
CISA vs CISM: Which ISACA Certification Comes First?

A head-to-head comparison of CISA vs CISM in 2026. Cost, exam format, salary outcomes, and which ISACA certification fits audit vs management career paths.

CertCrush Team

22 May 2026

The Short Answer

CISA and CISM are sibling certifications from ISACA, but they target different career paths. CISA is for IT auditors, validating audit, control, and assurance skills. CISM is for security managers, validating governance, programme management, and risk leadership skills. The "which comes first" question only matters if you are planning to hold both.

For most professionals, the answer is straightforward: pick the credential that matches your current career path. If you are in audit, take CISA. If you are in security management, take CISM. If you hold a hybrid role and plan to do both, take CISA first. This guide breaks down the comparison so you can choose with full information.

CISA vs CISM at a Glance

| Feature | CISA | CISM |
| --- | --- | --- |
| Full name | Certified Information Systems Auditor | Certified Information Security Manager |
| Issuer | ISACA | ISACA |
| Exam questions | 150 multiple-choice | 150 multiple-choice |
| Duration | 4 hours | 4 hours |
| Pass mark | 450 out of 800 (scaled) | 450 out of 800 (scaled) |
| Exam fee | $575 (member) / $760 (non-member) | $575 (member) / $760 (non-member) |
| Annual maintenance fee | $45 (member) / $85 (non-member) | $45 (member) / $85 (non-member) |
| Application processing fee | $50 (one-time) | $50 (one-time) |
| Experience required | 5 years in IS audit, control, or security | 5 years total, 3 in security management |
| Average salary (US) | ~$110,000 | $125,000-$160,000 |
| First-attempt pass rate | ~50-60% | ~50-60% |

Scope: The Fundamental Difference

The exams are structurally identical (150 questions, 4 hours, $575/$760, 450/800 pass mark) but cover completely different content.

CISA Covers Five Audit Domains

| Domain | Approximate Weight |
| --- | --- |
| 1. Information Systems Auditing Process | ~21% |
| 2. Governance and Management of IT | ~17% |
| 3. Information Systems Acquisition, Development, and Implementation | ~12% |
| 4. Information Systems Operations and Business Resilience | ~23% |
| 5. Protection of Information Assets | ~27% |

CISA tests how to audit IT systems: planning audits, executing fieldwork, documenting findings, assessing controls, and communicating results to management.

CISM Covers Four Management Domains

| Domain | Approximate Weight |
| --- | --- |
| 1. Information Security Governance | ~24% |
| 2. Information Risk Management | ~30% |
| 3. Information Security Programme Development | ~27% |
| 4. Information Security Incident Management | ~19% |

CISM tests how to run a security programme: setting strategy, managing risk, developing controls, and responding to incidents.

Exam Tip: CISA is about evaluating what others have built. CISM is about building and running it yourself. If you cannot picture yourself doing the day-to-day work of one, take the other.

Salary Comparison

| Source / Role | CISA Salary | CISM Salary |
| --- | --- | --- |
| US national average | $110,000 | $125,000-$160,000 |
| Entry-level (US) | $63,000-$79,000 | Varies (most candidates already mid-career) |
| Mid-level (US) | $75,000-$100,000 | $115,000-$135,000 |
| Senior (US) | $100,000-$132,000 | $145,000-$190,000 |
| Senior audit manager | $150,000-$201,000+ | N/A |
| Information Security Manager (US average) | N/A | $191,000 |

CISM commands a noticeably higher average because security management roles generally pay more than audit roles in 2026. That said, audit managers and senior audit partners in financial services and Big Four can match or exceed CISM salaries.

Career Tip: The CISA vs CISM salary gap reflects role pricing, not credential pricing. Both are valuable certifications, but the market pays differently for the work they validate.

Career Paths

Roles CISA Unlocks

  • IT Auditor: $70,000-$110,000
  • Senior IT Auditor: $90,000-$130,000
  • IT Audit Manager: $115,000-$160,000
  • Internal Audit Manager: $120,000-$165,000
  • Compliance Auditor: $80,000-$120,000
  • IT Risk Auditor: $90,000-$130,000
  • Senior Audit Partner / Director: $150,000-$220,000+

Roles CISM Unlocks

  • Information Security Manager: $130,000-$200,000
  • Security Programme Manager: $130,000-$180,000
  • IT Risk Manager: $120,000-$170,000
  • Compliance and Governance Manager: $115,000-$160,000
  • Director of Information Security: $160,000-$230,000
  • Deputy CISO / VP Security: $180,000-$300,000+

CISA roles typically sit in audit, internal audit, risk, or assurance functions. CISM roles sit in security operations, security programmes, or risk management functions. The two career tracks rarely converge below the director level.

Difficulty: How They Compare

Both exams are moderate to hard with similar pass rates (~50-60%). The difficulty profiles differ.

CISA Difficulty Profile

  • Heavy emphasis on audit methodology (planning, evidence, reporting)
  • Requires understanding of control frameworks (COBIT, COSO)
  • Tests audit judgement: which control is being tested, what risk does the deficiency create
  • Typical study time: 100-150 hours over 3 months

CISM Difficulty Profile

  • Heavy emphasis on risk management and governance
  • Requires senior management mindset
  • Tests "BEST answer" reasoning across four management domains
  • Typical study time: 120-180 hours over 3-4 months

CISA tends to be slightly more memorisation-friendly (audit frameworks are codified). CISM is slightly more judgement-driven. Neither is dramatically harder than the other.

When to Take CISA First, CISM Second

For candidates who plan to hold both certifications, CISA first is the conventional order. Two reasons.

1. CISA Maps Naturally to Mid-Career Experience

Most IT professionals encounter audit work earlier in their careers than they encounter security management. CISA fits the natural progression: technical role > exposure to audit > CISA > management role > CISM.

2. CISA Provides Governance Foundations

CISA's coverage of governance, control frameworks, and risk management provides foundations that make CISM easier later. CISM extends those foundations into active programme management.

The reverse order (CISM first, CISA second) is less common but works for security managers who want to add audit credibility for governance committee or board-facing roles.

Five Scenarios: Which Cert Comes First

Scenario 1: IT Auditor With 3 Years Experience (CISA First)

Obvious. CISA is purpose-built for your current role. Take it now. CISM may be useful later if you transition out of pure audit.

Scenario 2: Security Engineer Pivoting to Management (CISM First)

Take CISM. It validates the transition into management. CISA is unlikely to be useful unless you specifically move into audit later.

Scenario 3: Internal Auditor Considering Security (CISA First, CISM Later)

CISA validates your current work. CISM, taken later, opens the door to security management while keeping your audit credibility.

Scenario 4: Compliance Professional in Regulated Industry (Either, Lean CISM)

If your work is primarily compliance audit and assurance, CISA. If your work is increasingly about designing and running compliance programmes, CISM. Many compliance professionals in banking and healthcare end up holding both.

Scenario 5: Targeting CISO Eventually (CISM Primarily)

The CISO career stack favours CISM (or CISSP) over CISA. Most CISOs hold CISSP and/or CISM. CISA is less common at the CISO level unless the CISO came from an audit background.

For the broader leadership comparison, see CISSP vs CISM.

Cost: How They Compare

Both certifications have identical fees because they come from ISACA.

| Item | CISA | CISM |
| --- | --- | --- |
| Exam fee (member) | $575 | $575 |
| Exam fee (non-member) | $760 | $760 |
| Application processing fee | $50 | $50 |
| Annual maintenance fee (member) | $45 | $45 |
| ISACA membership (annual) | $135 | $135 |
| Typical training budget | $300-$2,000 | $300-$2,000 |
| Total realistic budget | $1,000-$3,000 | $1,000-$3,000 |

Cost Tip: ISACA membership pays for itself if you sit any ISACA exam, because the $185 member discount per exam outweighs the $135 annual membership. If you plan to hold both CISA and CISM, joining ISACA is a no-brainer.

What Each Cert Will Not Do

CISA Will Not...

  • Make you a security manager (CISA is audit, not management)
  • Replace CISSP for senior security architecture roles
  • Validate technical penetration testing skill

CISM Will Not...

  • Replace CISA for pure audit roles
  • Substitute for CISSP in postings that name CISSP specifically
  • Validate hands-on technical security operations skill

The Combined Stack: When to Hold Both

Some senior professionals hold both CISA and CISM. The combination is most valuable in:

  • Regulated industries (banking, insurance, healthcare) where both credentials appear in role requirements
  • Big Four advisory practices where consultants move between audit and security engagements
  • CISO roles in heavily audited organisations where audit credibility complements management authority
  • Internal audit functions that include security audit and security advisory work

The maintenance cost for both is modest: $90 in annual fees plus 120 CPE hours total (renewable in 3-year cycles).

The Honest Verdict

CISA vs CISM is rarely a true choice; it is a sequence or a specialism question.

Take CISA if:

  • Your current or target role is IT audit, internal audit, or assurance
  • You enjoy evaluating and validating controls rather than building them
  • You work in compliance, risk advisory, or audit consulting

Take CISM if:

  • Your current or target role is security management or programme leadership
  • You enjoy designing and running security programmes
  • You are targeting CISO-track or senior security director positions

If you plan to hold both, take CISA first. The audit foundation makes CISM easier, and the order aligns with the natural career progression from technical or audit work into management.

Ready to Start Practising?

Both CISA and CISM reward candidates who practise applying judgement in scenario-based questions. ISACA exam questions are famous for two or more technically correct options where you must select the BEST. Practice builds the pattern recognition that separates a pass from a retake.

CertCrush offers practice exams for both CISA and CISM, built to match the format, domain weighting, and scenario style of each real exam. Every question includes a detailed explanation covering the audit-level or management-level reasoning behind the correct answer.

Create your free account and start your ISACA certification journey today.
