TL;DR
- CISSP is the broad senior generalist cert. Best for security engineers, managers, and aspiring CISOs.
- CISM is the managerial cert. Best for people moving from technical into governance/management roles.
- CRISC is the risk cert. Best for risk analysts, third-party risk managers, and audit-adjacent professionals.
- CCSP is the cloud specialist. Best for security engineers focused on AWS / Azure / GCP / Kubernetes.
- If you can only get one: CISSP first. It opens the most doors. Add CCSP if cloud-focused, CISM if leaving technical work, CRISC if pivoting into pure risk/audit.
The side-by-side
| Criterion | CISSP | CISM | CRISC | CCSP |
|---|---|---|---|---|
| Issuer | ISC2 | ISACA | ISACA | ISC2 |
| Focus | Broad senior generalist | Security management | Risk & control | Cloud security |
| Experience req. | 5 yrs in 2+ of 8 domains | 5 yrs in 3+ of 4 domains | 3 yrs in 2+ of 4 domains | 5 yrs total IT, 3 in InfoSec, 1 in cloud |
| Exam length | 3 hrs, 100-150 Qs (CAT) | 4 hrs, 150 Qs | 4 hrs, 150 Qs | 3 hrs, 125 Qs |
| Exam fee (USD) | $749 | $760 (ISACA members), $1,000+ non-member | $760 / $1,000+ | $599 |
| Annual maintenance fee | $135 | $45 (member) / $85 (non-member) | same as CISM | $125 |
| CPE requirement | 120 / 3 yrs | 120 / 3 yrs | 120 / 3 yrs | 90 / 3 yrs |
| Difficulty (community consensus) | High (broad) | Medium (narrow management focus) | Medium-High (quantitative, risk-heavy) | Medium-High (cloud-deep) |
| Typical salary lift (US) | +25% | +18-22% | +15-20% | +15-22% |
CISSP: the broad generalist
The most-asked-for certification on senior cybersecurity job listings. The CISSP signals that you can think strategically AND understand technical depth across eight different domains. It's required on most CISO postings; it's strongly preferred on senior security engineer postings; it's a tiebreaker on most mid-level GRC postings.
Best for: Security engineers, technical leaders, managers, and people targeting CISO-track roles. If you don't know which cert to get, CISSP is the default answer.
Worth it if: You have 5+ years of cyber-adjacent experience and want to move into a senior IC or first-line management role.
Not worth it if: You're less than 3 years into the field. Take CompTIA Security+ first; CISSP without operational context is brutal.
Detailed prep guides: How to pass the CISSP · 90-day study plan · 8 CBK domains explained.
CISM: the management cert
Where CISSP teaches you the full security profession, CISM teaches you to manage one. The ISACA Certified Information Security Manager focuses on four management-heavy domains:
- Information Security Governance
- Information Security Risk Management
- Information Security Program
- Incident Management
Best for: People moving from individual contributor into management: security managers, BISOs, deputy CISOs, head-of-security roles. The CISM signals you can think in budgets, headcount, board reports, and risk appetite.
Worth it if: You already have CISSP or strong technical experience AND you're actively moving into management.
Not worth it if: You're purely technical and have no plans to manage people or programs. CISSP covers the same management material at a higher level.
CRISC: the risk cert
CRISC sits at the intersection of cybersecurity and enterprise risk management. The four domains are:
- IT Risk Identification
- IT Risk Assessment
- Risk Response and Reporting
- Information Technology and Security
Best for: Risk analysts, third-party risk managers, GRC professionals who spend most of their time on risk register work, audit professionals moving into IT risk, and consultants delivering risk programs.
Worth it if: Your day job is risk-centric, you're hired by a Big 4 or a bank, or you're moving into a Risk & Compliance leadership role.
Not worth it if: You don't actually do risk-treatment work day-to-day. CRISC questions reward operational risk fluency that's hard to fake.
CCSP: the cloud specialist
Co-issued by ISC2 and the Cloud Security Alliance. The 6 domains map directly to cloud-native security work:
- Cloud Concepts, Architecture, and Design
- Cloud Data Security
- Cloud Platform and Infrastructure Security
- Cloud Application Security
- Cloud Security Operations
- Legal, Risk, and Compliance
Best for: Security engineers whose work is dominantly AWS / Azure / GCP / Kubernetes. Cloud security architects. DevSecOps practitioners moving into security leadership.
Worth it if: You already have CISSP or strong cloud experience AND your roadmap stays in cloud-adjacent roles.
Not worth it if: Your work is on-prem-heavy. Cloud-vendor-specific certs (AWS Security Specialty, AZ-500) are often more valuable signals to cloud-specialist employers than CCSP.
Which to get FIRST if you can only get one
For most people, the answer is CISSP. It's the most-asked-for, opens the most doors, and its breadth means it stays relevant even as your role evolves.
The exceptions:
- You're moving from non-IT into security management: CISM first. The management domains are closer to your existing skill set.
- You're a risk analyst or auditor by training: CRISC first. Same logic.
- You're an SRE or cloud platform engineer moving into security: CCSP and/or AWS Security Specialty first. Most cloud-security roles will respect those before CISSP if you have demonstrable cloud chops.
Which to get SECOND
The stacking order most candidates report as highest-ROI:
- CISSP → CCSP, if you're cloud-focused. CCSP overlaps CISSP's cloud questions but goes much deeper.
- CISSP → CISM, if you're moving into management. Some overlap with CISSP's Domain 1.
- CISSP → CRISC, if you're pivoting into pure GRC. Strong differentiation for risk-officer roles.
- CISSP → ISO 27001 Lead Auditor / Implementer, if you're going GRC + framework-heavy. Cheaper, faster, very employer-visible in EU markets.
Cost-benefit by career stage
Year 1-3 in security
None of these certs yet. Take CompTIA Security+, maybe Network+ if your network knowledge is weak. Spend the cert money on hands-on tools (TryHackMe, HackTheBox, vendor sandboxes).
Year 3-5
CISSP if you can document enough experience. Otherwise CompTIA CySA+, then CISSP at year 5.
Year 5-8
CISSP if you don't have it. Add a specialty: CCSP if cloud, CISM if going management, CRISC if going risk. CEH is mostly fluff at this stage; OSCP is far more respected for offensive roles.
Year 8+
CISSP plus 1-2 specialty certs is enough. Past this point, your work history matters more than additional letters. CISO-track candidates sometimes add a CGEIT (ISACA executive governance cert) or an MBA; both signal "board-ready."
Salary lift, real talk
The 25% number for CISSP gets thrown around a lot. The reality is messier:
- The cert itself doesn't magically add 25% to your base. What it does is move you into roles where the salary band starts 20-30% higher.
- The lift is realized over 12-24 months as you change roles. Staying in the same role and adding CISSP rarely changes your paycheck immediately.
- The lift varies enormously by country. US: 20-30%. UK: 15-20%. India: 30-40% (cert markets there are more credential-gated). Germany: 10-15% (German employers care more about Bildungsabschluss than certs).
Full salary data: CISSP Salary in 2026.
The certs we did NOT list (and why)
- OSCP: Excellent for offensive security roles. Not directly comparable to CISSP because OSCP is a hands-on cert for technical IC work, not a senior generalist signal.
- GIAC family (GSEC, GCIH, GPEN, GCFA, etc.): Excellent technical depth, expensive, often expected at top US consultancies. Worth getting if your employer pays.
- CEH: Lost most of its credibility 2018-2024. Don't get this unless an employer specifically requires it.
- CompTIA Security+: Excellent entry-level cert. Required for some DoD roles. Lower ceiling than CISSP; don't stop here if you're past 2 years in cyber.
- CIPP/CIPM/CIPT: Privacy-specific certs (IAPP). Worth it if you're in a DPO or privacy-counsel track. Not comparable to CISSP.
- AWS Security Specialty / AZ-500 / GCP PSE: Vendor-specific cloud security certs. Often more valuable than CCSP for cloud-specialist roles.
Frequently asked questions
Can I get CISSP without CISM/CRISC first?
Yes: CISSP has no prerequisite certs. The only requirement is the 5 years of work experience.
Does CISM lose value if I already have CISSP?
Marginally. CISM's management content overlaps significantly with CISSP Domain 1. The added value is signaling to recruiters that you're actively management-tracked.
Is CCSP worth it if I have AWS Security Specialty?
Probably not, unless your roadmap includes multi-cloud (AWS + Azure + GCP) work. Single-vendor certs are usually a stronger signal to cloud-specialist hiring managers.
Can I get both CISSP and CISM in a year?
Possible, ambitious. You'd study CISSP for 90 days, take the exam, then ~60 days of delta study for CISM (heavy overlap on Domain 1 material). Most people who try this end up taking longer than planned for CISSP, then deferring CISM.
Next steps
- Read the full CISSP guide if you've decided on CISSP.
- Pick the 90-day plan to set a timeline.
- When you pass, browse GRC jobs, cloud security jobs, or US cyber jobs.