if: You have 5+ years of cyber-adjacent experience and want to move into a senior IC or first-line management role.
Not worth it if: You're less than 3 years into the field. Take CompTIA Security+ first; CISSP without operational context is brutal.
Detailed prep guides: How to pass the CISSP · 90-day study plan · 8 CBK domains explained.
CISM - the management cert
Where CISSP teaches you the full security profession, CISM teaches you to manage one. The ISACA Certified Information Security Manager focuses on four management-heavy domains:
- Information Security Governance
- Information Security Risk Management
- Information Security Program
- Incident Management
Best for: People moving from individual contributor into management - security managers, BISOs, deputy CISOs, head-of-security roles. The CISM signals you can think in budgets, headcount, board reports, and risk appetite.
Worth it if: You already have CISSP or strong technical experience AND you're actively moving into management.
Not worth it if: You're purely technical and have no plans to manage people or programs. CISSP covers the same management material at a higher level.
CRISC - the risk cert
CRISC sits at the intersection of cybersecurity and enterprise risk management. The four domains are:
- IT Risk Identification
- IT Risk Assessment
- Risk Response and Reporting
- Information Technology and Security
Best for: Risk analysts, third-party risk managers, GRC professionals who spend most of their time on risk register work, audit professionals moving into IT risk, and consultants delivering risk programs.
Worth it if: Your day job is risk-centric, you're hired by a Big 4 or a bank, or you're moving into a Risk & Compliance leadership role.
Not worth it if: You don't actually do risk-treatment work day-to-day. CRISC questions reward operational risk fluency that's hard to fake.
CCSP - the cloud specialist
Co-issued by ISC2 and the Cloud Security Alliance. The 6 domains map directly to cloud-native security work:
- Cloud Concepts, Architecture, and Design
- Cloud Data Security
- Cloud Platform and Infrastructure Security
- Cloud Application Security
- Cloud Security Operations
- Legal, Risk, and Compliance
Best for: Security engineers whose work is dominantly AWS / Azure / GCP / Kubernetes. Cloud security architects. DevSecOps practitioners moving into security leadership.
Worth it if: You already have CISSP or strong cloud experience AND your roadmap stays in cloud-adjacent roles.
Not worth it if: Your work is on-prem-heavy. Cloud-vendor-specific certs (AWS Security Specialty, AZ-500) are often more valuable signals to cloud-specialist employers than CCSP.
Which to get FIRST if you can only get one
For most people, the answer is CISSP. It's the most-asked-for, opens the most doors, and its breadth means it stays relevant even as your role evolves.
The exceptions:
- You're moving from non-IT into security management: CISM first. The management domains are closer to your existing skill set.
- You're a risk analyst or auditor by training: CRISC first. Same logic.
- You're an SRE or cloud platform engineer moving into security: CCSP and/or AWS Security Specialty first. Most cloud-security roles will respect those before CISSP if you have demonstrable cloud chops.
Which to get SECOND
The stacking order most candidates report as highest-ROI:
- CISSP → CCSP - if you're cloud-focused. CCSP overlaps CISSP's cloud questions but goes much deeper.
- CISSP → CISM - if you're moving into management. Some overlap with CISSP's Domain 1.
- CISSP → CRISC - if you're pivoting into pure GRC. Strong differentiation for risk-officer roles.
- CISSP → ISO 27001 Lead Auditor / Implementer - if you're going GRC + framework-heavy. Cheaper, faster, very employer-visible in EU markets.
Cost-benefit by career stage
Year 1–3 in security
None of these certs yet. Take CompTIA Security+, maybe Network+ if your network knowledge is weak. Spend the cert money on hands-on tools (TryHackMe, HackTheBox, vendor sandboxes).
Year 3–5
CISSP if you can document enough experience. Otherwise CompTIA CySA+, then CISSP at year 5.
Year 5–8
CISSP if you don't have it. Add a specialty: CCSP if cloud, CISM if going management, CRISC if going risk. CEH is mostly fluff at this stage; OSCP is far more respected for offensive roles.
Year 8+
CISSP plus 1–2 specialty certs is enough. Past this point, your work history matters more than additional letters. CISO-track candidates sometimes add a CGEIT (ISACA executive governance cert) or an MBA - both signal "board-ready."
Salary lift, real talk
The 25% number for CISSP gets thrown around a lot. The reality is messier:
- The cert itself doesn't magically add 25% to your base. What it does is move you into roles where the salary band starts 20–30% higher.
- The lift is realized over 12–24 months as you change roles. Staying in the same role and adding CISSP rarely changes your paycheck immediately.
- The lift varies enormously by country. US: 20–30%. UK: 15–20%. India: 30–40% (cert markets there are more credential-gated). Germany: 10–15% (German employers care more about Bildungsabschluss than certs).
Full salary data: CISSP Salary in 2026.
The certs we did NOT list (and why)
- OSCP - Excellent for offensive security roles. Not directly comparable to CISSP because OSCP is a hands-on cert for technical IC work, not a senior generalist signal.
- GIAC family (GSEC, GCIH, GPEN, GCFA, etc.) - Excellent technical depth, expensive, often expected at top US consultancies. Worth getting if your employer pays.
- CEH - Lost most of its credibility 2018–2024. Don't get this unless an employer specifically requires it.
- CompTIA Security+ - Excellent entry-level cert. Required for some DoD roles. Lower ceiling than CISSP - don't stop here if you're past 2 years in cyber.
- CIPP/CIPM/CIPT - Privacy-specific certs (IAPP). Worth it if you're in a DPO or privacy-counsel track. Not comparable to CISSP.
- AWS Security Specialty / AZ-500 / GCP PSE - Vendor-specific cloud security certs. Often more valuable than CCSP for cloud-specialist roles.
Frequently asked questions
Can I get CISSP without CISM/CRISC first?
Yes - CISSP has no prerequisite certs. The only requirement is the 5 years of work experience.
Does CISM lose value if I already have CISSP?
Marginally. CISM's management content overlaps significantly with CISSP Domain 1. The added value is signaling to recruiters that you're actively management-tracked.
Is CCSP worth it if I have AWS Security Specialty?
Probably not, unless your roadmap includes multi-cloud (AWS + Azure + GCP) work. Single- vendor certs are usually a stronger signal to cloud-specialist hiring managers.
Can I get both CISSP and CISM in a year?
Possible, ambitious. You'd study CISSP for 90 days, take the exam, then ~60 days of delta study for CISM (heavy overlap on Domain 1 material). Most people who try this end up taking longer than planned for CISSP, then deferring CISM.
Next steps
- Read the full CISSP guide if you've decided on CISSP.
- Pick the 90-day plan to set a timeline.
- When you pass, browse GRC jobs, cloud security jobs, or US cyber jobs.
Related guides
SOC Analyst Salary in 2026: Pay by Tier, Country, and How to Earn More
A data-driven look at SOC analyst pay in 2026 - US bands by tier, salaries across eight countries, remote vs o…
6 min read
Security Engineer Salary in 2026: Pay by Level, Country, and Skill
What security engineers really earn in 2026 - mid vs senior/staff/principal, pay by country, remote effects, a…
7 min read
Penetration Tester Salary in 2026: Junior to Red-Team Lead, by Country
What penetration testers earn in 2026 - junior vs senior vs red-team lead, consultancy vs in-house, pay by cou…
7 min read