
CRISC vs CISM: Which Certification Should You Pursue?

Both CRISC and CISM are prestigious ISACA certifications, but they serve different career paths. This guide helps you understand the differences and choose the right certification for your professional goals.

10 November 2024 · 6 min read

Understanding the Certifications

ISACA offers two premier certifications that often cause confusion among professionals: CRISC (Certified in Risk and Information Systems Control) and CISM (Certified Information Security Manager). While both are highly respected, they target different career trajectories.

CRISC - Certified in Risk and Information Systems Control

CRISC focuses on IT risk identification, assessment, response, and monitoring. It's designed for professionals who manage enterprise IT risk programmes and bridge the gap between IT and business risk perspectives.

CISM - Certified Information Security Manager

CISM focuses on information security programme development and management. It's designed for professionals leading security teams, developing security strategies, and managing security operations.

Domain Comparison

CRISC Domains (2024)

  • Domain 1 - Governance (26%): IT risk governance, risk appetite, organisational culture
  • Domain 2 - IT Risk Assessment (20%): Risk identification, analysis, and evaluation
  • Domain 3 - Risk Response and Reporting (32%): Risk treatment, monitoring, and communication
  • Domain 4 - Information Technology and Security (22%): IT concepts, security principles, and controls

CISM Domains (2024)

  • Domain 1 - Information Security Governance (17%): Strategy, policies, and organisational alignment
  • Domain 2 - Information Security Risk Management (20%): Risk assessment and treatment
  • Domain 3 - Information Security Programme (33%): Programme development, management, and resources
  • Domain 4 - Incident Management (30%): Detection, response, recovery, and lessons learned

CRISC emphasises risk management across IT systems with a broader enterprise view, whilst CISM focuses on managing security programmes and teams. CRISC is broader in risk scope; CISM is deeper in security management.

Experience Requirements

CRISC Requirements

  • Minimum 3 years of cumulative work experience
  • Experience must be in at least 2 of the 4 CRISC domains
  • Experience must be gained within 10 years of application
  • Can sit exam before meeting experience requirements (5-year window to qualify)

CISM Requirements

  • Minimum 5 years of information security management experience
  • Experience must be in at least 3 of the 4 CISM domains
  • Up to 2 years can be waived with qualifying credentials (CISA, CISSP, etc.)
  • Can sit exam before meeting experience requirements (5-year window to qualify)

Career Paths and Roles

CRISC is Ideal For:

  • IT Risk Managers and Analysts
  • Enterprise Risk Management professionals
  • IT Auditors transitioning to risk management
  • Compliance Officers with IT focus
  • Business Continuity professionals
  • Control Assurance specialists
  • GRC Consultants

CISM is Ideal For:

  • Information Security Managers
  • Chief Information Security Officers (CISOs)
  • Security Programme Directors
  • IT Directors with security responsibilities
  • Security Consultants and Advisors
  • Security Operations leaders
  • Security Architects moving into management

Exam Details

Both exams share similar formats:

  • 150 multiple-choice questions
  • 4 hours duration
  • Scaled score of 450 to pass (200-800 scale)
  • Available year-round at PSI testing centres
  • Remote proctoring option available
  • Exam fee approximately £575 for ISACA members

Salary and Market Demand

Both certifications command strong salaries in the UK market:

  • CRISC holders: £65,000 - £95,000 average (risk-focused roles)
  • CISM holders: £70,000 - £120,000 average (security management roles)

CISM typically commands higher salaries due to its management focus and the seniority of roles it targets. However, CRISC is increasingly valuable as organisations prioritise enterprise risk management and regulatory compliance.

Which Should You Choose?

Choose CRISC If:

  • You work primarily in risk management or GRC
  • Your role involves risk assessment and control design
  • You want to bridge IT and business risk perspectives
  • You have 3+ years of relevant experience
  • You're interested in enterprise risk management
  • You work closely with audit and compliance functions

Choose CISM If:

  • You manage or aspire to manage security teams
  • Your focus is security programme development
  • You're targeting CISO or security director roles
  • You have 5+ years of security management experience
  • You want to demonstrate security leadership capability
  • You're responsible for incident response programmes

Many senior professionals hold both certifications. CRISC and CISM complement each other well—CRISC provides the risk foundation whilst CISM demonstrates security management expertise. Consider pursuing both over time.

Preparation Strategies

Study Resources

  • ISACA Review Manuals: Official study guides for each certification
  • ISACA QAE Database: Practice questions from ISACA (essential)
  • Review Courses: Instructor-led or self-paced options from accredited providers
  • Study Groups: ISACA chapter study groups and online communities

Preparation Timeline

Most candidates require 3-6 months of dedicated study:

  • Months 1-2: Read the review manual thoroughly, understand all domains
  • Months 3-4: Practice questions extensively, identify weak areas
  • Month 5: Focused review of weak areas, full practice exams
  • Month 6: Final review, exam simulation, and scheduling

Maintaining Your Certification

Both certifications require ongoing professional education:

  • 20 CPE hours annually (minimum)
  • 120 CPE hours over 3-year certification period
  • Annual maintenance fee to ISACA (approximately £85)
  • Adherence to ISACA Code of Professional Ethics
  • CPE activities include training, conferences, publishing, and teaching

Conclusion

Both CRISC and CISM are valuable certifications that demonstrate expertise in their respective domains. Your choice should align with your career goals: CRISC for risk management focus, CISM for security management leadership.

Consider your current role, target positions, and experience level. If you're early in your career, CRISC's lower experience requirement may be more accessible. If you're targeting senior security leadership, CISM is often the expected credential.
