Are the CISA, CISM and CISSP Certifications Worth It?


These are considered among the top three certifications relating to security and information systems that are available. I passed, on my first attempts, the CISA and CISM in 2012 and had completed studying the CISSP, but hadn't yet taken it when I left this sort of work to become a founder and the CEO at Infinite AI.

Certification Acronyms Explained

Certified Information Systems Auditor (CISA)

Certified Information Security Manager (CISM)

Certified Information Systems Security Professional (CISSP)

Target Material

The CISSP is focused on information security. The CISA is a mix of the CISSP/CISM, with a significant amount of auditing on top of it. The CISA is popular amongst insurance companies and CPA firms performing IT-related audits. The CISM is very similar to the CISSP, but has a slightly narrower technical scope and is geared more towards management.


The pass rate is slightly less than 50% and it is only offered twice per year, in June and December. (Update: Apparently, they are now offering a third exam per year in September, at select locations).


In addition to passing the four-hour exam, you'll have to apply for membership. They're relatively strict about both the years and the type of experience required to become certified, and they randomly audit a percentage of applicants. As a further deterrent, they also require you to pass the exam before you can even apply, which could become a costly lesson for those trying to squeeze by with questionable experience.


You'll see a variety of salaries around the internet and from talking with people; however, they seem to gravitate towards $120,000 for both the CISM and CISSP, and $110,000 for the CISA.


The certifications are worth obtaining, but I don't think they're worth maintaining over the long term. I maintained mine for a couple of years, but between the annual membership costs and the CPE requirements, whether it's worth it is debatable.

If your goal is to work in information security from a non-audit standpoint, I'd go after the CISSP, then perhaps the CISM. If your focus is on information security from an audit perspective, I'd go for the CISA, then likely the CISSP. The CISM would only be my first choice if I were a manager who wasn't coming from a technical or audit background.

Additional Info

The CISA and CISM can be found at ISACA's website, and the CISSP at ISC2's website.